ICYMI — Lil’ CISO has garnered a lot of attention with his PAM (privileged access management) song and video. So much so, that it’s spawned numerous requests to provide more information on the 12 steps outlined by Lil’ CISO for implementing a successful Privileged Access Management (PAM) strategy. In this blog, we will outline PAM along with the 12 steps for a successful PAM strategy.
What is Privileged Access Management?
In today’s world, organizations are learning how important it is to lock down accounts and assets within their network infrastructure so that they can mitigate security breaches, loss of sensitive data, and prevent unauthorized access to highly sensitive accounts and assets. These mitigation efforts revolve around a subset of Cybersecurity practice called Privileged Access Management, or PAM. The concept of PAM employs a number of fundamental key aspects that help balance mitigation efforts with operational efficiencies. This balance can be obtained by following proven security strategies in tandem with software solutions such as CyberArk, Centrify, and Beyond Trust. Regardless of how an organization decides to implement their PAM strategy, there are 12 key steps that all PAM strategies should implement in order to be successful in their PAM implementation.
12 Steps to a Successful PAM Strategy
- Improve Accountability for Privileged Passwords
Improving accountability for privileged passwords involves a password vaulting approach that not only secures privileged passwords, but also automatically, discovers and onboards accounts and rotates their passwords automatically. Doing this reduces the work load for administrators and reduces errors that happen from manual on-boarding and password rotations. There is also the added benefit of passwords having a shorter life cycle so that users will never know what the password is for any given account at any given time.
- Implement Least Privileged Desktops
Implementing least privilege on desktops involves locking down work stations to the point where a user only have the privileges needed to perform their normal every day job duties. When a user requires their privileges to be elevated then those privileges should only be elevated for the amount of time it takes them to complete their task. Once their task is completed then those privileges should be deescalated.
- Leverage Application Risk Levels
Expand vulnerability management and risk assessments to include privileged access and application controls. This is done so that if an application has a high risk of real-world threats, malware, or a lack of security patches then PAM policies can be enacted to mitigate these risks.
- Implement Least Privilege on Servers
Implementing least privilege on servers follows much of the same rules as on users work stations. The difference, however, rests in what is actually on the servers. Some of these servers contain some of the most sensitive information and applications that an organization depends on. Implementing least privileges on these machines as well as session recording, key stroke logging, and password management will go a long way in making sure that only the people who need access have access and those same people are accountable for what they do.
- Network Devices
In terms of privileged access, organizations should always look beyond work stations and servers when implementing PAM into their security posture. It is very common for network devices to be configured to use default account credentials and/or shared account credentials. Furthermore, password ages can be quite excessive on these devices which further increases the risk of network devices becoming compromised and exploited.
- Virtual and Cloud Data Centers
With more and more organizations moving toward some form of a cloud-based infrastructure, more of the same highly sensitive data, that used to be kept on-premises is now moving off-prem. The same basic PAM principals apply to this infrastructure applies here as well. This includes, account discoveries, vaulting known or discovered accounts, implementing least privilege, and implementing auditing controls such as session recordings and key stroke logging.
- IoT Devices
IoT is a very loose term as far as what falls under IoT devices. Simply put, IoT devices are any type of device, that’s not a desktop, server, or a cloud-based machine, that has internet access. For the purposes of this blog we will consider an IoT device anything that wasn’t already mentioned that can connect to an organizations internal network and/or the internet. These devices run a high risk of being exploited in various ways. One of the more common exploits involves denial of service attacks. That being said, having a PAM solution to help lock down the credentials on as many of these devices as possible will reduce an organizations attack surface. Once an automated PAM solution is implemented for the IoT devices that can be managed other mitigation efforts can be used on the devices that cannot be managed such as manual password rotations and vaulting of their credentials.
Sometimes developers need the applications and websites they develop to access internal resources. These resources sometimes require the use of service account credentials which developers will need inside of their applications. When a developer hard codes these credentials into their applications they expose the service account because the credentials are imbedded into their applications in plain text. This includes scripts, source code for websites and executables. Even the executable files themselves store connection strings in plain text within the file itself. Having a good PAM policy and a means for applications to pull the credentials dynamically, from a vault, will eliminate the use of hard coded credentials.
- Unified Management
Unified Management involves monitoring users’ behaviors and assessing the risks they pose to an organization based on their actions. In terms of PAM this form of monitoring is typically called Privileged Threat Analytics (PTA). Most modern PAM solutions employ machine learning that monitors typical user behaviors, assigns a risk score, and sends out notifications to internal security teams when it detects risky behavior that falls above a certain threshold.
- Privileged Account Integration
Privileged account integration involves bridging the gap in user management between Windows and Unix based systems. Most organizations utilize Microsoft’s Active Directory for enterprise user account management but Active Directory, by itself, cannot manage user accounts outside of the Windows domain. In order to get around this an organization should implement some type of AD bridge to integrate Unix and Windows accounts together so that users and account can be managed together instead of separately.
- Auditing and Recovery
As mentioned before session recording and key stroke logging are key aspects of privileged access management. These key logs and session recordings are not only a tool to mitigate insider attacks but they also leave an audit trail to trace back an erroneous action that a user may have made by mistake. When an auditing system is coupled with a Threat Analytics solution, you can have an automated way to monitor for risky behaviors, in real time, as well as a way to detect when normal mitigation efforts have been by-passed.Having all of these PAM solutions and mitigation policies in place are only good if they can be implemented in a reliable way. Having a failsafe for when key servers and appliance machines go down is just as important as ensuring users only have the least amount of privileges they need to do their job. After all, if you’re vaulting accounts and rotating passwords what good does that do you if you cannot retrieve the credentials you need to do your job. This is where having a good disaster recovery plan in place is a must.
- Integrate the Identity Stack
Integrating the identity stack involved having all of an organization’s identity and access management tools, utilities, and services working in tandem with each other. This means integrating Multi-factor Authentication (MFA), Security Information and Event Management (SIEM), IT service management tools (ITSM) and privileged access security solutions to work together to tighten controls so that an organization’s attack surface is reduced to the smallest area possible.
Ready for some help with your PAM strategy or implementation? The IAM experts are here to assist at firstname.lastname@example.org.