Privileged Access Management (PAM) is understandably a high priority for today’s enterprises. The misuse of privileged accounts can allow attackers to escalate credentials and permissions across complex IT networks, finding open paths to access critical assets or steal sensitive data. This can have a dangerous impact on an enterprise’s ability to remain compliant with third-party regulations as well as internal governance mandates.
Let’s look in more detail at deploying Privileged Access Management, and how to prioritize risk for your own business needs.
Identifying your privileged accounts and credentials
In some cases, you might have hundreds of thousands of privileged credentials in your IT ecosystem, and in an increasingly connected world, this information might exist in an attack surface that’s larger than you’ve considered before.
Your first step is visibility, ensuring that you can uncover all credentials, from passwords and SSH keys to password hashes, access keys and more, and that you can do so across your entire environment, on premises, on the cloud, and across DevOps processes.
According to CyberArk, there are 7 types of accounts you need to consider, as poor hygiene or practices with any of them makes your enterprise a target for APTs and other dangerous cybercrime.
- Emergency accounts: Access to these accounts requires IT management approval, and is only given in case of an emergency. As a manual task, it usually does not have any security measures in place.
- Local Administrative accounts: These accounts are shared to provide admin access to the local host or session. Whenever IT staff need to perform workstation or server maintenance, or work on network devices, mainframes and other systems, these are the accounts they will use. Password hygiene may well be poor across these accounts, as IT professionals sometimes share passwords across an organization to make access easier. This is an open door for attackers.
- Application accounts: Privileged accounts usually have access to critical applications or databases, used to access databases, run scripts, or provide access to other applications. Passwords might be embedded and stored in plain text files, copied across multiple channels and servers.
- Active Directory or Windows domain service: Password changes for these accounts are complex, as your business will need to sync any updates across applications and infrastructure. Because of this, many businesses fail to regularly update application account passwords. If this happens in a critical system such as your Active Directory, you have created a single point of failure.
- Service accounts: These local or domain accounts will interact directly with the operating system using an application or service. These may even have administrative privileges depending on their roles and requirements.
- Domain Administrative accounts: These accounts have complete control over all domain controllers, and can access and make changes to all administrative accounts within the domain. The access they have extends to all workstations and servers within the organization network, and so therefore, these credentials are under regular attack from hackers, no matter the environment involved.
- Privileged User accounts: One of the most common forms of account access granted on an enterprise domain, with these accounts users can have admin rights for their local desktops, or across a particular system. Users might choose complex or strong passwords, but this is often the only security control in place.
Identifying the risk of each kind of account will differ from enterprise to enterprise, and depend on your own digital crown jewels and most critical assets, as well as how you store and manage data, what systems hold intellectual property or other sensitive information, and where you’ve uncovered vulnerabilities in your own unique ecosystem. It’s common to start with your highest risk accounts, and then use a phased approach to build out your PAM.
What does protecting these accounts mean in practice?
Once you’ve established the accounts and credentials you want to protect, this should be approached in a number of ways. Credentials can and should be placed in a digital vault which uses multi-factor authentication for access. The best solutions will provide encrypted video monitoring of all privileged sessions, with alerts set up against suspicious activity and an easy playback option. In case of an audit or escalation,
IT admin should be able to access granular information about each session, down to single keystrokes, escalating this to the SOC or the next level where necessary. In case of a breach, automated behavior could include suspending or terminating sessions, or automatically rotating credentials to protect from further harm.
It’s also important to think about the local administrative access, even those these might seem less dangerous at a glance. Protecting these accounts is essential if you are working towards the principle of ‘least privilege’ or a Zero Trust security model. Every endpoint could be an entry point for hackers, allowing them to make lateral moves until they hit what they’re looking for, and many users have far more permissions and access than they need to do their job each day. Look for a solution with least-privilege server protection for both Windows and *NIX, allowing you to tightly manage permissions and gain insight into activity on each user. This can go a long way to remove the coarse controls and anonymity which often exists in today’s data centers. For *NIX, it also removes the risk of unmanaged SSH keys, a known exploit that can be taken advantage of to log in with root access control.
The same mentality needs to be front and center when you’re considering third-party applications and services, many of which require access to your network. These can be hard to keep track of, so a strong monitoring solution is essential. Think about best-practice hygiene for commercial off the shelf apps, such as removing hard-coded credentials and managing and rotating these privileged accounts in your digital vault.
Protect from on-premises to cloud deployments
The vast majority of today’s enterprises are working in a hybrid reality, with a network that spans on-premises and bare metal servers all the way to cloud and container systems. Any PAM solution that you deploy needs to be able to handle both, seamlessly. Managing DevOps secrets and credentials is an important part of your strategy, and that your code can retrieve the information it needs on the fly, rather than having them hardcoded into the application. This will allow you to rotate and secure these secrets and credentials the same way that you can on premises.
Another large area to consider is SaaS. These often have wide permissions, such as CRM software like Salesforce that is used by multiple teams. Privileged business users who access these applications are one click away from sensitive customer data, and the ability to move around a network far more freely than other stakeholders. Multi-factor authentication can help here, as well as isolating access to shared IDs.
Compliance and Privileged Access Management
Many of the benefits of Privileged Access Management support compliance and internal governance strategies. Firstly, you have one centralized repository for all of your audit data, reducing costs and making reporting fat easier. By enforcing privileged access automatically and monitoring this in real-time, many audit requirements are met, protecting all systems that handle information processing across a heterogeneous environment, and enforcing visibility and control over account usage.
In case of a breach, you have immediate insight into the incident, including where the breach occurred, when it happened, exactly what took place, and how to shore up defenses in the future. It’s easy to see how the right PAM solution can support compliance with a wide range of regulatory authorities, from SWIFT, and MAS-TRM, to SOX, GDPR and ISO 27001 certification.
Partnering with the best in the business
Guardicore has recently formed a partnership with market leader CyberArk, providing customers with a Privileged Session Management solution free of charge, ensuring that all Guardicore deployments meet the high security standards held by its customers. Joint customers will be able to leverage centralized control of all their privileged accounts and credentials, without duplication or sharing.
To download the Guardicore Privileged Session Management tool, head to the CyberArk Marketplace.