What is Privileged Access Management?

PAM is a broad category that concerns who can access a privileged account and what they can do once logged in to your organization’s network with that privileged account. PAM includes both privileged account management and privileged session management.

This overview builds your understanding of PAM so you can set the foundation for a comprehensive privileged access management strategy. We’ll cover:

- What an IT professional should know about how privileged accounts function and the risks associated with their compromise and misuse.
- How you can use this knowledge to make your organization much less vulnerable to potential monetary and reputational damage from increasing threats.

You’ll gain a practical understanding of privileged access management and its benefits to your organization. You’ll learn what privileged accounts are, where they’re located throughout an IT environment, and how they function. Most importantly, you’ll understand the risks associated with these accounts and learn how implementing a privileged account security solution can protect you from malicious insider and external threats.

Key Privileged Access Management Definitions

First, let’s define some key terms you need to know to understand PAM.

What’s the difference between privileged access management and privileged account management (both called PAM)?

The PAM industry began with the core capabilities of privileged account management. Privileged account management is the IT security process of using policy-based software and strategies to control who can access sensitive systems and information. Privileged accounts rely on credentials (passwords, keys, and secrets) to control access. By creating, storing, and managing these credentials in a secure vault, privileged account management controls authorized access of a user, process, or computer to protected resources across an IT environment.
Since the early days of PAM, however, privileged security strategies have expanded, and the common definition of PAM has changed. Today, most people define PAM as privileged access management. This definition of PAM reflects a broader security category than privileged account management. It includes cybersecurity strategies for exerting control over elevated access and permissions for users, accounts, and processes. It determines not only which people and systems can access a privileged account but also what they can do once logged in. Additionally, this definition of PAM incorporates strategies that provide security teams with more granular control and oversight over the actions taken during privileged sessions. It includes managing the passwords of privileged accounts through tactics like credential management, least privilege enforcement, and account governance. For example, privileged access approval and workflows, two-factor/multi-factor authentication, privileged session monitoring and recording, and remote launching are critical elements of a comprehensive privileged access management program.

What’s the difference between user accounts and privileged accounts?

There are two major categories of IT accounts:

- User Accounts: A user account typically represents a human identity (such as an Active Directory user account) and has an associated password to protect information and prevent anyone else from accessing it without permission. There is usually a single account password per user that needs to be memorized by a person.
- Privileged Accounts: Privileged accounts provide administrative or specialized levels of access to enterprise systems and sensitive data, based on higher levels of permissions. A privileged account can be associated with a human being or a non-human IT system. Organizations often have two to three times more privileged accounts than they have employees.
In most organizations, IT staff have one account with standard-level permissions and another account for performing operations that require elevated permissions.

What are privileged accounts used for?

Privileged accounts are the keys to your IT kingdom because they can be used to access a sensitive server, adjust permissions, make backdoor accounts, or change or delete critical data. Privileged accounts that need elevated permissions include:
What are privileged service accounts?

A service account is a special category of privileged account that requires elevated privileges to run scheduled tasks, batch jobs, application pools within IIS, and more across a complex network of databases, applications, and file systems. Hundreds or thousands of services rely on privileged accounts to run critical IT processes. As such, service accounts are among the highest-risk privileged accounts.

Unfortunately, service accounts are also typically the most misused types of privileged accounts. To keep systems running and avoid downtime, they’re often configured with unnecessarily high levels of privilege. Without human owners, they often lack oversight. As a result, service account passwords aren’t rotated, expiration dates pass or are never set, and accounts are never decommissioned. These common practices create a dangerous vulnerability for any organization, opening the door to cyber attacks.

Who uses privileged accounts and where are privileged accounts located?

The typical user of a privileged account is a system administrator (sysadmin) responsible for managing an environment, or an IT administrator of specific software or hardware. They need elevated privileges to:
Privileged accounts are used by systems administrators to deploy and maintain IT systems, so they exist in nearly every connected device, server, database, and application. Privileged accounts extend well beyond an organization’s on-premises or cloud-based enterprise infrastructure to include employee-managed marketing, sales, financial, and social media accounts. Therefore, it’s important that even small and medium businesses have an efficient privileged account management process in place.

What’s the difference between identity and access management (IAM) and privileged access management?

The domain of privileged access management is generally accepted as part of the broader scope of identity and access management (IAM). However, identity and privilege are inextricably linked and, as tools and solutions become more sophisticated, the lines continue to blur.

Identity refers to people. You, your boss, the IT admin, and the HR person are only a handful of examples of people who may be responsible for creating, updating, or even deleting attributes. The core objective of IAM is having one digital identity per individual. Once that digital identity has been established, it must be maintained, modified, and monitored.

Privileged access management is part of IAM, helping manage entitlements, not only of individual users but also of shared accounts such as super user, administrative, and service accounts. A PAM tool, unlike IAM tools or password managers, protects and manages all types of privileged accounts. A mature privileged access management solution goes even further than simple password generation and access control to individual systems. It also provides a unified, robust, and—importantly—transparent platform that is integrated into an organization’s overall identity and access management (IAM) strategy.

Risks and Vulnerabilities Related to Privileged Accounts

What are the risks associated with unmanaged privileged accounts?
Many high-profile breaches have one thing in common: they were accomplished through the compromise of privileged credentials. Industry analysts estimate that up to 80% of all security breaches involve the compromise of privileged accounts.

Despite the risk, traditional methods of identifying and managing privileged accounts still rely on manual, time-consuming tasks performed on an infrequent or ad-hoc basis. Even in the most sophisticated IT environments, privileged accounts are all too often managed by using common passwords across multiple systems, unauthorized sharing of credentials, and default passwords that are never changed—making them prime targets for attack.

These practices can easily compromise security because for most attackers taking over low-level user accounts is only a first step. Their real goal is to take over privileged accounts so they can escalate their access to applications, data, and key administrative functions. For example, in many cases, local domain accounts on end-user devices are initially hacked through various social engineering techniques. Attacks are then escalated to gain access to more systems.

Virtually all organizations have some unknown or unmanaged privileged accounts, increasing their risk. Some have thousands. This can happen for various reasons:
Every unknown or unmanaged privileged account increases your organization’s vulnerability and presents an opportunity for an intrusion. An employee may access it to perform unauthorized tasks, intentionally or unintentionally, breaking compliance regulations and increasing your liability. A disgruntled ex-employee who retains privileged access can cause harm. A cybercriminal can find the account and penetrate your organization, steal information, and wreak untold havoc.

If a single privileged account is used across your organization to run many services or applications, when that account is breached, your risk increases exponentially. In that case, it only takes one compromised privileged account for an attacker to gain access to virtually any information within your organization’s IT network.

How does the cloud increase your risk of a privileged account attack?

As businesses migrate to the cloud, the diversity of privileged access management use cases expands. In a cloud model, managing privileged access to workloads, services, and applications remains your responsibility, not the cloud provider’s. It’s also your responsibility to make sure data going to and from the cloud (via web browsers, email, file exchanges such as SFTP, APIs, SaaS products, and streaming protocols) is properly secured.

Unfortunately, many organizations aren’t adequately implementing and enforcing policies to control privileged access. The challenge exists not in the security of the cloud itself, but in the policies and technologies that control access, identities, and privileges. In nearly all cases, it’s the user, not the cloud provider, who fails to manage the controls. According to Gartner, through 2023, at least 99% of cloud security failures will be the customer’s fault, with 50% of issues attributed to inadequate access, identity, and privileged management.

Do your cloud use cases include infrastructure, application development, and business process automation?
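The hygiene failures described in this section (service-account passwords that are never rotated or set to expire, privileged accounts nobody has inventoried or enrolled in a vault, and former employees whose privileged access was never revoked) all become visible once a directory export is compared against the vault inventory and the HR leaver list. The script below is an added example written for this overview, not Delinea’s code or any vendor’s API: its account inventory, leaver list, group names and thresholds are constructed for illustration, and a real run would read the same fields from your directory and PAM vault exports.

```python
"""Flag privileged-account hygiene problems in an account inventory.

Added example for this overview, not vendor code. The inventory below is
a constructed, in-memory sample shaped loosely like directory attributes;
in practice you would export it from your directory and your PAM vault.
Thresholds (90-day rotation, 180-day dormancy) are assumed policy values.
"""
from datetime import date

# Assumed policy thresholds (adjust to your own standard).
MAX_PASSWORD_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 180
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators", "DBA"}

TODAY = date(2024, 6, 1)  # fixed "today" so the example is deterministic

# Constructed sample accounts (not real identities or systems).
INVENTORY = [
    {"name": "svc-backup", "kind": "service", "groups": {"Server Operators"},
     "pwd_last_set": date(2021, 3, 10), "pwd_never_expires": True,
     "last_logon": date(2024, 5, 30), "enabled": True, "in_vault": False, "owner": None},
    {"name": "svc-legacy-etl", "kind": "service", "groups": {"DBA"},
     "pwd_last_set": date(2020, 1, 5), "pwd_never_expires": True,
     "last_logon": date(2022, 8, 1), "enabled": True, "in_vault": False, "owner": None},
    {"name": "jdoe-admin", "kind": "human", "groups": {"Domain Admins"},
     "pwd_last_set": date(2024, 5, 1), "pwd_never_expires": False,
     "last_logon": date(2024, 5, 31), "enabled": True, "in_vault": True, "owner": "jdoe"},
    {"name": "asmith-admin", "kind": "human", "groups": {"Domain Admins"},
     "pwd_last_set": date(2024, 2, 1), "pwd_never_expires": False,
     "last_logon": date(2024, 4, 20), "enabled": True, "in_vault": True, "owner": "asmith"},
    {"name": "bob", "kind": "human", "groups": set(),
     "pwd_last_set": date(2024, 5, 15), "pwd_never_expires": False,
     "last_logon": date(2024, 5, 31), "enabled": True, "in_vault": False, "owner": "bob"},
]

# Constructed HR leaver list: identity -> date employment ended.
LEAVERS = {"asmith": date(2024, 4, 15)}


def is_privileged(acct):
    """An account is privileged if it sits in any of the privileged groups."""
    return bool(acct["groups"] & PRIVILEGED_GROUPS)


def findings_for(acct, today=TODAY):
    """Return a list of (finding_code, detail) tuples for one account."""
    out = []
    if not is_privileged(acct):
        return out  # standard user accounts are out of scope here
    if not acct["in_vault"]:
        out.append(("unmanaged", "privileged account not enrolled in the vault"))
    age = (today - acct["pwd_last_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        out.append(("stale_password", f"password last set {age} days ago"))
    if acct["pwd_never_expires"]:
        out.append(("never_expires", "password expiration disabled"))
    if acct["kind"] == "service" and acct["owner"] is None:
        out.append(("no_owner", "service account has no accountable owner"))
    idle = (today - acct["last_logon"]).days
    if acct["enabled"] and idle > DORMANT_AFTER_DAYS:
        out.append(("dormant", f"enabled but unused for {idle} days; decommission candidate"))
    owner = acct["owner"]
    if acct["enabled"] and owner in LEAVERS and LEAVERS[owner] <= today:
        out.append(("leaver_access", f"owner {owner} left on {LEAVERS[owner]} but access persists"))
    return out


def audit(inventory=INVENTORY, today=TODAY):
    """Map account name -> list of finding codes, only for accounts with issues."""
    report = {}
    for acct in inventory:
        found = findings_for(acct, today)
        if found:
            report[acct["name"]] = [code for code, _ in found]
    return report


if __name__ == "__main__":
    for name, codes in audit().items():
        print(f"{name}: {', '.join(codes)}")
```

Each finding maps to one of the practices the text warns about: unmanaged accounts outside the vault, passwords that are never rotated or never expire, ownerless service accounts, dormant accounts that were never decommissioned, and privileged access that outlived the employee. Run it on a scheduled basis rather than once, since the goal is continuous discovery rather than a one-off cleanup.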
As part of your privileged access management strategy, you need to protect the privileged credentials used to access and manage your cloud resources.

How do cybercriminals compromise privileged accounts?

We’ve discussed the importance of privileged accounts, the central role privileged accounts play in managing systems, infrastructure, and applications, and the risks associated with losing control of privileged accounts. Next, it’s important to understand the tricks and techniques cybercriminals use to wrest control of these accounts. In the next section, we’ll discuss what can be done to protect privileged accounts. The path to compromising a privileged account often follows a variation of this pattern:
Preventing Privileged Account Attacks with PAM

How does PAM lower your risk of a privileged account attack?

The overall goal when designing your privileged access management process and implementing solutions is to arm IT and security professionals with the tools they need to control access within their corporate environment, thus reducing the attack surface by limiting privileged access and behavior. Ultimately, by implementing a PAM solution in conjunction with other IT security best practices, you can contain potential damage related to attacks originating external to your organization, or those instigated internally, regardless of whether an action is due to intentional maliciousness or inadvertent incompetence.

Why is it so difficult to prevent attacks using network or perimeter security tools?

Many organizations try to protect their information with traditional security perimeter tools, such as firewalls, anti-virus, and intrusion detection solutions. But with fast-evolving cloud, mobile, and virtualization technologies, building a fence or moat around critical assets is no longer sufficient. In fact, it’s impossible.

In the digital workplace, people are constantly sharing information and being exposed to social engineering and targeted spear-phishing attacks aimed at getting passwords and credentials. When identities are stolen, attackers can easily bypass the traditional security perimeter undetected and escalate the exploitation of privileged accounts. Hacking privileged credentials can mean the difference between a simple breach and one that could lead to a cyber catastrophe. Therefore, the “new cybersecurity perimeter” must focus on protecting the access of employees, contractors, third-party partners, services, and cloud systems.

What are the top 10 capabilities of PAM software that thwart malicious hackers and other external threats?

Enterprise-grade PAM solutions employ numerous features to lock down privileged access and thwart cyber attacks.
They can discover privileged accounts across your organization and import them into a secure, encrypted repository—a password vault. Once all privileged credentials are inside, the PAM solution can manage sessions, passwords, and access automatically. Combine all this with features like hiding passwords from certain users, auto-rotating passwords, recording sessions, auditing, and multi-factor authentication, and you have a robust defense against external threats.

Here are 10 important capabilities of PAM software:
How does PAM software protect organizations from insider threats?

PAM solutions contain multiple features to safeguard against insider threats. Audit trails and email alerts keep administrators informed of what’s going on in the IT environment. Session monitoring and recording increase visibility of privileged account activity. There are also permissions as well as role-based access controls to give users the access they need to do their jobs. Last but not least, PAM allows you to sever the access users had the moment they leave your organization—an action that a surprising number of organizations fail to include in their PAM strategy.

How is PAM deployed?

PAM can be deployed on-premises, in the cloud (otherwise known as PAM as a Service, or PAMaaS), or with a hybrid approach. Increasingly, PAM solutions are delivered as a service. In the PAMaaS model, a privileged access management vendor manages hosting and updates so you can avoid the expense and resources of installing software and keeping it up to date. Cloud-native PAMaaS solutions also provide tighter integrations with cloud resources to strengthen protection of privileged accounts in the cloud.

How to Develop a Comprehensive PAM Strategy

Critical questions to answer when getting started

Like any IT security measure designed to help protect critical information assets, proper privileged access management requires both an initial plan and an ongoing program. You must identify which privileged accounts should be a priority in your organization, as well as ensure the people who are responsible for managing your privileged accounts are clear on their acceptable use and responsibilities. Before you can successfully implement a privileged access management solution, a planning phase must answer several key questions:
Basic PAM Security Controls

Privileged access management doesn’t have to be an insurmountable challenge. Any organization can control and secure its privileged accounts (and make an attacker’s job more difficult) with these best practices:
How to choose a vendor for your PAM solution

You want to implement a comprehensive privileged access management solution with a trusted partner to help you control access to systems and sensitive data, comply with policies and regulations, and ultimately make your organization safer. Selecting the best privileged account security solution for your organization can be daunting. To simplify the process, focus on some key requirements:
Building on the PAM basics

Once you’re experiencing the benefits of a privileged access management system, it’s important to keep it in prime condition and plan for ongoing improvements.

Audit and analyze privileged account activity. The combination of auditing and analytics can reduce your privileged account risk. Auditing of privileged accounts gives you metrics that provide executives with vital information to make more informed decisions as well as demonstrate compliance with policies and regulations.

Keep discovering privileged accounts. Implement a process and automated tools to continuously identify new privileged accounts and account changes made in your network. It’s the only practical way to maintain the visibility and control necessary to protect your critical information assets.

Prevent sprawl. Automated service account governance prevents service account sprawl by managing the lifecycle of service accounts from provisioning through decommissioning.

Integrate PAM with other IT and security systems. Integrate PAM into your organization’s other security and IT systems for a defense-in-depth strategy. Integrating PAM as part of the broader category of identity and access management (IAM) ensures automated control of user provisioning along with best security practices to protect all user identities. PAM security should also be integrated with security information and event management (SIEM) solutions. This provides a more inclusive picture of security events that involve privileged accounts and gives your IT security staff a better indication of security problems that need to be corrected or those that require additional analysis. PAM can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, and administration and behavior analytics.
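Forwarding PAM audit trails to a SIEM, as recommended above, only pays off when concrete rules run over those events. The following is an added example written for this overview, not vendor code: it evaluates three such rules (a privileged session started without a recent access approval, a shared account open from two sources at the same time, and privileged activity outside working hours) over a constructed audit trail. The event format, the sample lines, the 24-hour approval window and the 07:00 to 19:00 UTC working hours are all assumptions made for the example; a real deployment would map the PAM product’s own event schema onto the same fields.

```python
"""Detection rules over PAM session audit events, of the kind a SIEM
integration would evaluate. Added example for this overview; not vendor
code. The event format and the log lines are constructed for the example,
and the rules (approval within 24 hours, 07:00-18:59 UTC working hours)
are assumed policy values, not anything the overview specifies.
"""
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=24)   # assumed: an approval covers the next 24h
WORK_HOURS = range(7, 19)               # assumed: 07:00-18:59 UTC is normal

# Constructed sample audit trail (chronological, one event per line).
AUDIT_LOG = """\
2024-06-01T09:02:11Z event=approval user=jdoe account=svc-backup ticket=CHG-1001
2024-06-01T09:05:40Z event=session_start user=jdoe account=svc-backup src=10.0.1.5
2024-06-01T09:40:02Z event=session_end user=jdoe account=svc-backup src=10.0.1.5
2024-06-01T11:15:00Z event=session_start user=mlee account=root@db01 src=10.0.2.9
2024-06-01T11:16:30Z event=session_start user=mlee account=root@db01 src=198.51.100.7
2024-06-01T11:30:00Z event=session_end user=mlee account=root@db01 src=10.0.2.9
2024-06-01T11:31:00Z event=session_end user=mlee account=root@db01 src=198.51.100.7
2024-06-02T01:20:00Z event=session_start user=jdoe account=svc-backup src=10.0.1.5
2024-06-02T01:45:00Z event=session_end user=jdoe account=svc-backup src=10.0.1.5
"""


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log=AUDIT_LOG):
    """Return findings as (rule, user, account, timestamp-string) tuples."""
    approvals = {}   # (user, account) -> time of the latest approval
    active = {}      # account -> {src: user} for sessions currently open
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["user"], ev["account"])
        stamp = ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        if ev["event"] == "approval":
            approvals[key] = ev["ts"]
        elif ev["event"] == "session_start":
            # Rule 1: every privileged session must follow a recent approval.
            approved_at = approvals.get(key)
            if approved_at is None or ev["ts"] - approved_at > APPROVAL_WINDOW:
                findings.append(("no_approval", ev["user"], ev["account"], stamp))
            # Rule 2: the same shared account open from two sources at once
            # points to credential sharing or theft.
            open_sessions = active.setdefault(ev["account"], {})
            if any(src != ev["src"] for src in open_sessions):
                findings.append(("concurrent_shared_use", ev["user"], ev["account"], stamp))
            open_sessions[ev["src"]] = ev["user"]
            # Rule 3: out-of-hours privileged activity is routed for review.
            if ev["ts"].hour not in WORK_HOURS:
                findings.append(("after_hours", ev["user"], ev["account"], stamp))
        elif ev["event"] == "session_end":
            active.get(ev["account"], {}).pop(ev["src"], None)
    return findings


if __name__ == "__main__":
    for rule, user, account, when in detect():
        print(f"{when} {rule}: {user} on {account}")
```

On the sample trail the two sessions on root@db01 trip the approval rule and the second of them also trips the concurrent-use rule, while the early-morning session on svc-backup is approved but lands in the after-hours queue. The value of the SIEM integration is exactly this: the PAM product records the session, and the correlation layer decides which sessions need a human to look at them.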
By paying special attention to privileged account security, you can enhance all your cybersecurity to safeguard your organization in the most efficient and effective way possible.

Extend existing directories such as Active Directory to Unix/Linux. Increase visibility of local and privileged users and accounts across operating systems and platforms to simplify management and reporting.

Next Steps to becoming a PAM Expert

Now that you know the basics of privileged access management, you can test out a PAM solution for yourself. Start with a free trial of Delinea Secret Server and see how it works for you.

More Privileged Access Management Resources:

Blog Posts:
- A Guide to Managing and Securing Privileged Users
- 9 Cloud Security Best Practices Your Organization Should Follow
- 7 Types of Privileged Accounts to Protect

Free eBooks:
- Expert’s Guide to Privileged Access Management (PAM) Success

What are the four steps to vulnerability analysis?

Vulnerability assessment: security scanning process. The security scanning process consists of four steps: testing, analysis, assessment, and remediation.
What is the focus of a security audit or vulnerability assessment?

Security audits measure an information system's performance against a list of criteria. A vulnerability assessment is a comprehensive study of an information system, seeking potential security weaknesses.

Which of the following is designed to find and document vulnerabilities that may be present in the organization's public network?

The platform security validation (PSV) process is designed to find and document the vulnerabilities that may be present because there are misconfigured systems in use within the organization.

What is the importance of vulnerability assessment?

A vulnerability assessment provides an organization with details on any security weaknesses in its environment. It also provides direction on how to assess the risks associated with those weaknesses.