Protect your sensitive data and critical infrastructure with Privileged Access Management
Organisations implement privileged access management (PAM) to protect against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cyber security strategy – comprising people, processes and technology to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment.
Sometimes referred to as privileged identity management (PIM), or privileged access security (PAS), PAM is grounded in the principle of least privilege, wherein users only receive the minimum levels of access required to perform their job functions.
The principle of least privilege is widely considered to be a cyber security best practice, and is a fundamental step in protecting privileged access to high-value data and assets. By enforcing the principle of least privilege, organisations can reduce the attack surface and mitigate the risk from malicious insiders or external cyber attacks that can lead to costly data breaches.
Privileged access can be associated with human users as well as non-human users such as applications and machine identities.
Examples of privileged access used by humans:
- Super user account: A powerful account used by IT system administrators that can be used to make configurations to a system or application, add or remove users or delete data.
- Domain administrative account: An account providing privileged administrative access across all workstations and servers within a network domain. These accounts are typically few, but they provide the most extensive and robust access across the network. The phrase ‘Keys to the IT Kingdom’ is often used when referring to the privileged nature of some administrator accounts and systems.
- Local administrative account: This account is located on an endpoint or workstation and uses a combination of a username and password. It helps people access and make changes to their local machines or devices.
- Secure socket shell (SSH) key: SSH keys are heavily used access control protocols that provide direct root access to critical systems. Root is the username or account that, by default, has access to all commands and files on a Linux or other Unix-like operating system.
- Emergency account: This account provides users with administrative access to secure systems in the case of an emergency. It is sometimes referred to as a fire call or break glass account.
- Privileged business user: Is someone who works outside of IT, but has access to sensitive systems. This could include someone who needs access to finance, HR or marketing systems.
Examples of non-human privileged access:
- Application account: A privileged account that’s specific to the application software and is typically used to administer, configure or manage access to the application software.
- Service account: An account that an application or service uses to interact with the operating system. Services use these accounts to access and make changes to the operating system or the configuration.
- SSH key: (as outlined above) SSH keys are also used by automated processes.
- Secret: Used by development and operations (DevOps) teams often as a catch-all term that refers to SSH keys, application programme interface (API) keys, and other credentials used by DevOps to provide privileged access.
Privileged accounts, credentials and secrets exist everywhere. It is estimated that they typically outnumber employees by three to four times. In modern business environments, the privilege-related attack surface is growing as fast as systems, applications, machine-to-machine accounts, cloud and hybrid environments, DevOps, robotic process automation and IoT devices become increasingly interconnected.
Attackers know this and target privileged access. Today, nearly 100% of advanced attacks rely on the explanation of privileged credentials to reach a target’s most sensitive data, applications and infrastructure. If abused, privileged access has the power to disrupt business.
Notable Security Breaches Involving Privileged Access
Over the past decade, there have been numerous security breaches linked to privileged access abuse. From Yahoo!, the U.S. Office of Personnel Management, the Ukraine power grid and Uber, business of all sizes from all industries are experiencing severe data breaches. The common denominator in each attack was that privileged credentials were exploited and used to plan, co-ordinate and execute cyber attacks.
Key PAM Challenges
Organisations face several challenges protecting, controlling and monitoring privileged access, including:
- Managing account credentials: Many IT organisations rely on manually intensive, error-prone administrative processes to rotate and update privileged credentials. This can be an inefficient and costly approach.
- Tracking privileged activity: Many enterprises cannot centrally monitor and control privileged sessions, exposing the business to cyber security threats and compliance violations.
- Monitoring and analysing threats: Many organisations lack comprehensive threat analysis tools and are unable to proactively identify suspicious activities and remediate security incidents.
- Controlling Privileged User Access: Organisations often struggle to effectively control privileged user access to cloud platforms (Infrastructure as a Service and Platform as a Service), Software as a Service (SaaS) applications, social media and more, creating compliance risks and operational complexity.
- Protecting Windows domain controllers: Cyber attackers can exploit vulnerabilities in the Kerberos authentication protocol to impersonate authorised users and gain access to critical IT resources and confidential data.
Why is PAM Important to Your Organisation?
Humans are your weakest link. From internal privileged users abusing their levels of access, or external cyber attackers target ing and stealing privileges from users to operate stealthily as ‘privileged insiders’, humans are always the weakest link in the cyber security chain.
PAM helps organisations ensure that people have only the necessary levels of access to do their jobs. PAM also enables security teams to identify malicious activities linked to privilege abuse and take swift action to remediate risk.
In digital business, privileges are everywhere. Systems must be able to access and communicate with each other to work together. As organisations embrace cloud, DevOps, robotic process automation, IoT and more, the number of machines and applications that require PAM has surged and the attack surface has grown.
These non-human entities vastly outnumber the people in a typical organisation and are harder to monitor and manage – or even identify at all. Commercial-off-the-shelf (COTS) apps typically require access to various parts of the network, which attackers can exploit. A strong privileged access management strategy accounts for privileges no matter where they “live” – on-premises, in the cloud and in hybrid environments – and detects anomalous activities as they occur.
Cyber attackers target endpoints and workstations. In an enterprise, every single endpoint (laptop, smartphone, tablet, desktop, server, etc.) contains privilege by default. Built-in administrator accounts enable IT teams to fix issues locally, but they also introduce great risk.
Attackers can exploit admin accounts, then jump from workstation-to-workstation, steal additional credentials, elevate privileges, and move laterally through the network until they reach what they’re looking for. A proactive PAM program should account for the comprehensive removal of local administrative rights on workstations to reduce risk.
PAM is critical for achieving compliance. The ability to monitor and detect suspicious events in an environment is very important, but without a clear focus on what presents the most amount of risk – unmanaged, unmonitored, and unprotected privileged access – the business will remain vulnerable.
Implementing PAM as part of a comprehensive security and risk management strategy enables organisations to record and log of all activities that relate to critical IT infrastructure and sensitive information – helping them simplify audit and compliance requirements.
Organisations that prioritise PAM programs as part of their larger cybersecurity strategy can experience a number of organisational benefits, such as mitigating security risks and reducing the overall cyber-attack surface, reducing operational costs and complexity, enhancing visibility and situational awareness across the enterprise and improving regulatory compliance.
PAM Best Practices
The following steps provide a framework to establish essential PAM controls to strengthen an organisation’s security posture. Implementing a program that leverages these steps can help organisations achieve greater risk reduction in less time, protect their brand reputation and help satisfy security and regulatory objectives with fewer internal resources.
Eliminate irreversible network takeover attacks. Isolate all privileged access to domain controllers and other Tier0 and Tier1 assets and require multi-factor authentication.
Control and secure infrastructure accounts. Place all well-known infrastructure accounts in a centrally managed, digital vault. Regularly and automatically rotate passwords after every use.
Limit lateral movement. Completely remove all end point users from the local admins group on IT Windows workstations to stop credential theft.
Protect credentials for third-party applications. Vault all privileged accounts used by third party applications and eliminate hardcoded credentials for commercial off-the-shelf applications.
Manage *NIX SSH keys. Vault all SSH key-pairs on Linux and Unix production servers and rotate them on a routine basis.
Defend DevOps secrets in the cloud and on premise. Secure all Public Cloud privileged accounts, keys, and API keys. Place all credentials and secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a secure vault, enabling them to be retrieved on the fly, automatically rotated and managed.
Secure SaaS admins and privileged business users. Isolate all access to shared IDs and require multi-factor authentication.
Invest in periodic Red Team exercises to test defences. Validate and improve effectiveness against real world attacks.
How Can SysGroup Help?
SysGroup partner with CyberArk, the leading PAM vendor. We have a range of solutions that can help you manage your privileged accounts. Get in touch to discuss options.