Privileged Access Management – Gain back control of your privileged accounts

Often overlooked in the global cybersecurity strategy of an organization, Privileged Access Management (PAM) is becoming crucial to ensure the continuity of Identity and Access Management (IAM) and strengthen the security of privileged accounts within any organization.

In this article we will dive into what PAM is, its key principles, and major tools used by organizations to strengthen their Privileged Accounts security.


What are the risks of no Privileged Access Management?

A forgotten or poorly configured Privileged Access Management system can have serious consequences for the security of an organization: it exposes the organization to security breaches and lets an attacker gain control over critical systems, sensitive data and infrastructure components. Inadequate PAM also increases the risk of insider threats, since employees with excessive privileges can misuse their access, intentionally or unintentionally.

The misuse of these accesses and control over critical systems may cause:

  1. Data leaks: Misconfigured PAM can result in data leaks, exposure of confidential information and theft of intellectual property. If privileged accounts are not properly secured, attackers can exploit them to steal sensitive data: the lack of proper PAM makes it easier for an intruder to escalate privileges and reach far more data than the compromised account was ever meant to access.
  2. Compliance violations: Many industry regulations (such as GDPR, HIPAA or PCI DSS) require robust PAM practices to safeguard sensitive data. Non-compliance with these regulations can result in severe legal and financial repercussions, such as monetary penalties, loss of business licenses and damage to the company’s reputation.
  3. Operational disruptions and loss of productivity: Misconfigurations may cause service disruptions, downtime or system failures that may affect productivity, customer satisfaction, and overall business operations.

What are Privileged Accounts?

A privileged account is one that has higher permissions than the standard account created for every user of the organization. The definition can be very broad and depends on the specific circumstances of the company. What is important to note is that it can refer to access given to a human or to a non-human identity.

Human accounts are usually the easiest to identify and control: any user account that has more access to the information system than a regular user. Examples of privileged human accounts are:

  • Administrative users: used to administer the Information System; usually ICT team accounts.
  • Emergency users: Special accounts that are only used in case of a crisis (they usually grant super admin rights).
  • Privileged users: Accounts granted to regular non-IT users to perform special tasks on sensitive systems (a finance account that handles sensitive financial flows, a social media account…).
  • Third-party users: Accounts granted to third parties to perform maintenance or to access special areas of the Information System.

Non-human accounts relate to applications or services. They are a key part of the Information System, and an attack on such accounts would have serious impacts on the business. Some examples of these accounts are:

  • Service Accounts
  • Application Accounts

Administrative or highly privileged accounts are a particular target, because they allow attackers to add other accounts or make changes to assets that could make them more vulnerable to attacks. Service accounts are also sensitive because teams, internal or external, share them.

IT staff will have one account with standard permissions and a separate account for operations that require elevated permissions.

Privileged accounts can be humans, applications and services, systems and infra accounts. These classifications will determine the level of interaction and security controls applied to each privileged account.

Classifying privileged accounts is a good practice because it helps to identify and prioritize privileged accounts for the business and makes decisions easier when applying PAM related controls.


Privileged Accounts Management Best Practices

To implement a good PAM policy, it is necessary to consider it in all areas of the organization, whether it is to provision accounts, monitor them or deactivate them. Privileged Access Management encompasses governance, user management, logging and monitoring, as well as the security of privileged access channels.

  • Governance: Focuses on the integration of PAM as a subject into the IT Security Strategy.
    • Policies and Standards: Implementation of PAM within the global Information Security Policy alongside PAM standards (password policy, admin charters…).
    • Dedicated resources: Dedicate a person, team or department as owner of the PAM program (to write policies, take decisions…).
    • Awareness: Organize special awareness modules for those concerned by the PAM program.
  • Privileged User Management: Relates to everything about user account management, from the creation to the deletion of the account.
    • Account Provisioning: Granting and revoking privileged access to new users following a formalized and validated access granting/revoking process.
    • On-demand accounts: Implement privileged account “on-demand” usage instead of “always-on” availability.
    • Account Inventory: Privileged accounts should be maintained in a Privileged Account Inventory with basic information kept up to date (username, owner, department, manager, mail address…).
  • Logging & Monitoring: Monitoring of privileged account use via the capture of logs and other tools.
    • Monitoring sessions: Monitor and record sessions for privileged account activity involving sensitive data or systems.
    • Detection and Reaction: Ability to detect all privilege abuses and account compromises.
    • Audit Report: Generate automatic reports on the other controls in order to demonstrate compliance during the different kinds of audits.
  • Privileged Access Channels: Focuses on network security and administration channels.
    • Use of bastion: Access to administration areas is only possible through a bastion that segregates the network for IT administration.
    • Emergency channel: Management of emergency channels used to bypass security measures in case of emergency.

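The three Privileged User Management items above (a formal provisioning/revocation step, on-demand instead of always-on privilege, and an inventory with owner and manager attributes) fit together in one small broker. The following is an added example written for this article, not code from any PAM product; the class and method names, the 60-minute grant ceiling and the sample account are assumptions.

```python
# Added example (not from any PAM product): a minimal Just-in-Time privileged
# access broker with an account inventory, a formal provision/revoke step and
# time-boxed "on-demand" grants. Class and method names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PrivilegedAccount:
    """Inventory record with the basic attributes listed in the best practices."""
    username: str
    owner: str
    department: str
    manager: str
    mail: str
    kind: str  # "human" or "non-human": drives which controls apply


@dataclass
class Grant:
    username: str
    target: str
    reason: str
    granted_at: datetime
    expires_at: datetime


class PamBroker:
    """Holds the inventory, issues expiring grants and keeps an audit trail."""

    def __init__(self, max_grant_minutes: int = 60):
        self.max_grant_minutes = max_grant_minutes  # assumed policy ceiling
        self.inventory: dict[str, PrivilegedAccount] = {}
        self.grants: list[Grant] = []
        self.audit: list[dict] = []

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    # Account provisioning: every grant/revoke names an approver.
    def provision(self, account: PrivilegedAccount, approved_by: str) -> None:
        if not approved_by:
            raise PermissionError("provisioning requires a named approver")
        if account.username in self.inventory:
            raise ValueError(f"{account.username} is already inventoried")
        self.inventory[account.username] = account
        self._log("provision", username=account.username, approved_by=approved_by)

    def revoke(self, username: str, approved_by: str) -> None:
        del self.inventory[username]  # KeyError means there is nothing to revoke
        # Removing the account also kills any standing elevation it holds.
        self.grants = [g for g in self.grants if g.username != username]
        self._log("revoke", username=username, approved_by=approved_by)

    # On-demand elevation: privilege exists only for a justified, bounded window.
    def request_access(self, username: str, target: str, reason: str,
                       minutes: int, now: datetime) -> Grant:
        if username not in self.inventory:
            self._log("deny", username=username, target=target,
                      why="not in inventory")
            raise PermissionError(f"{username} is not a known privileged account")
        if not reason.strip():
            raise ValueError("a justification is mandatory")
        minutes = min(minutes, self.max_grant_minutes)  # cap, never extend
        grant = Grant(username, target, reason, now,
                      now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._log("grant", username=username, target=target,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, username: str, target: str, now: datetime) -> bool:
        return any(g.username == username and g.target == target
                   and g.granted_at <= now < g.expires_at
                   for g in self.grants)

    def expire(self, now: datetime) -> list[Grant]:
        """Sweep expired grants; run periodically so privilege never lingers."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self._log("expire", username=g.username, target=g.target)
        return expired


# Constructed reference time so callers can reason in elapsed minutes.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


if __name__ == "__main__":
    broker = PamBroker()
    broker.provision(PrivilegedAccount("adm_alice", "Alice", "ICT", "Carol",
                                       "alice@example.invalid", "human"), "ciso")
    broker.request_access("adm_alice", "db01", "change #1234 (constructed)",
                          minutes=30, now=T0)
    print(broker.has_access("adm_alice", "db01", minutes_after(10)))  # True
    print(broker.has_access("adm_alice", "db01", minutes_after(31)))  # False
    print(len(broker.expire(minutes_after(31))), "grant(s) expired")
```

Two design choices matter more than the code size: a request can shorten the window but never extend it beyond the policy ceiling, and revoking an account discards its open grants at the same time, so the inventory and the effective privileges cannot drift apart.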
Privileged Accounts Management Tools

Cybercriminals exploit privileged accounts to infiltrate and spread within information systems, making Privileged Access Management (PAM) a central element for defense against cyberattacks. PAM tools are essential for securing critical resources by managing and protecting privileged accounts, credentials and commands. By centralizing and controlling privileged accesses, PAM tools make it harder for unauthorized users to gain access to critical systems.

Several PAM tool vendors offer a variety of solutions. Here are some factors to consider when choosing a PAM tool:

  • Integration and Scalability: Consider the size and complexity of your IT environment, the possibility of scalability, as well as your specific security requirements.
  • Budget and Cost Effectiveness: Pricing models for PAM tools can vary. Be sure to get quotes from different vendors.
  • Deployment options: Consider the technical expertise required to implement and manage the PAM tool.
  • User experience and management: Make sure the interface is easy to use for its different kinds of users.
  • Homologation and compliance: Reduce the risk of fines and reputational damage by complying with standards and regulations (ISO 27K, GDPR…) that have strict requirements for the safeguarding of sensitive data.
  • Offered Features: Evaluate the features that seem the most important, such as password vaulting, session monitoring, and Just-In-Time provisioning.

It is important to reflect on those features and the benefits they may have on a security system. Here are some key features offered by different tools available on the market:

  • Reducing the attack surface: Reducing the number of accounts that are accessible to an attacker, especially local privileged accounts, is one way to prevent the exploitation of gaps in access management. It is also possible to reduce the number of privileges an account may have by applying the least privilege principle (give users just the privileges necessary to perform their tasks) or by assigning Just-in-Time privileges to authorized users (limiting the amount of time users hold those privileges). The tool can also set up rules and authorization conditions to automatically grant or deny access to critical systems.
  • Session monitoring: Monitor and record sessions for privileged account activity involving sensitive data or systems, including real-time observation through session sharing. Monitoring allows quick detection and reaction: the ability to detect privilege abuses and account compromises, trigger alarms, or terminate a session as soon as malicious activity is detected.
  • Secrets management: Securely store secrets for both human and non-human users. Secrets management also covers the protection of passwords through automatic, periodic, or connection-based rotation, and the removal of passwords from local disks, which closes off another avenue for compromise.
  • Business continuity and disaster recovery: PAM tools enhance resilience by safeguarding privileged accounts and access to critical systems even during disruptions. They also facilitate communication with end-users and provide clear instructions on how to access systems using backup credentials.

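The session monitoring feature described above only pays off if someone defines what "privilege abuse" looks like in the recorded trail. The following is an added example, not the output or code of any PAM product: three detection rules run over a constructed session log, checking that every privileged session comes from an inventoried account, passes through the bastion, and falls inside a window the on-demand process approved. The log format, the bastion address, the inventory and the approved windows are all assumptions.

```python
# Added example (constructed, not output of any PAM product): detection rules
# run over privileged-session log lines. Log format, rule names, the bastion
# address and the approved windows are assumptions for illustration.
import re
from collections import Counter
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) target=(?P<target>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)

# Constructed sample session log (UTC timestamps).
SAMPLE_LOG = """\
2024-05-01T09:05:10Z user=adm_alice target=db01 src=10.0.0.5 action=session_start
2024-05-01T09:40:00Z user=adm_alice target=db01 src=10.0.0.5 action=session_end
2024-05-01T10:02:33Z user=adm_bob target=fw01 src=10.0.3.44 action=session_start
2024-05-01T22:15:02Z user=svc_backup target=db01 src=10.0.0.5 action=session_start
2024-05-01T23:01:00Z user=root target=db01 src=10.0.0.5 action=session_start
"""


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed control data: the bastion, the inventory and the JIT windows the
# access process approved, keyed (user, target) -> (start, end).
BASTION_HOSTS = {"10.0.0.5"}
INVENTORY = {"adm_alice", "adm_bob", "svc_backup"}
APPROVED_WINDOWS = {
    ("adm_alice", "db01"): (_utc("2024-05-01T09:00:00Z"), _utc("2024-05-01T10:00:00Z")),
    ("adm_bob", "fw01"): (_utc("2024-05-01T09:00:00Z"), _utc("2024-05-01T12:00:00Z")),
}


def parse_line(line: str):
    """Parse one log line; returns None for lines that do not match the format
    (a gap in the trail is itself worth alerting on, but is out of scope here)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = _utc(ev["ts"])
    return ev


def detect(log: str, inventory, approved_windows, bastions) -> list:
    """Return one finding per violated rule for every session start."""
    findings = []
    for raw in log.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["action"] != "session_start":
            continue
        base = {"ts": ev["ts"].isoformat(), "user": ev["user"], "target": ev["target"]}
        # Rule 1: privileged session by an account that is not inventoried
        # (shared root, leftover local admin, or an account nobody owns).
        if ev["user"] not in inventory:
            findings.append({**base, "rule": "unknown_privileged_account"})
        # Rule 2: administration traffic that did not pass through the bastion.
        if ev["src"] not in bastions:
            findings.append({**base, "rule": "bypassed_bastion", "src": ev["src"]})
        # Rule 3: no approved on-demand window covers this session: standing
        # privilege, an expired grant, or a service account used interactively.
        window = approved_windows.get((ev["user"], ev["target"]))
        if window is None or not (window[0] <= ev["ts"] < window[1]):
            findings.append({**base, "rule": "outside_approved_window"})
    return findings


def run_sample() -> list:
    return detect(SAMPLE_LOG, INVENTORY, APPROVED_WINDOWS, BASTION_HOSTS)


def rule_counts(findings: list) -> dict:
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['rule']:28} user={f['user']} target={f['target']}")
```

On the constructed log this yields four findings: adm_bob administers the firewall from a workstation instead of the bastion, svc_backup opens an interactive session at night with no approved window, and the root session trips both the unknown-account and the no-window rules. Alice's session, which is inventoried, bastion-sourced and inside its window, produces nothing, which is the point: the rules encode the controls, so a clean trail stays quiet.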
By understanding the importance of PAM tools, their benefits and the key features they offer, an organization can make an informed decision to secure its privileged accounts and reduce its security risks.
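The secrets management feature listed above combines two rotation triggers: periodic (the password exceeds a maximum age) and connection-based (the password was revealed to someone for a session, so it is replaced as soon as the session ends). The following toy vault is an added example, not any product's implementation; the checkout/checkin API, the 90-day maximum age and the push hook that would set the new password on the target are assumptions.

```python
# Added example (toy, not a product's vault): a credential store that rotates
# secrets on check-in (connection-based) and when they exceed a maximum age
# (periodic). The API, the 90-day limit and the push hook are assumptions.
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def generate_password(length: int = 24) -> str:
    # secrets (CSPRNG), never random, for anything that protects an account
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Secret:
    account: str
    target: str
    password: str
    rotated_at: datetime
    checked_out_by: str = ""   # empty string: not checked out


class Vault:
    def __init__(self, max_age_days: int = 90):
        self.max_age = timedelta(days=max_age_days)
        self.store: dict[str, Secret] = {}  # the only place the secret lives
        self.pushed: list[tuple] = []       # what was pushed to which target
        self.audit: list[dict] = []

    def _push(self, s: Secret) -> None:
        # Assumed hook: a real deployment sets the new password on the target
        # (directory, database, appliance). Here it only records the event.
        self.pushed.append((s.account, s.target, s.rotated_at))

    def _rotate(self, s: Secret, now: datetime, why: str) -> None:
        s.password = generate_password()  # old value is dropped, not archived
        s.rotated_at = now
        self._push(s)
        self.audit.append({"event": "rotate", "account": s.account, "why": why})

    def onboard(self, account: str, target: str, now: datetime) -> None:
        s = Secret(account, target, generate_password(), now)
        self.store[account] = s
        self._push(s)
        self.audit.append({"event": "onboard", "account": account})

    def checkout(self, account: str, requester: str, now: datetime) -> str:
        """Reveal the password to one requester at a time."""
        s = self.store[account]
        if s.checked_out_by:
            raise PermissionError(f"{account} already checked out by {s.checked_out_by}")
        if self.needs_rotation(account, now):
            self._rotate(s, now, "max age reached at checkout")
        s.checked_out_by = requester
        self.audit.append({"event": "checkout", "account": account, "by": requester})
        return s.password

    def checkin(self, account: str, now: datetime) -> None:
        """Connection-based rotation: the revealed password dies with the session."""
        s = self.store[account]
        if not s.checked_out_by:
            raise ValueError(f"{account} is not checked out")
        self.audit.append({"event": "checkin", "account": account, "by": s.checked_out_by})
        s.checked_out_by = ""
        self._rotate(s, now, "connection-based: password was revealed")

    def needs_rotation(self, account: str, now: datetime) -> bool:
        return now - self.store[account].rotated_at >= self.max_age

    def rotate_stale(self, now: datetime) -> list:
        """Periodic rotation sweep; skips secrets that are currently in use."""
        rotated = []
        for s in self.store.values():
            if not s.checked_out_by and self.needs_rotation(s.account, now):
                self._rotate(s, now, "periodic: max age reached")
                rotated.append(s.account)
        return rotated


# Constructed reference time so callers can reason in elapsed days.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)


if __name__ == "__main__":
    v = Vault()
    v.onboard("svc_backup", "db01", T0)
    first = v.checkout("svc_backup", "adm_alice", T0)
    v.checkin("svc_backup", T0)
    print("rotated on check-in:", v.store["svc_backup"].password != first)  # True
    print("stale after 90 days:", v.rotate_stale(days_after(90)))  # ['svc_backup']
```

The check-in rotation is what makes a shared service account usable by several teams without the password leaking into ticketing systems, chat and shell history: whatever a person saw during the session stops working once they hand the account back.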


What is next for Privileged Access Management?

The future of privileged access management is all about getting smarter and more automated, notably with the rise of Artificial Intelligence and an even tighter integration with the broader security landscape in the years to come.

PAM tools will become more sophisticated, using advanced analytics to detect anomalies in privileged user behavior. This can help identify potential breaches or insider threats.

As more organizations move to the cloud, the demand for cloud-native PAM solutions will grow. These solutions, specifically designed for cloud environments, could offer greater scalability and flexibility.

Traditional passwords are becoming less secure. We can expect PAM solutions to integrate biometric authentication methods like facial recognition or fingerprint scanning for a more secure login experience.

Finally, we can expect more automation around Just-In-Time Access. Just-in-Time provisioning may become more filtered, granular, automatically granting access only to the specific resources needed for a defined task and duration.

Conclusion

Privileged Access Management is a field of cybersecurity that is often overlooked and reduced to creating administration accounts for operation teams. Actually, PAM is paramount for the cybersecurity strategy of organizations as privileged accounts are a priority target for attackers. PAM encompasses everything in the cyber life cycle of a company from creating processes to monitoring and logging.

With the help of PAM tools becoming more and more efficient and automated, PAM is now a must-have for organizations that seek to protect their critical assets and users.


Clément Brun & Maxime Duvaux
Lab IAM Brussels