GartnerIAM 2023: How to be successful with Privileged Access Management
By Hanno Ekdahl
Idenhaus attended this Gartner session on privileged access management (PAM) led by Felix Gaehtens, and it was an excellent primer on how to think about privileged accounts, access management/controls around those accounts, how to approach a PAM implementation, and the continuous commitment that PAM requires. This article summarizes some of the session talking points as well as incorporating Idenhaus’ point of view.
Starting the PAM Journey: The case for Managing Privileged Accounts
PAM begins with collecting an inventory of your privileged accounts, a domain that is broader than many organizations realize: it includes local and domain administrative accounts, emergency accounts, application accounts, and service accounts. Many of these are embedded in applications and have elevated, often unrestricted, access to your IT resources and technologies, making them a prime target for attackers and software exploits (e.g., ransomware).
As a result, managing and monitoring privileged account usage is critical. Organizations are waking up to the fact that they need to get a handle on these accounts, whether that awareness is driven by an insurance audit, regulatory pressures, or internal risk management mandates. Regardless, the objective of PAM is to effectively protect, monitor, and manage privileged account access across the account life cycle; this includes authentication, authorization, auditing, and establishing robust access controls.
What is a Privileged Account?
Privileged accounts are defined by what they can do: (a) they can make configuration changes to other accounts, and/or (b) change security configurations, and/or (c) bypass security controls (i.e., the security rules do not apply to the account). As you might imagine, managing these accounts is a critical part of securing any business, and if these accounts are not controlled, the organization is at risk. It should be noted that most privileged accounts are service accounts used by machines and are not tied to a person. As such, they are often overlooked by organizations when they implement PAM and are left unprotected. These accounts may have credentials that never change because they are embedded in integrations, and they can represent a long-term, ongoing risk of compromise.
Key Objectives For A PAM Solution
- Discovery is a foundational element of any PAM journey. Most vendors provide discovery tools at no charge, which you can use to get started. Note that Discovery is a continuous process and is not a ‘one and done’ analysis.
- Vault Privileged Credentials
- Multifactor authentication for privileged access
- Adopt a least privilege model (right-size privilege for the task to be completed)
- Remove any passwords stored in clear text (e.g., in scripts)
- Ability to audit what a person/privileged account did
- Enable DevOps/DevSecOps/Cloud capabilities
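Two of the objectives above, discovery and removing clear-text passwords from scripts, overlap in practice: before a credential can be vaulted it has to be found, and hard-coded secrets in deployment scripts and config files are where many service-account passwords hide. The following is an added example (not code from the article, the session, or any PAM vendor) of a small scanner for that job. It runs over constructed sample files embedded inline, flags values assigned to credential-looking keys, and ignores values that are only references to a variable, command substitution or template placeholder, which is exactly what a script should contain once it pulls the secret from a vault at run time. Reported values are masked so the report itself does not become another clear-text copy.

```python
import re
from typing import List, NamedTuple, Tuple

# Credential-looking key followed by '=' or ':' and a value. An optional leading
# quote is consumed; the value stops at whitespace or a quote.
CRED_PATTERN = re.compile(
    r"""(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([^'"\s]+)"""
)

# Constructed sample files (path, contents) standing in for what a team might
# find on a build or jobs server. Not taken from any real system.
SAMPLE_FILES: List[Tuple[str, str]] = [
    ("deploy/backup.sh",
     "#!/bin/sh\n"
     "DB_USER=svc_backup\n"
     "DB_PASSWORD='Winter2023!'\n"
     "mysqldump -u $DB_USER -p$DB_PASSWORD prod > /backups/prod.sql\n"),
    ("jobs/sync.ps1",
     "$cred = Get-Credential\n"
     "Invoke-Command -Credential $cred -ScriptBlock { Sync-Data }\n"),
    ("etc/app.properties",
     "jdbc.url=jdbc:oracle:thin:@db01:1521/PROD\n"
     "jdbc.password = hunter2\n"
     'api_token: "tok_placeholder_123"\n'),
    ("ci/good.sh",
     "#!/bin/sh\n"
     "# Credential is fetched from the vault at run time, never stored here\n"
     "DB_PASSWORD=$(vault kv get -field=password secret/prod/db)\n"),
]


class Finding(NamedTuple):
    path: str
    line: int
    key: str
    masked_value: str


def is_reference(value: str) -> bool:
    """True when the value is an indirection rather than a literal secret:
    $VAR, $(command), ${VAR}, {{ template }}, %VAR% or a <PLACEHOLDER>."""
    return value.startswith(("$", "{{", "%", "<"))


def mask(value: str) -> str:
    """Keep two characters so the finding can be recognised, hide the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per literal credential assignment in the text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_PATTERN.finditer(line):
            key, value = m.group(1), m.group(2)
            if is_reference(value):
                continue  # vault lookup or variable: this is the desired state
            findings.append(Finding(path, lineno, key, mask(value)))
    return findings


def scan_files(files: List[Tuple[str, str]]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files:
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.key} = {f.masked_value}")
```

On the constructed input the scanner reports the backup script and two lines of the properties file, and stays quiet on the PowerShell job (which prompts for a credential object) and on the script that substitutes the password from a vault command. A regex like this is a first pass, not a secrets engine; the point is that the same discovery loop that inventories accounts should also walk the places where their passwords were pasted.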
Framework To Deploy Privileged Access Management
Begin with the understanding that you do not know where all the privileged accounts are, whether in databases, embedded in integrations, or on machines. The journey begins with discovery to identify and catalog all the privileged accounts. The next step is to understand that PAM will require people
- Put credentials for privileged accounts into a Vault, eliminating individual access without going through the tool
- Credentials are rotated, so no person has valid credentials for any length of time
- Best practice is to use session management tools, so the PAM tool logs the user in by injecting the credentials, which are never seen by the end user. If you don't use this:
  - You lose session management ability
  - You lose the ability to track what the user does
  - The tool publishes valid passwords to the user, which will be reset afterwards; however, there is a period of vulnerability using this method
- Look at specialized tools for Cloud environments
- Multi-factor authentication needs to be in the path for humans accessing privileged accounts
- Monitoring and recording are key
- Session isolation allows you to keep track of your privileged access and put controls around it. It is recommended to use jump servers that are integrated with PAM.
- Deploy an agent on workstations and take away local admin rights, so you have control over what a user can do on their machine
PAM is a critical capability for any organization because it eliminates multiple points of failure in the cybersecurity chain and protects against both internal and external attacks. People are the weakest link in cybersecurity. Internal privileged users may abuse their power (i.e., insider threats), and attackers work to compromise accounts and elevate privileges to exfiltrate your data. PAM addresses this issue by ensuring that people only have access to the resources they need to perform their assigned tasks, for a defined period of time. It is also a valuable tool for the security team to detect and correct the abuse of privileged access.
- It’s a long-term journey to get a successful PAM solution in place; it is not “set and forget”. Don’t forget to invest effort in change management.
- Start with your remote users, contractors, and vendors, since they will be easier to onboard to the program
- The journey begins with a comprehensive analysis across your environment to find all the privileged accounts
- It is a complex and difficult process, and discovery is a foundational element of any successful PAM journey. Most vendors provide discovery tools at no charge, and here are some additional areas to look at to find privileged accounts:
  - Use your CMDB and ITDR tools to determine what you have
  - CIEM tools to understand privileged accounts in your cloud infrastructure
  - CASB tools to understand privilege for SaaS applications
  - SIEM logs: filter out authentication events for people; service accounts should be what remains
- Vault privileged credentials. Focus on these accounts to get started:
  - Legacy machine accounts: very difficult to manage, often in cleartext
  - Cloud root accounts: very risky
  - Windows service accounts
  - Personal privileged accounts
  - Shared accounts
  - Automation accounts
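The SIEM heuristic in the discovery list above ("filter out authentication events for people; service accounts should be what remains") is easy to prototype. What follows is an added example, not code from the article or the session, that applies it to a constructed sample of logon events in a simplified key=value export loosely modelled on Windows Security event fields (4624 successful logon, 4625 failed logon, logon types 2 interactive, 3 network, 4 batch, 5 service, 10 remote interactive). The list of known people, the first.last naming convention and the admin-account suffixes are assumptions standing in for what your HR/IdM system and naming standard would supply. It goes one step beyond the text: accounts left after the human filter are also sorted into the vaulting categories named above (machine accounts, Windows service and batch accounts, and a person's personal privileged account), so the output maps onto the onboarding list.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set

# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    "ts=2023-03-01T08:02:11Z event=4624 account=jane.doe host=WS0123 logon_type=2",
    "ts=2023-03-01T08:02:40Z event=4624 account=svc_backup host=DB01 logon_type=5",
    "ts=2023-03-01T08:03:05Z event=4624 account=john.smith host=WS0456 logon_type=10",
    "ts=2023-03-01T08:05:00Z event=4624 account=sqlagent host=DB01 logon_type=4",
    "ts=2023-03-01T08:05:30Z event=4624 account=svc_backup host=FS02 logon_type=3",
    "ts=2023-03-01T08:06:12Z event=4624 account=DB01$ host=DC01 logon_type=3",
    "ts=2023-03-01T08:07:45Z event=4624 account=jane.doe host=FS02 logon_type=3",
    "ts=2023-03-01T08:09:00Z event=4624 account=deploybot host=APP03 logon_type=3",
    "ts=2023-03-01T08:10:00Z event=4625 account=svc_backup host=DB01 logon_type=5",
    "ts=2023-03-01T08:11:20Z event=4624 account=jane.doe-adm host=DC01 logon_type=10",
    "ts=2023-03-01T08:12:00Z event=4672 account=jane.doe-adm host=DC01 logon_type=10",
]

# Assumed: identities the HR/IdM system knows as people.
KNOWN_PEOPLE: Set[str] = {"jane.doe", "john.smith"}

# Assumed: suffixes the organisation appends to a person's secondary admin account.
ADMIN_SUFFIXES = ("-adm", "-admin", "_a", ".admin")

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict."""
    return dict(FIELD_RE.findall(line))


def person_behind(account: str, known_people: Set[str]) -> Optional[str]:
    """Return the person an account belongs to, or None for a non-human account.
    Checks the HR list, then the assumed first.last convention, then a known
    person plus an admin suffix (i.e. a personal privileged account)."""
    a = account.lower()
    if a in known_people or re.fullmatch(r"[a-z]+\.[a-z]+", a):
        return a
    for suffix in ADMIN_SUFFIXES:
        if a.endswith(suffix) and a[: -len(suffix)] in known_people:
            return a[: -len(suffix)]
    return None


def classify(account: str, logon_types: Set[int], owner: Optional[str]) -> str:
    """Map a non-everyday account onto the vaulting categories."""
    if owner is not None:
        return "personal-privileged"
    if account.endswith("$"):
        return "machine"          # computer account
    if 5 in logon_types:
        return "service"          # logged on by the service control manager
    if 4 in logon_types:
        return "batch"            # scheduled task / job
    return "network-only"         # never interactive; likely an automation identity


def find_privileged_candidates(lines: Iterable[str], known_people: Set[str]) -> Dict[str, dict]:
    """Drop people's everyday logons; summarise every other account."""
    acc: Dict[str, dict] = defaultdict(
        lambda: {"events": 0, "failures": 0, "hosts": set(), "logon_types": set(), "owner": None}
    )
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") not in ("4624", "4625"):
            continue  # only logon outcomes feed the inventory
        name = ev["account"]
        owner = person_behind(name, known_people)
        if owner == name.lower():
            continue  # a person's ordinary account: filtered out
        rec = acc[name]
        rec["events"] += 1
        if ev["event"] == "4625":
            rec["failures"] += 1
        rec["hosts"].add(ev["host"])
        rec["logon_types"].add(int(ev["logon_type"]))
        rec["owner"] = owner
    for name, rec in acc.items():
        rec["kind"] = classify(name, rec["logon_types"], rec["owner"])
    return dict(acc)


if __name__ == "__main__":
    for name, rec in find_privileged_candidates(SAMPLE_EVENTS, KNOWN_PEOPLE).items():
        print(f"{name:14} {rec['kind']:20} events={rec['events']} "
              f"failures={rec['failures']} hosts={sorted(rec['hosts'])}")
```

On the sample, jane.doe and john.smith disappear, and what remains is a service account seen on two hosts with one failed logon, a batch account, a computer account, a network-only automation identity, and jane.doe's admin account tagged back to its owner. The per-account host list and logon types are what you need next for onboarding: a service account that logs on from one host with logon type 5 is a Windows service to vault and rotate, while a name that appears with type 3 across many hosts is probably embedded in an integration and needs the application owner found first.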
Mr. Gaehtens’s concluding point, which I thought made eminent sense, was to divide your PAM program into two separate tracks. Track 1 focuses on capabilities (think development), and Track 2 focuses on account onboarding (think operations and maintenance). While Track 2 will go on forever, as the operational portion of PAM that onboards new applications and accounts, Track 1 will be a discrete implementation effort focused on capabilities such as vaulting and secrets management that can be developed, tested, and deployed.
Don’t forget that you can always talk to the cybersecurity experts at Idenhaus to see what PAM solutions would be best for your organization.