Data breaches as a result of compromised privileged access are widespread, which is one reason why Matt Dircks, CEO with Bomgar, predicted that we’ll see more, and more serious, breaches and security incidents involving privileged access. “Hackers need high-level access, which they get through targeting privileged users like IT professionals, CEOs and vendors via phishing or malware to achieve their financial goals or other motivations,” Dircks said in an email comment. “These users are targeted by the threat actor because they are likely to have access to other privileged credentials that the hacker can leverage to increase dwell time and compromise their target.”
To protect the company from those insiders who abuse their privileged access and from hackers with stolen credentials, many companies are turning to a privileged access management (PAM) solution.
“PAM and its automation are crucial to minimizing risk and losses caused by insiders and intruders that steal credentials or exceed their authority,” said Philip Lieberman, president of Lieberman Software. “The technology reduces the labor of IT to maintain compliance and radically reduces the labor costs of changing passwords by hand.”
PAM Solutions: Critical to Securing Privileged Access
Why do you need a PAM solution?
Your organization needs a PAM solution for two primary reasons: the volume of administrative accounts and too few admins monitoring these accounts.
In the first situation, every operating system, every IoT device, every application that supports multiple users, every web server, every piece of network equipment has administrator accounts, and should those credentials get compromised by an attacker, they can easily be used to gain access to most other similar devices, if not every device on your network, said Nathan Wenzler, chief security strategist at AsTech.
For the second reason, Wenzler added, “Some of your employees may be given administrator-level credentials (your Domain Administrators, for example), but since most privileged credentials are built-in to operating systems or other platforms, they don’t typically represent a one-to-one relationship with a human administrator. That means that no one is watching over these accounts.”
The added problem of the cloud
It’s tough enough to manage privileged access within your internal infrastructure, but the cloud makes PAM much more difficult. “Individual lines of businesses manage access for their own users, and with hundreds of such cloud environments in a typical enterprise, it’s impossible for the security teams to centrally manage and monitor such access. As a result, security teams need to ensure they have visibility into all the cloud environments, and user activities within them,” said Varun Badhwar, CEO and co-founder of RedLock.
How PAM provides value
According to Mike Orosz, director, Threat & Investigative Services with Citrix, PAM solutions provide value to an organization in the following ways:
1. Proactively and centrally managing privileged account credentials.
2. Monitoring privileged access rights and logging account usage.
3. Providing single sign-on (SSO) for privileged access, so credentials are not revealed.
4. Eliminating password recycling and canned passwords (e.g., internet123), and improving the quality of the user experience.
PAM: Finding the unknown
The operative word in privileged access account is privileged. These users are using legitimate credentials to access the database or network, but how do you know if their use is authentic or nefarious? PAM solutions are built from traditional Identity Access Management (IAM) solutions, where role-based (RBAC) and attribute-based (ABAC) access control rules are used to define the privileges. However, these IAM solutions are designed only to establish a trusted user and are not capable of enforcing user behavior based on the information being sent and received, according to Jason Macy, CTO with Forum Systems.
Leverage purpose-built tools to manage these credentials
Typical IAM products don’t adequately provide the level of security controls and rigorous scrutiny that is needed to manage privileged accounts, said Wenzler. Administrator accounts require a different type of management that purpose-built, enterprise-grade PAM tools provide. This includes encrypting the passwords to prevent anyone from knowing or discovering what they are, integrating with a variety of applications, operating systems and devices to rotate and change the passwords on a regular basis, monitoring and logging activity down to the keystroke, and alerting the proper employees when some sort of unauthorized use of these critical credentials takes place. Modern PAM tools can accomplish all of this and more, and any organization with an IT infrastructure should implement some version of this to protect these types of accounts.
Behavior as authentication
Peter Gyöngyösi, product owner of Privileged Account Analytics at Balabit, said it is time to use behavior as authentication. Behavioral tools can track the habits of the user (e.g., typical time of day and activities performed), the devices and technologies used (e.g., touchpad versus mouse and keyboard; desktop or tablet), and the way individuals operate the devices and technologies (e.g., the software can distinguish between a touch typist and someone who uses one finger). The more the PAM solution knows about a user’s behavior, the better it can detect the difference between a legitimate user and a potential hacker.
A formal password policy
A formal password policy for privileged accounts can help assure accountability. “Policies should be based on the categorization and classification of privileged accounts specific to your organization. You can find policy templates online so you don’t have to start from scratch,” said Joseph Carson, chief security scientist at Thycotic.
Cut down on false positives
An obstacle to properly monitoring privileged users is the number of false positives that are generated. PAM solutions that focus on algorithms and behavior can cut down on the number of false positives and make monitoring more effective.
Create a strong PAM policy
Over the last several years, there have been a number of converging trends driving an increase in PAM, such as in areas like HIPAA, where restructured and structured access to information, systems, and administrative privileges has become a requirement, said Frank Picarello, COO of TeamLogic IT. That’s why companies need a strong PAM policy that should include:
• Limit – grant privileges to users only for systems they are authorized to use.
• Situational Access – grant access only when it’s needed and revoke access when the need expires.
• Managing Access – avoid the need for privileged users to have or need local/direct system passwords.
• Need for a holistic view and admin for access – centrally and quickly manage access over a disparate set of heterogeneous systems.
• Define a system to track all activity – create an unalterable audit trail for any privileged operation.
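Two items from the list above, situational access and the audit trail, sketched as an added example that is not from the article or from any PAM product. The class, function, user and host names are hypothetical, and the audit trail is made tamper-evident by hash chaining rather than literally unalterable.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value for the first audit record

def _digest(rec):
    """SHA-256 over every field except the record's own hash."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PrivilegedAccessBroker:
    """Time-boxed grants plus a hash-chained audit log (hypothetical sketch)."""

    def __init__(self):
        self.grants = {}  # (user, system) -> expiry in epoch seconds
        self.log = []     # audit records, each linked to the one before it

    def _audit(self, ts, user, system, action, outcome):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        rec = {"ts": ts, "user": user, "system": system,
               "action": action, "outcome": outcome, "prev": prev}
        rec["hash"] = _digest(rec)
        self.log.append(rec)

    def grant(self, user, system, now, ttl):
        """Situational access: the grant carries its own expiry."""
        self.grants[(user, system)] = now + ttl
        self._audit(now, user, system, "grant", f"expires={now + ttl}")

    def run(self, user, system, command, now):
        """Allow only under a live grant; denied attempts are logged too."""
        expiry = self.grants.get((user, system))
        allowed = expiry is not None and now < expiry
        self._audit(now, user, system, command, "allowed" if allowed else "denied")
        return allowed

def verify_chain(log):
    """Return the index of the first altered record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(rec):
            return i
        prev = rec["hash"]
    return -1

def demo():
    broker = PrivilegedAccessBroker()
    broker.grant("alice", "db01", now=1000, ttl=600)  # constructed sample data
    results = [broker.run("alice", "db01", "restart postgres", now=1200),
               broker.run("alice", "db01", "drop table", now=1700),  # expired
               broker.run("alice", "web01", "reboot", now=1200)]     # no grant
    return broker, results
```

The chain only detects edits if the latest hash is also kept somewhere the administrator being audited cannot write, since anyone able to rewrite the whole log could recompute every hash.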
Beyond PAM
Strong PAM solutions can help, but more is needed, according to Charles Choe, senior product marketing manager at Guidance Software. “Organizations must also map and monitor sensitive data to understand not just who can access it, but where that data resides across the enterprise. Finally, security teams need the ability to minimize and remediate sensitive information if and when it shows up in unauthorized locations,” he said.