Ken Robertson
Change is constant in the IT security industry, but one thing that remains the same is attackers abusing privileged credentials. Compromised privileged accounts are responsible for many data breaches every year. What can you do to protect your organization? One way is to develop a Privileged Access Management (PAM) strategy and hire a vigilant team to implement it. There are many options available for privileged account management solutions that will meet the needs of both small businesses and large enterprises, so start doing your research. This article will explain why a PAM strategy is important to your organization and, if you have already started your PAM journey, suggestions on features you may want to include in your program, like a centralized secret manager, are discussed.
Back in January, an introduction to PAM article was featured in the IDPro newsletter. Hopefully after reading it, many of you started developing your organization’s PAM strategy the very next day. Great job! You are in good company — Gartner recently listed privileged account management as the highest priority security project that chief information security officers (CISOs) should explore in 2018. If you haven’t started your organization’s PAM program, it’s not too late to get moving. As suggested in the previous article, start marketing the idea to your management, include PAM in your strategy sessions, and make an inventory of all of the privileged accounts in your environment. These steps will help you initiate your journey into PAM.
Increased attention for PAM programs
Privileged users and accounts are not new to IT departments. Application owners and system administrators have used privileged accounts to access critical systems for decades. What has changed to make privileged account management a top initiative for CISOs in 2018? There are many reasons, but it starts with managing risk within your organization. Countless data breaches could have been prevented by managing privileged credentials. CISOs understand if a privileged account is compromised, the risk to the organization is significantly greater because the attacker now has the ability to penetrate a larger portion of your environment (or of that system), with less chance of being detected, and with access to more sensitive data.
Another reason for the increased attention for a PAM program is due to the explosion of the number of privileged accounts in an organization. Executives are surprised to learn that they have significantly more privileged user accounts than employee logins. A survey conducted in 2013 determined that the number of privileged accounts in an organization is typically 3-4 times the number of employees. We know that ratio is even higher today due to increased use of automation with RESTful APIs, configuration management tools that can login to every server in your infrastructure, and VMs and containers that can be created by the thousands in seconds. The sheer volume of privileged accounts can make it difficult for organizations to manage.
An additional reason that CISOs are looking at their PAM program is due to a “back to basics” movement in security that has been going on for many years. The movement started as a cost saving proposal to automate and improve processes that were considered basic, yet foundational, areas of security. The impediments holding back security organizations are not related to technology, they are often related to processes.
Don’t assume basics are easy, because they are not. The basics are hard. The larger your organization, the more privileged accounts you need to manage. Fixing privileged access issues in legacy applications can be a huge challenge, especially when the original implementors are no longer with your company and the remaining staff has limited knowledge of how things work. Yet, it is precisely this type of application that an attacker will take advantage of to gain access to your data. The privilege access issue needs to be fixed or the application needs to be retired.
Efficiencies gained through automation and removing the human element from tedious tasks will strengthen your organization’s security posture, free up skilled resources to work on more challenging tasks, and save money. Consider this: does it make sense to fund projects for the latest and greatest security scanning tool if you know that you have gaps with privileged access management? No, of course not. Funding for your PAM program will have a better return on investment and will also shore up the foundation for your whole security organization.
Prioritize accounts based on risk
Every organization is different and will have different strategies for success. There is no single formula or magic bullet for implementing PAM that will work for everyone, but there are a handful of common risks found in most organizations. Operating system, domain admin, and database admin accounts are a good place to start. Phase your PAM program in using a risk-based approach and implement on highest risk systems and accounts first. Have a clear strategy for your program before selecting any PAM tools.
Your organization will want to define what makes an account privileged and what is considered high risk versus low risk. Without these definitions, system administrators and application owners are left to decide what should be considered a privileged account and they may miss including critical accounts in your inventory.
There will be many different types of privileged accounts in your environment, so as mentioned above, part of your PAM strategy and risk assessment is to identify and categorize them. The account’s level of privilege could come from its ability to change or modify user access, change system configurations, and change security settings. The privilege could also come from the classification of data that it can access, if that data is monetizable, or if the account could be used to harm a business’s reputation. Leaving social media accounts unmanaged puts your company at risk of possible brand damage. Often, account access is shared across multiple people and they are only protected with a username and password.
There are many resources online to help you with identifying types of privileged accounts, but here is a quick list of some of the common ones:
• Local admin accounts on servers
• Admin accounts for applications and databases
• Admin accounts for your Active Directory domain
• Emergency / fire call accounts to be used for recovery or troubleshooting
• Service accounts used by applications
• Application accounts used to connect to databases
When creating your privileged account inventory, it is easy to overlook some types of accounts. Here are some of the privileged account types that are commonly missed:
• API keys used by applications to connect to other applications and services
• SSH keys used by humans and applications to connect to OS
• Social media accounts for apps like Twitter, Facebook, and LinkedIn
• Cloud console accounts for AWS, Azure, and Google Cloud
Centralized Secret Managers
A relatively new feature in the PAM toolbox is a centralized secret manager for handling credentials for API keys, database connections, configuration management, containers, and your DevOps pipeline.
You may think that you already have this use case covered with your enterprise password manager, but in many cases, your traditional tools will not be able to keep up with the demand. Secret managers are optimized to handle highly automated environments, like your CI/CD pipeline and your configuration management and build systems. You can think of a secret manager as complementing your existing password manager.
A big part of setting up DevOps tools is about configuring the secrets that will allow them to communicate with other apps and services. Configuration management tools, like Chef, Puppet, etc. have localized secret managers built into them to be used for installing software and for connecting to operating systems, data bases, and APIs. Each tool manages its own set of privileged credentials, with different access controls and different logging capabilities. Access to the data isn’t always logged, so if you have an intrusion, it isn’t clear what data has been accessed and by who. Every tool becomes its own island of accounts and security controls making it impossible task manage.
This is where a centralized secret manager can help you. The key here is centralized and not tied to any specific automation tool. From a risk perspective, it becomes very difficult to manage the highly privileged credentials when they are scattered all about. A centralized secret server can be utilized by all of the tools and services in your organization and your PAM team will be able to manage and monitor the secrets while not getting in the way of the automation.
There are several secret managers available that have both an open source version as well as an enterprise version. This is great because it will allow your team to install and test in your environment and determine the value that they provide.
Conclusion
PAM is a trending topic right now, and for good reason. Privileged accounts are being abused by both external and internal threats and that is going to continue. In general, the number of privileged accounts greatly exceed the number of user accounts and staffing needs to be able to appropriately handle the volume. PAM is more than password management. It is necessary for organizations of every size to have a strategy around how they will handle privileged accounts. PAM is a program that can be started immediately to significantly reduce risk, secure information and provide a positive business impact.
