Even before COVID-19 entered our lexicon, privileged access management (PAM) was widely recognized as a foundational cybersecurity technology. In recent years, almost every cyberattack has involved compromised or misused privileges/privileged credentials. Most malware needs privileges to execute and install payload. Once a threat actor has infiltrated an IT network, privileges are typically needed to access resources or compromise additional identities. With privileged credentials and access obtained, a threat actor or piece of malware essentially becomes a malicious “insider”. Outside of PAM, there are few defenses against a rogue insider.
In 2020, the largescale shift to working from home (WFH) imposed by the coronavirus has increased the urgency for maturation of PAM security capabilities. The subsequent increase in BYOD and shadow IT, compound by significantly more reliance on insecure WiFi networks and remote access pathways, has exacerbated many of the thorniest privileged access challenges. It’s also a proven recipe for breaches.
In the remainder of this blog, I will cover the 10 phases, or use cases, of PAM that comprise a complete, holistic privileged access management program. At BeyondTrust, we refer to this as the Universal Privilege Management model. This approach entails securing every privileged user (human or machine), session, and asset across your IT environment—leaving no privilege undiscovered, unmanaged, or unaudited. The 10 phases can be implemented via the three solutions that comprise a complete PAM platform—privileged password management, endpoint privilege management, and secure remote access.
While organizations most frequently begin with securing privileged credentials (privileged password management), you can start anywhere, so long as your PAM platform is flexible. With each PAM layer implemented, your organization eliminates and mitigates additional privileged attack vectors, while realizing new security and operational synergies.
1. Secure & Audit Privileged Account Credentials
Gaining control and accountability over privileged accounts—both human and machine—is often the first step organizations take on their PAM journey. Privileged password management solutions can automate the discovery, onboarding, management, and monitoring of the ever-expanding types of human and machine privileged accounts/credential types (privileged user passwords, application passwords, DevOps secrets, SSH keys, certificates, etc.), and bring those accounts/credentials under management within a centralized password safe. This is an important step for preventing or mitigating password re-use attacks and other backdoors (orphaned accounts, etc.) into the IT environment.
2. Enforce Least Privilege on Desktops (Windows and MacOS)
Enforcing least privilege on desktop devices is one of the most powerful ways to reduce endpoint security risk across the enterprise. Endpoint privilege management solutions can remove local administrative rights and default every user as a standard user. Rather than being enabled, persistent, and always-on, the privileges are only elevated on an as-needed basis and only for the targeted application or process. Limiting both the amount and duration of access condenses both the attack surface and threat window for malicious applications and activity that can abuse privileges.
3. Apply Least Privilege Across Your Server Environment (Windows, Unix, Linux)
IT admins often require elevated rights to perform their jobs. Unfortunately, in the wrong hands, high levels of privilege can be abused to inflict considerable damage to an IT environment and exfiltrate data. While sudo can help organizations “get by” in simple environments, it’s not an enterprise-class tool. Sudo suffers from significant security and administration drawbacks. Enterprise-class PAM solutions can enable organizations to efficiently and effectively delegate server privileges without disclosing the passwords for root, local, Active Directory domain, or bridged administrative accounts. Least-privileged, just-in-time access should always be enforced, and every privileged session should be closely audited and monitored.
4. Implement Application Reputation
PAM solutions should be able to enforce a number of application reputation strategies as part of endpoint privilege management. Some of these include:
- Application control capabilities, including allow listing, block listing, and reputation-based listing to restrict applications to only those approved to execute, with the correct privileges, within the appropriate context
- Applying real-time risk intelligence to inform privilege delegation and elevation decisions
- Command filtering (on Unix and Linux systems) and PowerShell script management (on Windows systems)
- Trusted application protection to add context to the IT process tree to prevent fileless attacks and attacks leveraging trusted applications to perform malicious activities
5. Control Remote Access
Rarely does a cyber attacker operate directly on a resource (such as a stolen laptop). Most attacks start externally via a remote access connection. Typically, these threats initially compromise a remote vendor or employee, then piggyback into an organization’s network. VPNs and other widely used remote access tools lack connection isolation, granular privilege and access controls, and application-based audit capabilities. With the recent, largescale shift to remote work, tools like VPNs and RDP are being stretched way beyond their legitimate use cases, contributing to a surge in targeted attacks and breaches. PAM platforms with privileged remote access capabilities can enforce least-privilege access and session auditing for remote access sessions—for both vendors and employees better than traditional VPN solutions alone.
6. Extend PAM Best Practices to Network Devices and IoT/IIoT
Some non-traditional endpoints and edge devices, like IoT, have minimal computing power, which means they may not be candidates for traditional endpoint security tools, like AV. Additionally, IoT and network devices may have embedded or easy-to-guess credentials, among other design flaws. That’s why it’s critical to extend credential management, least privilege, and other PAM controls to these devices and keep them properly segmented across your environment.
7. Extend PAM Best Practices to the Cloud and Virtualized Environments
In addition to suffering from many of the same privileged access weaknesses as on-premise environments, the cloud presents unique use cases, such as hypervisors, cloud management consoles, and APIs. In the cloud, ephemeral privileged accounts and credentials are rapidly instantiated and disposed of when new cloud and virtual instances are spun up and, just as easily, spun down. When managing any privileged account, discovery is the critical first step to gaining control over these assets and the many planes of privileges across cloud environments. Once cloud and virtualized instances and their assets are found, they must be managed to limit exposure, and all session access should be monitored and audited. Simply put, PAM has a substantive role to play when it comes to both cloud security and API security, regardless of the access and implementation of privileged accounts.
8. Extend PAM to DevOps and DevSecOps
DevOps seems to magnify many of the worst PAM challenges due to the heavy emphasis on automation and speed. Common DevOps risks include:
- Insecure code and hardcoded passwords
- Scripts or vulnerabilities in Continuous Integration/Continuous Deployment (CI/CD) tools, that could deploy malware or sabotage code
- Over-provisioning of privileges
- Sharing of DevOps secrets
While DevOps presents some special use cases, PAM’s role in DevOps security is comparable to any other environment—managing privileged accounts/credentials (including for CI/for CI/CD tools, service accounts, etc.), enforcing least privilege, etc. It also essential that the PAM solution does not disrupt or delay workflows, but rather enables peak DevOps agility. Securing the accounts, keys, and certificates required for automation is a fundamental part of extending PAM into your development and automation practices.
9. Integrate PAM and Identity Access Management
Identity and access management (IAM) solutions help IT teams answer, “Who has access to what?” PAM solutions answer the questions of “Is that access appropriate?” and “Is that access being used appropriately?” Complete visibility and accountability over identities requires bi-directional integration of privilege management and IAM solutions. Some PAM solutions also include AD Bridging capabilities, which help further centralize identity management and authentication by providing single sign on across Windows, Unix, Linux, and macOS environments using the same account for simplified access, monitoring, and reporting.
10. Integrate PAM with Other IT Tools
PAM + IAM integration is imperative, but your privileged access security workflows and data should also integrate with the rest of your IT and security ecosystem. Gaps in this ecosystem translate into security vulnerabilities and lost productivity. The better your PAM platform integrates (such as with SIEM, ITSM, etc.), the more effective your ability to orchestrate pinpoint responses to problems—or opportunities. As a rule of thumb, any security technology that solves a problem, but that does not integrate into the rest of your ecosystem, is a point solution with a finite lifespan. It could be argued that siloed solutions are also a waste of money and resources. Therefore, make sure your PAM investment works with, and integrates with, your overall IT and security ecosystem to best serve your environment.
Visit BeyondTrust for more information about securing your universe of privileges.
If you are interested in learning more about 10 steps to universal privilege management, tune in to my keynote at this week’s KCLive Event.