What is Privileged Access Management (PAM)? | Beyond trust (2023)

Lack of visibility and knowledge of privileged users, accounts, assets, and credentials

Long-forgotten privileged accounts are often scattered across organizations. Thoseorphan accountsthey can number in the millions and provide dangerous backdoors for attackers, including former employees who have left the company but retain access.

Provision of excessive privileges

If privileged access controls are too restrictive, they can disrupt user workflows, causing frustration and hampering productivity. Because end users rarely complain about having too many privileges, IT administrators have traditionally given end users broad sets of privileges. In addition, an employee's role is often fluid and can evolve so that they accumulate new responsibilities and the corresponding privileges while retaining privileges that they no longer use or need.

All this excess privilege results in a bloated attack surface. Routine computing for employees on personal PC users may involve browsing the Internet, watching videos, using MS Office and other basic applications, including SaaS (eg Salesforce.com, GoogleDocs, Slack, etc.). In the case of Windows PCs, users often log in with much broader administrative account privileges than necessary. These excessive privileges greatly increase the risk of malware or hackers stealing passwords or installing malicious code that can be delivered via web browsing or email attachments. The malware or hacker can take advantage of the full set of account privileges, access data on the infected computer, and even launch an attack against other computers or servers on the network.

Shared accounts and passwords

IT teams often share root, Windows administrator, and many other privileged credentials for convenience so that workloads and tasks can be seamlessly shared as needed. However, if multiple people share an account password, it may be impossible to link actions taken on an account to just one person. This creates security, auditability, and compliance issues.

Encrypted/Embedded Credentials

Privileged credentials are required to facilitate authentication for access and application-to-application (A2A) and application-to-database (A2D) communications. Applications, systems, network devices, and IoT devices can be shipped and deployed with built-in default credentials that are easy to guess and pose considerable risk. In addition, secrets are often encoded by employees in plain text, such as a script, code, or file, so that they are easily accessible when needed.

Manual and/or decentralized credential management

Privilege security controls are often immature. Privileged accounts and credentials can be managed differently across various organizational silos, leading to inconsistent application of best practices. Human privilege management processes cannot scale in most IT environments where there may be thousands, or even millions, of privileged accounts, credentials, and assets. With so many systems and accounts to manage, humans invariably take shortcuts, such as reusing credentials across multiple accounts and assets. Therefore, a compromised account can compromise the security of other accounts that share the same credentials.

Lack of visibility into service account and application privileges

Applications and service accounts often automatically run privileged processes to perform actions and communicate with other applications, services, resources, etc. Application and service accounts often have excessive privileged access rights by default and also suffer from other serious security flaws.

Siloed identity management processes and tools

Modern IT environments often run on multiple platforms (eg Windows, Mac, Unix, Linux) and environments (on-premises, Azure, AWS, Google Cloud), each maintained and managed separately. This practice equates to inconsistent IT management, additional complexity for end users, and increased cyber risk.

Cloud and virtualization management consoles and environments

AWS, Microsoft 365, etc. provide nearly unlimited super-user capabilities, allowing users to rapidly provision, configure, and remove servers at scale. From these consoles, users can effortlessly create and manage thousands of virtual machines (each with their own set of privileges and privileged accounts). Organizations need to have the right privileged security controls in place to integrate and manage all of these newly created privileged accounts and credentials at scale.

DevOps environments

DevOps's emphasis on speed, cloud deployments, and automation presents many privilege management challenges and risks. Organizations often lack visibility into the privileges and other risks presented by containers and other new tools. inappropriatesecret management, scrambled passwords, and privilege overprovisioning are just a few of the privilege risks that occur in typical DevOps deployments.

Edge computing and IoT devices

Perimeter networks are expanding to deliver data faster where it is needed. Access to and from these devices, as well as the devices themselves (often IoT), must be protected. And despite the pervasiveness of IoT, IT teams still struggle to discover and securely integrate legitimate devices at scale. Compounding this problem, IoT devices often have severe security drawbacks, such as hard-coded default passwords and the inability to harden software or update firmware. Also, they may not have enough processing power to run antivirus (AV) software. WFP has a key role to play.

(Video) BeyondTrust: Privileged Access Management Platform (PAM)

• A condensed attack surface that protects against internal and external threats:Limiting privileges to people, processes and applications means that avenues and entrances for exploitation are also reduced.

• Reduction of infections and spread of malware– Many varieties of malware (such as SQL injections, which rely on the lack of least privileges) require elevated privileges to install or run. Removing excessive privileges, such as applying least privilege across the enterprise, can prevent malware from taking hold or slow its spread if it does.

• Improved operating performance: Restricting privileges to the minimum range of processes to perform an authorized activity reduces the possibility of incompatibility issues between applications or systems and helps reduce the risk of downtime.

• Easier to achieve and prove compliance– By restricting the privileged activities that can be performed, privileged access management helps create an environment that is less complex and therefore easier to audit.

• Help meet cyber insurance requirements: In recent years, ransomware attacks and ransom payments have hurt bottom lines and threatened the viability of the cyber insurance industry. Cyber ​​insurers appreciate that PAM controls reduce risk and stop threats and are therefore powerful tools to reduce cyber liability. Today, many cyber insurers require PAM checks to renew or obtain new cyber liability coverage.Cyber ​​Insurance Requirements Checkliststhat are part of or precede the insurance application process, usually require a series of specific controls such as "It has a PAM system to manage privileged accounts and access".

• Remove administrator rights on the endpoints.Instead of providing standard privileges, standardize all users with standard privileges while enabling elevated privileges for applications and to perform specific tasks. If access is not initially provided but is required, the user can submit a support request for approval. For most Windows and Mac users, there is no reason for them to have administrator access on their local machine. Also, when it comes down to it, organizations need to be able to exercise control over privileged access to any endpoint with an IP: traditional, mobile, network device, IoT, SCADA, etc. From 2015 to 2020, 75% of critical Microsoft vulnerabilities could have been mitigated by removing administrator rights (Source:Microsoft Vulnerability Report 2022).

• Remove all root and administrator access rights to the servers and reduce each user to a standard user.This will dramatically reduce your attack surface and help protect your Tier-1 systems and other critical assets. "Unprivileged" standard Unix and Linux accounts do not have access to sudo, but still retain minimal standard privileges, allowing basic customizations and software installations. A common practice for standard Unix/Linux accounts is to take advantage of the sudo command, which allows the user to temporarily elevate privileges to root level, but without direct access to the root account and password. However, while using sudo is better than providing direct root access, sudo has many limitations with respect to auditability, manageability, and scalability. Therefore, organizations are best served by employing server privilege management technologies tocomplement or replace sudo. These PAM technologies allow granular elevation of privileges as needed, while providing clear auditing and monitoring capabilities.

• Remove unnecessary privileges.Enforce least privilege access rules through application control, as well as other strategies and technologies to remove unnecessary privileges from applications, processes, IoT, tools (DevOps, etc.), and other assets. Impose restrictions on software installation, use, and changes to operating system settings. Also limit the commands that can be entered on highly sensitive/critical systems.

• Remove permanent privileges (privileges that are "always on") whenever possible.Privileged access for human users should always expire. Timezero support privileges (ZSP)—the removal of all persistent privileges— is the ideal end state for human user accounts, many machine/application counts will still require persistent privileges to maintain uptime goals. Implementjust-in-time privilege management(also called privilege escalation) to elevate privileges as needed for specific applications and tasks only when they are needed.

• Limit privileged account membership to as few people as possible:This simple rule of thumb dramatically reduces the overall attack surface of the business.

• Minimize the number of entitlements for each privileged account:With this rule in place, any compromised account will result in a threat actor having only a limited set of privileges and will help limit the scope of a security breach.

• Centralize the security and management of all credentials (eg, privileged account passwords, SSH keys, application passwords, etc.) in a tamper-proof vault. Implement a workflow in which privileged credentials can only be verified until an authorized activity completes, after which the password is verified again and privileged access is revoked.

• Ensure strong passwords that can withstand common types of attacks (eg, brute force, dictionary-based, etc.) by applying strong password generation parameters such as password complexity, uniqueness, etc. .

• Routinely rotate (change) privileged passwords, shortening change intervals in proportion to password sensitivity. Quickly identifying and changing default credentials should be a top priority, as they present an outsized risk. For more sensitive accounts and privileged access, implementone-time passwords (OTPs), which expire immediately after a single use. While frequent password rotation helps prevent many types of password reuse attacks, OTP passwords can eliminate this threat. For DevOps workflows, implement dynamic secrets, in the ephemeral/OTP type generated as needed for a single client.

• Eliminate password sharing – Each account should have a single sign-on to ensure clear oversight and a clean audit trail.

• Never reveal passwords: Implement single sign-on (SSO) authentication to hide passwords from users and processes. Password managers can automatically inject passwords as needed.

• Remove embedded/encrypted credentialsand put under centralized management of credentials. This typically requires a third-party solution to separate the password from the code and replace it with an API that allows the credential to be retrieved from a centralized password vault.

Terminal Least Privilege Management

These solutions typically cover the enforcement of privileges, including elevation and delegation of privileges, on Windows and Mac endpoints (eg desktops, laptops, etc.).

Server and infrastructure privilege management

These solutions allow organizations to granularly define who can access Unix, Linux, and Windows servers, and what they can do with that access. These solutions may also include the ability to extend privilege management to network devices and OT/SCADA systems.File integrity monitoringmay be offered to provide additional protection against sensitive files and system changes.

application control

This covers the allowed listing, the blocked listing, and the gray listing. Application control exercises broad and granular control over which applications can run, how they can run, and in what context.Reliable application protectionis an advanced feature that applies additional context to intelligently break attack chain tools that can exploit legitimate and commonly used applications (PowerShell, Wscript, etc.) that are used in fileless or underground attacks (LoTL).

Ponte en Active Directory (AD)

AD Bridging solutions integrate Unix, Linux, and Mac on Windows, enabling consistent single sign-on, policy, and management. AD Bridging solutions typically centralize authentication for Unix, Linux, and Mac environments, extending the single sign-on and Kerberos authentication capabilities of Microsoft Active Directory to these platforms. Extending Group Policy to these non-Windows platforms also enables centralized configuration management, further reducing the risk and complexity of managing a heterogeneous environment.

Cloud Infrastructure Rights Management (CIEM):CIEM is a newer class of product focused on cloud entitlements of the right size. These solutions are typically designed to be multi-cloud (Azure, AWS, etc.), to centralize and simply apply least privilege.ICES productsidentify excessive privileged access and can automate its remediation.