Apr 30, 2024 • Company
Privileged Access Management: Gatekeeping for the Greater Good
As nineteenth century British historian Lord Acton famously wrote: "Power tends to corrupt ... and absolute power corrupts absolutely." Few examples better support this phenomenon than the privileged IT account.
Common and dangerous, users with generous account credentials and unchecked access to systems, software and information represent a significant risk in the modern enterprise. Without proper safeguards, access to accounts with elevated permissions can lead to — whether by mistake or misfeasance — the spread of malicious applications, the misconfiguration of devices, and the compromise of data integrity.
And that's just the insider threat. Attackers target privileged account credentials because these make the task of getting in, rooting around, and wreaking havoc on victims' systems far, far easier and exponentially more productive. The more unmanaged, high-value, high-permission accounts an organization has, the greater the chance one will fall into the wrong hands with catastrophic results.
Consider the case of X, the social media network formerly known as Twitter. In 2020, attackers armed with access to one of the platform's admin accounts compromised high-profile users like Joe Biden, Bill Gates, Elon Musk, and Barack Obama and posted messages promoting a cryptocurrency scam. The crime was made possible by social engineering just one Twitter employee who had administrative access to the company's user management platform.
That same year, hackers successfully bribed a customer support representative from kid-friendly online gaming platform Roblox to gain access to an admin account. Through this privileged account, the attackers were able to steal user data, change profile information, and pilfer in-game purchases – damaging the company’s reputation in the process.
These incidents are the norm, not the exception. According to Verizon’s Data Breach Investigations Report, more than one-third of breaches begin with some insider threat, deliberately or accidentally. Some 32% of reported incidents were related to privilege misuse, while 21% of breaches were due to password misuse.
The data demonstrates not only the important role privileged accounts and identities play in threat models and risk profiles, but also the imperative for proper privileged access management (PAM) to ensure users only get as much powerful account access as they need to do their jobs and only for as long as they actually need it.
Defining Privileged Access Management (PAM)
At its core, PAM is a threat-reduction strategy that combines processes and technologies to monitor, detect, and prevent unauthorized access to critical resources by accounts with high-level permissions. PAM differs from Identity and Access Management (IAM) in that IAM typically focuses on automated provisioning and decommissioning of individually assigned user accounts based on job roles – think standard Active Directory accounts owned by one human user, protected with a single password known only to that user.
PAM (and the tangentially related Privileged Identity Management, or PIM) focuses on managing the risk of accounts that generally can’t be attributed individually to specific users. This decoupling of privileged users from privileged accounts is central to the privileged access management model. Privileged users may access one or several privileged accounts to accomplish tasks like hardware and software deployment, password resets, sensitive data access, or infrastructure reboots and configuration changes. It's not unusual for organizations to have many more privileged account credentials on the books than they have employees on the payroll.
The ultimate goal of a PAM (or a PIM/PAM) platform is to manage this complexity; to limit the number of accounts with access to administrative functions, all while dutifully managing those that do. PAM tools reveal when privileged accounts are logged in, and what they are being used to do. PAM provides mechanisms for controlling these powerful accounts, often by applying policy- or time-based restrictions on access.
Many PAM solutions also include additional layers of protection that users can leverage when responding to breaches by attackers that have achieved some level of privileged access.
Organizations aspiring towards robust, effective privileged access management should aim for the principle of "least privilege," in which users, accounts, and computing processes are granted only as many access rights as is strictly necessary to perform legitimate routine activities. The least-privilege approach minimizes the risk of systems or data compromise resulting from a malicious attack on — or the accidental misuse of — privileged accounts.
PAM Discovery: Taking Stock of Privileged Account Types
One mistake organizations sometimes make when considering a PAM implementation is to acquire the tool first, then try to fit it to their environment. A better approach is to first look at the various types of accounts at risk in the enterprise, then determine whether a PAM platform is appropriate to address them. Common privileged accounts generally fall into one of the following categories:
Superuser accounts, such as the "root" account in Unix or Linux and the "Administrator" account in Windows. These accounts have unlimited access and privileges across the system.
Domain administrative accounts that have administrative rights across all workstations and servers within a particular domain.
Local administrative accounts built into the operating system with administrative rights mainly on a local workstation or server.
Application accounts, used by software apps with extensive privileges within the associated database environment.
Emergency accounts, provisioned to be used in the event of a crisis when normal access processes must be bypassed. These accounts usually have extensive privileges and must be tightly controlled and monitored.
System and service accounts used by apps and services to interact with the operating system. These often have more privileges than necessary by default.
Vendor accounts, assigned to a third-party partner or supplier in order to conduct routine business. These accounts often grant high-level access with little visibility or granular control, and many vendors use VPNs (Virtual Private Networks) to tunnel through the host's network.
Putting PAM Into Action
Once the organization has identified the presence and prevalence of their various privileged account types, the task turns to monitoring and managing privileged access activity in the interest of overall security posture and risk mitigation. A short list of requirements for a workable privileged access management strategy might include:
Crafting organizational policies governing all classes and categories of privileged accounts
Creating ephemeral credentials for access to critical assets
Opting for encrypted gateways rather than password-based credentials for remote access
Logging privileged account sessions for compliance auditing
Monitoring privileged access to detect abnormal behavior
Implementing specific security awareness training for users with privileged access to ensure PAM policies and strategies get ingrained into the culture
Exploring this a bit further, consider the use case offered by system admin-level accounts. These powerful accounts can be adequately secured with single-use or time-based credentials — often called "just-in-time" credentials — that are both strong and changed after each use. The process is far superior to traditional passwords, which get shared, reused and are ripe for abuse. Single-use credentials all but guarantee that a compromised password or hash is useless to an attacker. Many PAM platforms manage just-in-time credentials by correlating the password checkout process with the individual user, while also enforcing a second factor of authentication. For even stronger security, organizations can add the use of a privileged access workstation or embedded “jump box” along with host- or network-based firewalls to ensure these powerful accounts can only be accessed from a designated, pre-approved source.
Public Key Infrastructure (PKI) and certificate-based identity mechanisms can help further ensure that access to sensitive systems is safeguarded by cryptographically secure methods. To wit:
Certificate-Based Authentication: Leverages digital certificates issued by a trusted Certificate Authority (CA), guaranteeing that only authenticated users with the correct certificates can gain privileged access.
Non-Repudiation: PKI authenticates users and provides an audit trail, ensuring actions taken on systems can be traced back to the individual, minimizing the risk of repudiation.
Automated Key Management: Through the use of PKI, keys can be automatically rotated and managed, reducing the risk of unauthorized access due to compromised credentials.
Integration with PAM Solutions: PKI can be integrated into existing PAM solutions to provide an additional layer of security that complements traditional password-based systems.
Encrypted Communication Channels: PKI ensures that communications to and from privileged systems are encrypted, preventing eavesdropping or tampering with data in transit.
By leveraging PKI and cryptographic identities, organizations reinforce the security around their most vulnerable assets, ensuring that privileged accounts remain secure and that access is only granted to authorized entities.
Corralling local admin accounts, meanwhile, benefits from controls that require a unique, random password for every machine in the organization. A user requiring such access must know the device name before retrieving a local admin password for each service in the system. It’s a complex policy, but one capably handled by PAM solutions. After use, the password is reset to a new, unique credential. This works well should the user fall victim to a phishing or malware attack. Even with remote access to a device, an attacker cannot retrieve local admin credentials on the compromised machine for lateral movement. PAM not only thwarts the typical attack vector with unique, strong local admin passwords, it makes the hack attempt much more likely to trigger failed log-in alerts.
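The checkout-and-rotate flow described for just-in-time admin credentials above and for per-machine local admin passwords here, as an added illustration in Python that is not the author's code or any real PAM product: a vault mints a unique random password per host, releases it only to a named user who passed a second factor, for a bounded window, and rotates it the moment the session is checked in or the window lapses. The host names, the 15-minute default window and the MFA flag are assumptions.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def random_password(length: int = 24) -> str:
    """CSPRNG-generated value; a fresh one is minted per host and after every use."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class LocalAdminVault:
    """Constructed PAM-style vault: one unique random local admin password per host,
    released only to a named user who passed a second factor, for a bounded time,
    and rotated as soon as the session is checked in or the window expires."""

    def __init__(self, hosts, ttl_seconds: int = 900, clock=time.time):
        self._clock, self._ttl = clock, ttl_seconds
        self._passwords = {h: random_password() for h in hosts}
        self._active = {}   # host -> (user, expires_at)
        self.audit = []     # (event, user, host): the session log an auditor reviews

    def checkout(self, user: str, host: str, mfa_passed: bool) -> str:
        if host not in self._passwords:
            raise KeyError(f"unknown host: {host}")
        if not mfa_passed:
            self.audit.append(("denied_no_mfa", user, host))
            raise PermissionError("second factor required for privileged checkout")
        holder, expires_at = self._active.get(host, (None, 0.0))
        if holder and expires_at > self._clock():
            self.audit.append(("denied_in_use", user, host))
            raise PermissionError(f"{host} is checked out to {holder}")
        if holder:  # window lapsed without check-in: the old value may have leaked
            self._rotate(host, holder, "expired_rotated")
        self._active[host] = (user, self._clock() + self._ttl)
        self.audit.append(("checkout", user, host))
        return self._passwords[host]

    def checkin(self, user: str, host: str) -> None:
        """Ends the session; the password that was handed out is useless from here on."""
        holder, _ = self._active.get(host, (None, 0.0))
        if holder != user:
            raise PermissionError("no matching checkout")
        self._rotate(host, user, "checkin_rotated")

    def _rotate(self, host: str, user: str, event: str) -> None:
        self._active.pop(host, None)
        self._passwords[host] = random_password()
        self.audit.append((event, user, host))

    def is_valid(self, host: str, password: str) -> bool:
        """What the endpoint checks at logon: does the presented value match the current one?"""
        return secrets.compare_digest(self._passwords[host], password)
```

Because every host holds a different value and each value dies at check-in, a password captured from one compromised machine does not open any other, which is the lateral-movement property the paragraph above describes.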
For difficult-to-manage service accounts, organizations can use PAM tools to dynamically change service account passwords outright, but the risk of breaking system integrations is high unless in-house developers are thoroughly integrated into the process. Most organizations, therefore, opt for a defense-in-depth approach to service account security, combining the removal of interactive logins with host-based firewalls to restrict access to a bare minimum of systems, in addition to implementing strong passwords and diligent monitoring for misuse.
Making the Case for PAM
Privileged access management can help organizations manage risk, making it harder for attackers — internal and external — to get high-level access to critical network and data assets. PAM provides the monitoring and the granular controls necessary to discover all of an organization's privileged users along with detailed visibility into how the powerful accounts they access are being used. Key benefits of a robust PAM program include:
Reduced risk of data breach and the ability to limit damage from breaches in progress.
Smaller attack surface with fewer entrance points and lateral pathways available to internal and external threat actors.
Better governance and auditing with logs that detail all activity related to critical systems and data.
Risk mitigation scalability through automated discovery, monitoring and management across large numbers of privileged accounts, users, and assets.
The sprawl of privileged accounts over time, without proper security guardrails, exposes today's enterprises to significant risks, including — but not limited to — the spread of malware, the compromise of networked devices, and the loss of mission-critical data, with potentially catastrophic reputational or regulatory results. A proper privileged access management approach that combines thoughtful security policies and strategies with specific PAM technology point solutions is a critical piece of an organization's overall infosec arsenal.