Privileged Access Management
Privileged access management (PAM) is defined as the provisioning of tools that help organizations manage and secure accounts that have access to critical data and operations. Any compromise in these ‘privileged’ accounts can lead to financial losses and reputational damage for the organization.
Every organization’s infrastructure is built from multiple layers of deployments, data stores, applications, and third-party services. Some of these components are critical to operations, while others may be as mundane as email. But each of them is accessed by user accounts, which come in two types:
Human users: These are typically employee accounts across all departments, including HR, DevOps, and network administrators.
Automated non-human users: These are the service accounts used by applications, scripts, and third-party services that need to integrate with the organization’s systems.
‘Privilege’ is defined as the authority an account has to modify some part of the company’s technology architecture, from individual devices to the office network. Privilege allows the bypassing of security restraints that are normally applied to all accounts.
A standard account is the norm among employees and carries the least privilege. It is used to access and operate a limited set of resources such as internet browsing, email, and office suites. A privileged account possesses more capabilities than a standard account, and that elevated access is gained using privileged credentials.
Despite the numerous headline-making incidents in recent years, cybercrime continues to rise, with reported data breaches increasing by 75% over the past two years. For those that suffer a breach, the repercussions can be costly: increased public scrutiny, costly fines, decreased customer loyalty and reduced revenues. It is no wonder that cybercrime has risen towards the top of the list of concerns for many organisations and the customers with whom they do business.
You’ve heard many of the stories: Equifax, Uber, Facebook, MyHeritage, Under Armour, and Marriott. Personal data from millions of their customers was stolen. Even though the number of breaches went down in the first half of 2018, the number of records stolen increased by 133 percent to almost 4.5 billion records worldwide. Unfortunately, things are only likely to get worse. According to a 2018 study from Juniper Research, an estimated 33 billion records will be stolen in 2023, a 275 percent increase from the 12 billion records estimated to have been stolen in 2018.
Are you ready for more bad news? Thanks to the demands of the application economy, the threat landscape has expanded, and protecting against these threats has only become more challenging.
Victims of the future
Digital transformation is a necessity for organisations to not only survive but thrive in the application economy. But these transformations are creating an expanding set of new attack surfaces that must be defended, in addition to the existing infrastructure that you have been protecting for years. These new points of vulnerability include:
DevOps adoption: In more sophisticated IT shops, continuous delivery and continuous testing practices have introduced automated processes that see no human intervention at all. In many cases, these scripts, pipeline definitions and tools use hard-coded administrative credentials that are ripe for theft and misuse: anyone who can read the repository, the build log or the container image can read the credential too.
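The DevOps point above is easiest to see on a real script. The following is an added example, not code from this article or from any PAM product: a small scanner that walks a constructed deploy script, reports literal credentials in variable assignments, CLI flags, basic-auth arguments and URLs, and ignores values that are injected at run time (`${VAR}`, `{{ var }}`, placeholders). The regexes, the placeholder rules and the sample script are all assumptions made for the demonstration.

```python
"""Scan CI/deploy scripts for hard-coded privileged credentials.

Added example, not code from the original article. The patterns, the
placeholder rules and the sample script below are constructed for illustration.
"""
import re

# Variable names that usually hold a secret (matched case-insensitively).
_SECRET_NAMES = r"(?:pass(?:word|wd)?|secret|token|api[_-]?key|private[_-]?key)"

# Each pattern captures the candidate secret in a group named "value".
_PATTERNS = [
    # KEY=literal, KEY="literal", key: literal  (shell, YAML, Python, JSON)
    ("assignment", re.compile(
        rf"(?i)\b\w*{_SECRET_NAMES}\w*\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)")),
    # --password value, --password=value, mysql-style -pVALUE (no space)
    ("cli-flag", re.compile(
        r"(?i)(?:--password(?:=|\s+)|(?<=\s)-p(?=\S))(?P<value>[^\s'\"]+)")),
    # curl -u user:pass, --user user:pass
    ("basic-auth", re.compile(
        r"(?<=\s)(?:-u|--user)\s+[^\s:]+:(?P<value>[^\s'\"]+)")),
    # scheme://user:pass@host
    ("url", re.compile(
        r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<value>[^\s@/]+)@")),
]

_PLACEHOLDERS = {"changeme", "password", "secret", "null", "none", "true", "false"}


def _is_reference(value):
    """True when the value is an injected reference or placeholder, not a literal secret."""
    if value[:1] in "$%<" or value.startswith("{{"):
        return True
    lowered = value.lower()
    return lowered in _PLACEHOLDERS or set(lowered) <= set("*x")


def _mask(value):
    return value[:2] + "*" * (len(value) - 2)


def find_hardcoded_credentials(text):
    """Return [{line, kind, value}] for every literal credential found; values are masked."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in _PATTERNS:
            for match in pattern.finditer(line):
                value = match.group("value")
                if len(value) < 4 or _is_reference(value) or (lineno, value) in seen:
                    continue
                seen.add((lineno, value))
                findings.append({"line": lineno, "kind": kind, "value": _mask(value)})
    return findings


# Constructed sample: a deploy job with several hard-coded privileged credentials
# and two values that are injected at run time and must not be reported.
SAMPLE_DEPLOY_SCRIPT = """\
#!/bin/sh
# constructed sample deploy job
set -e
export ADMIN_PASSWORD="Sup3rAdmin!"
mysql -u root -pR00tPw -h db.internal -e "ALTER USER 'app'@'%' ..."
curl -u deploy:Dep10yKey https://artifacts.internal/upload
git clone https://svc-account:ghp_examplePAT@git.internal/infra.git
# these are fine: the values are injected at run time
export DB_PASSWORD="${VAULT_DB_PASSWORD}"
api_key: {{ secrets.API_KEY }}
"""

if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_DEPLOY_SCRIPT):
        print(f"line {finding['line']:>3}  {finding['kind']:<11} {finding['value']}")
```

Run against the sample it reports four findings (lines 4 to 7) and stays silent on the two injected values. A scanner like this belongs in the pre-commit hook and the pipeline itself; the fix for each hit is to move the credential into the vault and have the job check it out at run time.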
Hybrid environments: As your IT environment has evolved to include software-defined data centres and networks, and expanded outside your four walls to incorporate public cloud resources and software-as-a-service (SaaS) applications, the traditional way of approaching administration and management quickly falls apart, mainly because it fails to protect new attack surfaces such as cloud management consoles and APIs, where a single stolen key or token carries full administrative power.
Internet of Things: Smart devices are proliferating in our lives, from phones to watches, from refrigerators and cars to medical implants and industrial machinery. Because these devices are connected, they can be attacked, and they are already being compromised wherever security is inadequate or non-existent.
Third-party access: Outsourcing development or IT operations has become the norm, and many companies also share information with partners. However, many of these third-party employees are being granted ‘concentrated power’ via administrative access. Who is watching how they are using, or potentially misusing, that access?
Take hold of the flame
Stealing and exploiting privileged accounts is a critical success factor for most types of attack. This is not surprising when one considers that privileged identities have access to the most sensitive resources and data in your environment; they literally hold the keys to the kingdom.
Thankfully, there is a positive angle to this fact. If privileged accounts are the common thread among innumerable attack types and vulnerability points, then these accounts, and the credentials associated with them, are exactly where you should focus your protection efforts.
For many, focusing on ‘privileged users’ is difficult because the population can be so diverse. Privileged accounts and access are granted not just to employees with direct, hands-on responsibility for system administration, but also to contractors and business partners. You may even have privileged unknowns who are securing ‘shadow IT’ resources without your knowledge. And in many cases, privileged accounts aren’t people at all: they may be applications or configuration files empowered by hard-coded administrative credentials.
This begs the question: if you can’t even get a clear tally of who makes up your privileged user population, how can you hope to protect these accounts? By securing those accounts at each stop along the breach kill chain.
Breaking the chains
What is a kill chain? It is the series of steps an attacker typically follows when carrying out a breach. While the chain can comprise numerous steps, there are four key ones in which privileged credentials are the cornerstone of an attack:
1. Gain access and expand: To access the network, insiders might exploit the credentials they already have, while outsiders will exploit a vulnerability in the system to steal the necessary credentials.
2. Elevate privileges: Once inside, attackers will often try to elevate their privileges so they can issue commands and gain access to whatever resources they are after.
3. Investigate and move laterally: Attackers rarely land in the exact spot where the data they are seeking is located, so they will investigate and move around the network to get closer to their ultimate goal.
4. Wreak havoc: Once they have the credentials they need and have found exactly what they are looking for, the attackers are free to wreak havoc (e.g. theft, business disruption, etc.).
If you can prevent an unauthorised user, insider or outsider, from gaining access to the system in the first place, you can stop an attack before it even starts. To prevent unauthorised access, you must:
• Store all privileged credentials in an encrypted vault and rotate them on a periodic basis, and immediately whenever one may have been exposed.
• Authenticate all users, applications, and services before granting access to any privileged credential.
• Employ automatic login and single sign-on, so the vault injects the credential into the session and users never learn the privileged credential.
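The three controls above fit together in one broker, and seeing them as code makes the "users never know the credential" point concrete. What follows is an added example, not code from this article or from any PAM product: a small vault that seals secrets at rest, refuses to hand out a credential that is overdue for rotation, authenticates every caller before a checkout, and passes the secret straight into a session callback so that only the session's result ever leaves the broker. The seal/unseal pair is an HMAC-SHA256 stand-in for a real authenticated cipher such as AES-GCM, and the master key, principal names, tokens and secrets are constructed for the demo.

```python
"""A minimal privileged-credential broker: secrets sealed at rest, age-based
rotation, caller authentication, and credential injection so the caller
never sees the secret. Added example, not the article's or any vendor's
code. seal/unseal is an HMAC-SHA256 stand-in for a real AEAD such as AES-GCM
(use the `cryptography` package in anything real); the master key, the
principals and the secrets in demo() are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (illustrative, not production crypto)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    """Verify the tag before decrypting; a modified record is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    def __init__(self, master_key, max_age_seconds):
        # separate encryption and MAC keys derived from one master key
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._max_age = max_age_seconds
        self._records = {}     # name -> (sealed blob, stored_at)
        self._principals = {}  # principal -> (sha256(token), frozenset of allowed names)
        self.audit = []

    def register(self, principal, token, allowed):
        self._principals[principal] = (hashlib.sha256(token.encode()).digest(), frozenset(allowed))

    def store(self, name, secret, now=None):
        now = time.time() if now is None else now
        self._records[name] = (seal(self._enc_key, self._mac_key, secret.encode()), now)

    def stale(self, now=None):
        """Names whose credential is older than the rotation window."""
        now = time.time() if now is None else now
        return sorted(n for n, (_, t) in self._records.items() if now - t >= self._max_age)

    def rotate(self, name, generate, now=None):
        self.store(name, generate(), now)
        self.audit.append(("rotate", name))

    def _authenticate(self, principal, token):
        record = self._principals.get(principal)
        # compare against a dummy digest for unknown principals so timing is uniform
        expected = record[0] if record else bytes(32)
        ok = hmac.compare_digest(expected, hashlib.sha256(token.encode()).digest())
        if record is None or not ok:
            self.audit.append(("auth-fail", principal))
            raise PermissionError(f"authentication failed for {principal!r}")
        return record[1]

    def run_as(self, principal, token, name, session, now=None):
        """Authenticate, authorise, unseal, and hand the secret to `session`.

        Only the session's return value leaves this method; the secret itself is
        never returned to the caller, which is what 'automatic login' means.
        """
        allowed = self._authenticate(principal, token)
        if name not in allowed:
            self.audit.append(("deny", principal, name))
            raise PermissionError(f"{principal!r} is not authorised for {name!r}")
        if name in self.stale(now):
            raise RuntimeError(f"{name!r} is overdue for rotation; refusing checkout")
        secret = unseal(self._enc_key, self._mac_key, self._records[name][0]).decode()
        self.audit.append(("checkout", principal, name))
        return session(secret)


def demo(t0=1_700_000_000):
    """Store, check out, let the credential age past the window, rotate, check out again."""
    vault = Vault(secrets.token_bytes(32), max_age_seconds=24 * 3600)
    vault.store("db-admin", "Initial-Pw-1", now=t0)
    vault.register("ci-deploy", "ci-token-1", allowed={"db-admin"})

    def connect(password):  # the "session": consumes the secret, returns only a result
        return f"connected with a {len(password)}-character password"

    vault.run_as("ci-deploy", "ci-token-1", "db-admin", connect, now=t0 + 60)
    for name in vault.stale(now=t0 + 25 * 3600):  # a day later rotation is overdue
        vault.rotate(name, lambda: secrets.token_urlsafe(24), now=t0 + 25 * 3600)
    vault.run_as("ci-deploy", "ci-token-1", "db-admin", connect, now=t0 + 25 * 3600)
    return vault.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points carry over to any real deployment: the broker records every checkout, denial and rotation in an audit trail keyed by the authenticated principal, and a stale credential is refused rather than handed out, which forces rotation to happen instead of silently drifting.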
Limiting privilege escalation
In many networks, it’s common for users to have access to more resources than they actually need – which means attackers can cause maximum damage quickly and even benign users can cause problems inadvertently. This is why granular access controls are so important.
To limit privilege escalation, you must:
• Adopt a ‘zero trust’ policy that grants access only to the systems people need for their work, evaluated for each request rather than assumed from the user’s location on the network.
• Implement filters and allow/deny lists (white/black lists) to enable fine-grained control over which commands and resources a privileged session may use.
• Proactively shut down attempts to move laterally to systems the session is not authorised to reach.
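The three bullets above describe one policy engine. The following is an added example, not code from this article or from any PAM product, showing such an engine as a default-deny evaluator: each request names the principal, the host the session comes from, the target host and the command; anything without an explicit grant is refused, commands are checked against a global deny list and then the grant's allow list, and a session that did not originate from a sanctioned jump host is treated as lateral movement. The grants, hosts, command patterns and sample requests are constructed for the demonstration.

```python
"""Default-deny privileged access policy with command allow/deny lists and a
lateral-movement check. Added example, not the article's code: the principals,
hosts, patterns and sample requests below are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    hosts: frozenset        # target hosts the principal may administer
    allow_commands: tuple   # glob patterns of commands permitted on those hosts
    via: frozenset          # sanctioned source hosts (jump hosts) for the session


@dataclass(frozen=True)
class Request:
    principal: str
    src_host: str
    dst_host: str
    command: str


# Refused for everyone regardless of grant: account creation or modification,
# setuid bits, and outbound hops to other machines from a privileged session.
DENY_COMMANDS = ("useradd *", "usermod *", "passwd *", "visudo*", "chmod 4*",
                 "chmod u+s *", "ssh *", "scp *", "nc *")


class Policy:
    """Every request is evaluated on its own; nothing is inherited from being on the network."""

    def __init__(self, grants, deny_commands=DENY_COMMANDS):
        self.grants = grants
        self.deny_commands = deny_commands

    def evaluate(self, req):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        grant = self.grants.get(req.principal)
        if grant is None:
            return False, f"no grant for principal {req.principal!r}"
        if req.src_host not in grant.via:
            return False, f"lateral movement: session from {req.src_host!r} did not come via a jump host"
        if req.dst_host not in grant.hosts:
            return False, f"{req.dst_host!r} is not in the grant for {req.principal!r}"
        for pattern in self.deny_commands:
            if fnmatchcase(req.command, pattern):
                return False, f"command matches deny pattern {pattern!r}"
        if not any(fnmatchcase(req.command, p) for p in grant.allow_commands):
            return False, "command is not on the allow list for this grant"
        return True, "allowed"


GRANTS = {
    "dba": Grant(hosts=frozenset({"db01", "db02"}),
                 allow_commands=("systemctl * postgresql", "psql *", "tail * /var/log/postgresql*"),
                 via=frozenset({"bastion"})),
    "webops": Grant(hosts=frozenset({"web01", "web02"}),
                    allow_commands=("systemctl * nginx", "nginx -t", "tail * /var/log/nginx/*"),
                    via=frozenset({"bastion"})),
}

# Constructed requests, one per decision path in Policy.evaluate.
SAMPLE_REQUESTS = [
    Request("dba", "bastion", "db01", "systemctl restart postgresql"),   # allowed
    Request("dba", "bastion", "web01", "systemctl restart postgresql"),  # host not granted
    Request("dba", "db01", "db02", "psql -c 'select 1'"),                # lateral move, not via bastion
    Request("dba", "bastion", "db01", "ssh db02"),                       # deny list: outbound hop
    Request("webops", "bastion", "web01", "useradd -o -u 0 support"),   # deny list: backdoor account
    Request("webops", "bastion", "web01", "cat /etc/shadow"),           # not on the allow list
    Request("intern", "bastion", "web01", "nginx -t"),                   # no grant at all
]


def evaluate_all(policy=None, requests=SAMPLE_REQUESTS):
    policy = policy or Policy(GRANTS)
    return [policy.evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, evaluate_all()):
        print("ALLOW" if ok else "DENY ", req.principal, f"{req.src_host}->{req.dst_host}",
              repr(req.command), "|", why)
```

Only the first request is allowed. Note the order of checks: the source-host test runs before the command is even looked at, so a session that hops server to server is cut off whatever it tries to run, and the deny list is applied before the allow list so a broad allow pattern can never re-enable a refused command.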
Monitoring privileged activity
Whether it is a trusted insider who wandered into the wrong area or an attacker with malicious intent, there is a very good chance that at some point users will gain access they should not have.
The challenge, then, is to improve visibility and forensics around user activity within sensitive systems. To detect and deter violations at this late stage of the kill chain, you must:
• Ensure that all privileged access and activity is attributed to a specific user, including activity under shared accounts such as root or Administrator.
• Monitor all privileged activity to proactively detect unusual behaviour and trigger automatic mitigations such as terminating the session.
• Record all user sessions so that all privileged activities can be played back in DVR-like fashion.
• Review and certify privileged access on a periodic basis to ensure that it is still required, and remove access that is no longer used.
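The four monitoring controls above can be exercised on a handful of session records. The following is an added example, not code from this article or from any PAM product: it parses constructed gateway log lines in which every `root` session carries the name of the person who checked it out, flags sessions that break a per-user baseline (unusual host, off-hours activity, sensitive commands, or shared-account use with no attributed user) and marks the serious ones for termination, replays one recorded session in order, and lists entitlements that are past their recertification window or show no use at all. The log format, baseline profiles, sensitive-command list, entitlement records and every sample line are assumptions made for the demonstration.

```python
"""Detection over privileged-session logs: attribute shared-account use to a
named person, flag unusual behaviour, replay a session, and list entitlements
due for recertification. Added example, not the article's code; the log
format, baseline, entitlements and all sample data are constructed.
"""
import re
from datetime import date, datetime

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed records from a hypothetical PAM gateway. Sessions s1-s3 were
# checked out by a named user; s4 reached root without going through checkout.
LOGS = """\
2024-03-04T09:12:05Z session=s1 user=alice account=root host=db01 src=10.0.5.20 cmd="systemctl restart postgresql"
2024-03-04T09:12:40Z session=s1 user=alice account=root host=db01 src=10.0.5.20 cmd="tail -n 50 /var/log/postgresql.log"
2024-03-04T23:47:10Z session=s2 user=bob account=root host=web01 src=10.0.5.20 cmd="cat /etc/shadow"
2024-03-04T23:47:55Z session=s2 user=bob account=root host=web01 src=10.0.5.20 cmd="useradd -o -u 0 support"
2024-03-05T10:05:00Z session=s3 user=alice account=root host=web03 src=10.0.5.20 cmd="id"
2024-03-05T10:30:00Z session=s4 account=root host=db01 src=10.0.8.9 cmd="ls /root"
"""

# Per-user baseline: hosts they normally administer and working hours (UTC).
BASELINE = {
    "alice": {"hosts": {"db01", "db02"}, "hours": range(7, 20)},
    "bob": {"hosts": {"web01", "web02"}, "hours": range(7, 20)},
}

SENSITIVE = ("cat /etc/shadow", "useradd ", "usermod ", "visudo", "chmod 4", "setcap ", "crontab ")

ENTITLEMENTS = [  # constructed access records with the date each was last reviewed
    {"user": "alice", "account": "root", "hosts": "db*", "last_certified": "2024-01-10"},
    {"user": "bob", "account": "root", "hosts": "web*", "last_certified": "2023-10-01"},
    {"user": "carol", "account": "root", "hosts": "web*", "last_certified": "2023-11-20"},
]


def parse(text):
    """Turn 'ts key=value key="quoted value"' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
        for key, quoted, bare in _KV.findall(rest):
            event[key] = quoted if quoted else bare
        events.append(event)
    return events


def analyse(events, baseline):
    """One alert per suspicious event; critical ones carry a terminate action."""
    alerts = []
    for ev in events:
        reasons, user = [], ev.get("user")
        if user is None:
            reasons.append(f"unattributed use of shared account {ev['account']}")
        else:
            profile = baseline.get(user, {"hosts": set(), "hours": range(0)})
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"unusual host {ev['host']} for {user}")
            if ev["ts"].hour not in profile["hours"]:
                reasons.append(f"off-hours activity at {ev['ts']:%H:%M}Z")
        if any(s in ev["cmd"] for s in SENSITIVE):
            reasons.append(f"sensitive command: {ev['cmd']}")
        if reasons:
            critical = user is None or any(r.startswith("sensitive") for r in reasons)
            alerts.append({"session": ev["session"], "user": user or "<unattributed>",
                           "reasons": reasons, "action": "terminate_session" if critical else "notify"})
    return alerts


def playback(events, session):
    """Replay one recorded session in order as (time, who, command)."""
    return [(f"{e['ts']:%H:%M:%S}", e.get("user", f"<unattributed {e['account']}>"), e["cmd"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["session"] == session]


def due_for_recertification(entitlements, events, today, max_age_days=90):
    """Entitlements reviewed too long ago, plus any with no recorded use at all."""
    today, active = date.fromisoformat(today), {e["user"] for e in events if "user" in e}
    due = []
    for ent in entitlements:
        age = (today - date.fromisoformat(ent["last_certified"])).days
        reasons = [f"last certified {age} days ago"] if age > max_age_days else []
        if ent["user"] not in active:
            reasons.append("no recorded privileged activity")
        if reasons:
            due.append((ent["user"], reasons))
    return due


if __name__ == "__main__":
    events = parse(LOGS)
    for alert in analyse(events, BASELINE):
        print(alert["action"], alert["session"], alert["user"], "; ".join(alert["reasons"]))
    print(playback(events, "s2"))
    print(due_for_recertification(ENTITLEMENTS, events, "2024-03-05"))
```

On the sample data the two off-hours `root` commands by bob and the unattributed s4 session are marked for termination, alice's visit to an unfamiliar host only raises a notification, and bob's and carol's root entitlements come up for recertification (carol's additionally because it has never been exercised in the recorded period). The attribution only works because the gateway stamps `user=` on every record; a log line that carries the shared account alone is itself a finding.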