In a time of rapid digital transformation, many organizations struggle to manage privileged accounts. To strictly control, protect, monitor, and manage them, such companies use Privileged Account Management (PAM). PAM grants users privileges only on the systems for which they are authorized, manages access to systems centrally, and eliminates local system passwords for privileged users. In addition, PAM creates an unalterable audit trail for every privileged operation and may track user activity down to command-level detection.

PATECCO provides consulting on the implementation of PAM solutions into customers’ infrastructure, especially in the banking and telecommunications sectors. The two main components of its PAM projects are password management and session management. Password management covers different types of accounts, such as privileged (administrative) accounts, shared accounts, administrator, root, QSECOFR, emergency accounts, technical accounts (used only for machine-to-machine communication), etc.

For example, shared and emergency accounts are, in general, highly privileged accounts. They differ in the approval workflow required to obtain the corresponding password: the use of shared accounts can be planned, whereas emergency accounts need a faster workflow. The problem with shared accounts is that without PAM it is not clear who uses the account and at what time. With PAM, companies can make sure that only one person can use such an account for a predefined time. This is stored in an activity log, and after that person has finished using the account (checking it in), the password is changed by PAM. This process is called the “break glass” scenario.
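To make the check-out workflow described above concrete, here is an added Python model (not PATECCO’s code or any vendor’s PAM product) of a vault that enforces exclusive use for a predefined lease, keeps an append-only activity log and rotates the password on check-in; it also rotates the password when a lease expires without a check-in, which goes slightly beyond the text. The class and method names are assumptions.

```python
"""Model of the PAM check-out / check-in workflow for a shared or emergency
account: one approved person, a predefined lease, an append-only activity
log, and a password rotation as soon as the account is checked in."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SharedAccount:
    name: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    holder: Optional[str] = None      # who currently has the account checked out
    lease_end: float = 0.0            # epoch seconds; 0 means not checked out


class BreakGlassVault:
    def __init__(self, accounts, lease_seconds=3600):
        self.accounts = {a.name: a for a in accounts}
        self.lease_seconds = lease_seconds
        self.audit = []               # append-only activity log: who, what, when

    def _log(self, event, account, user, now):
        self.audit.append({"ts": now, "event": event, "account": account, "user": user})

    def checkout(self, account, user, now, approved=False):
        """Hand the password to one approved person for a limited time."""
        acct = self.accounts[account]
        if not approved:              # approval workflow (planned or emergency) not done
            self._log("denied_no_approval", account, user, now)
            raise PermissionError("approval workflow not completed")
        if acct.holder is not None and now < acct.lease_end:
            self._log("denied_in_use", account, user, now)   # exclusive use enforced
            raise PermissionError(f"{account} is checked out by {acct.holder}")
        if acct.holder is not None:   # lease ran out without check-in: rotate anyway
            acct.password = secrets.token_urlsafe(24)
        acct.holder, acct.lease_end = user, now + self.lease_seconds
        self._log("checkout", account, user, now)
        return acct.password

    def checkin(self, account, user, now):
        """Return the account; PAM rotates the password so the handed-out one dies."""
        acct = self.accounts[account]
        if acct.holder != user:
            raise PermissionError("only the current holder may check in")
        acct.password = secrets.token_urlsafe(24)
        acct.holder, acct.lease_end = None, 0.0
        self._log("checkin_rotated", account, user, now)
```

The audit list is the evidence for “who used this account, and when”; in a real deployment it would be written to a store the account holders cannot modify.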

With regard to session management, all gathered data (session files and some activity logs) is stored securely (encrypted), and access to it is possible only under the “four-eyes principle”. Guideline and process documents are designed and agreed with the works council, the data security officer and the other people involved in compliance processes.

Over the past 3 years, PATECCO has developed strong skills in implementing PAM solutions, describing and designing the necessary processes, and connecting systems to these solutions. Its IT consulting team can offer best practices in the following functional PAM subsets:

1. Identity Consolidation

  • Consolidating UNIX, Linux and LDAP identities under a single unique ID in Active Directory for centralized identity, role and privilege management and Kerberos-based authentication
  • Deleting or disabling as many privileged accounts as possible to reduce the attack surface

2. Privileged Access Request

  • Establishing a solution (tool) that supports workflow-based privileged access request across both SUPM and SAPM components for stronger security, governance, and compliance

3. Super User Privilege Management (SUPM)

  • Minimizing the number of shared accounts and reducing or disabling privileged accounts. Using host-based SUPM for least-privilege login with a unique ID and explicit privilege elevation wherever possible, and using SAPM for accounts where SUPM cannot be used as the EXCEPTION, not the RULE.

4. Shared Account Password Management (SAPM)

  • Data breach mitigation is most effective when the attack surface is reduced: bring the number of privileged accounts as close to zero as possible and use SAPM only for emergency login scenarios such as “break glass”.

5. Application to Application Password Management (AAPM)

  • Replacing plain-text passwords embedded in scripts with an API call to the company’s SAPM service, for better security and reduced IT administrative overhead

Having introduced PATECCO’s best practices in Privileged Account Management, it is time to summarise the main goals of its PAM projects: to demonstrate PAM capabilities that give privileged users efficient and secure access to the systems they manage, and to ensure that audit and compliance requirements are met.