
Which Are the Best Practices in Privileged Access Management?

Abused privileges and stolen credentials are widely seen as the main cause of data breaches. The reason is that many companies do not track how their employees use shared privileged credentials and do not monitor privileged users. These risks can be reduced through effective privileged access management (PAM). PAM is a set of policies and processes for assigning, controlling, and monitoring administrator-level privileges, and it should be a major focus for security and IT management looking to mitigate the risks of data breaches and insider risks.

Why do companies need strict access control?

As mentioned above, compromised credentials are the main cause of the vast majority of security breaches. Attackers cannot easily bypass modern security mechanisms, so they instead steal credentials to get into the network. Typically an attacker first gains low-level access and then works towards privileged credentials, which allow them to steal data, disable systems, and cover their tracks.

When it comes to controlling access to a company’s cloud workloads, big data projects and network devices, experience shows that most enterprises are not doing enough to address modern security concerns. Today’s environment is very different from the time when all privileged access was confined to systems and resources inside the network. Privileged access management not only covers infrastructure, databases and network devices, but extends to cloud environments, big data, DevOps, containers and more.

Basically, PAM is a collection of practices, policies and technologies that protect administrative or “privileged” access to the back ends of critical systems. Privileged users operate privileged accounts, which authorize them to set up, configure, reconfigure or delete systems, servers, databases and storage volumes. Privileged users are necessary for the proper functioning of IT departments, but these capabilities make them very attractive targets for hackers. Some of the worst data breaches in recent times resulted from the abuse of privileged accounts and the impersonation of privileged user identities. Protecting privileged credentials is therefore a major goal of cyber security policy and security operations.

PAM Best Practices

Some companies still use spreadsheets and common sense to manage privileged accounts, but this is no longer a viable or efficient approach. Such companies should take PAM seriously and integrate a PAM solution into their Identity and Access Management system. Below is a set of PATECCO privileged access best practices which all organizations should follow:

1. Identity Consolidation

The management of privileged identities and their access to critical systems only makes sense if all identities that are to be managed are unambiguously recorded in the context of an initial survey. For this reason, PATECCO recommends starting a PAM project with an analysis, cleansing and consolidation of existing identities, roles, permissions, and local accounts across all, especially heterogeneous, resources.

Only once a uniform and unambiguous inventory of all these identities is guaranteed can the next step, addressing privileged access, be taken meaningfully. Specifically, this means that every identity can log into the system in a personalized manner, so that authorizations can then be granted to this unique identity even in administrative systems.

Based on PATECCO’s project experience, the best practice is to use Active Directory to consolidate UNIX, Linux, and LDAP identities under a single, unique ID for centralized identity, role, and permission management and for Kerberos-based authentication.

2. Privileged Access Request

The central challenge for any privileged access management system is the use of a (minimum) four-eyes principle that uniquely identifies the requestor and the approver and enables traceability. A workflow-based request and approval mechanism for privileged access is usually used for this purpose.

Access to and use of privileged accounts is a key focus for regulators in many industries, but access to critical corporate resources should also be controlled, documented, and monitored in every other organization to improve security, governance, and compliance.

3. Super User Privilege Management (SUPM)

PATECCO calls the ability to enable a “least privilege” access model for authorized users via privilege elevation tools Super User Privilege Management (SUPM). The aim of this procedure is to assign only the minimum set of authorizations at session runtime. An interactive session starts with as few authorizations as possible and is only elevated when required. In particular, the aim is to avoid the need to access shared accounts by changing the authorization model.

For this, PATECCO combines SUPM with Identity Consolidation in Active Directory. This provides further administrative advantages, since roles and authorizations for administrative users can be managed centrally. In addition, global changes can be made quickly and consistently across Windows, Linux and UNIX.

4. Shared Account Password Management (SAPM)

When implementing PAM projects, PATECCO puts great emphasis on protecting the assets of the respective organization. Shared accounts should be avoided by design, because reducing the attack surface is the most effective way to contain data protection violations.

The aim is therefore to reduce the number of privileged accounts as close to zero as possible and to use SAPM only for emergency login scenarios such as “break glass”. This applies to legacy and emergency scenarios in which privilege elevation cannot sensibly be implemented and in which direct logon as an administrator (for example, root) must be allowed in exceptional cases.

5. Application to Application Password Management (AAPM)

A key design deficiency in programs that require automated access to critical systems (such as provisioning systems or other programs that use service accounts) is the use of hard-coded credentials in application code, scripts, and configuration files. AAPM tools address this by providing a mechanism (typically an API) that makes credentials available on demand from a secure password vault. During a PAM project, PATECCO supports implementing AAPM as an extension of the SAPM tools. This helps in managing the accounts that applications or systems use to communicate with other applications or systems (such as databases, web services etc.).

By implementing PAM capabilities and following PAM best practices, privileged users get efficient and secure access to the systems they manage, while organizations can monitor all privileged users across all relevant systems. PATECCO helps ensure that audit and compliance requirements are met and can support the implementation of privacy policies that adhere to regulatory and legal requirements, e.g. the EU GDPR.

PATECCO’s Best Practices For Securing Privileged Accounts

In a time of rapid digital transformation, many organizations face challenges managing privileged accounts. To strictly control, protect, monitor, and manage them, such companies use Privileged Account Management (PAM). It grants users privileges only on the systems for which they are authorized, centrally manages access across systems and eliminates local system passwords for privileged users. In addition, PAM creates an unalterable audit trail for every privileged operation and can track user activity down to the level of individual commands.

PATECCO provides consulting on implementing PAM solutions in customers’ infrastructure, especially in the banking and telecommunications sectors. The two main components of its PAM projects are password management and session management. Password management covers different types of accounts, such as privileged (administrative) accounts, shared accounts, Administrator, root, QSECOFR, emergency accounts, technical accounts (only used for machine-to-machine communication), etc.

For example, shared and emergency accounts are in general highly privileged accounts. They differ in the approval workflow used to obtain the corresponding password: the use of shared accounts can be planned, whereas emergency accounts need a faster workflow. The problem with shared accounts is that without PAM it is not clear who uses the account and when. With PAM, a company can make sure that only one person can use such an account for a predefined time. This is recorded in an activity log, and after that person has finished with the account (checking it in), the password is changed by PAM. This process is called the “break glass” scenario.
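The check-out/check-in process described above, as an added example that is not PATECCO’s product code: a minimal model of the shared-account “break glass” workflow (exclusive, time-limited check-out of a shared privileged account, an activity log, and password rotation at check-in), combined with the four-eyes principle from the Privileged Access Request section, where requester and approver must be two different, identified people. Account names, user names, the lease duration and the injectable clock are assumptions made for illustration.

```python
"""Added example, not PATECCO's product code: a minimal model of the shared-account
"break glass" workflow. One identified person checks out a shared privileged
account for a limited time after a second, different person approves; every step
is written to an activity log; on check-in the password is rotated so the value
that was handed out is no longer valid. Names, lease length and the clock are
constructed for illustration."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


def new_password(length: int = 24) -> str:
    """Generate a random password from a CSPRNG; the vault owns this value."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class SharedAccount:
    name: str
    password: str = field(default_factory=new_password)
    holder: Optional[str] = None            # person currently holding the password
    expires_at: Optional[datetime] = None   # end of the predefined usage window


class BreakGlassVault:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._accounts: Dict[str, SharedAccount] = {}
        self.audit_log: List[dict] = []
        # Injectable clock so the usage window can be tested deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def register(self, name: str) -> None:
        self._accounts[name] = SharedAccount(name)

    def _log(self, event: str, **fields) -> None:
        # Every step is recorded: what happened, when, to which account, by whom.
        self.audit_log.append({"time": self._clock().isoformat(), "event": event, **fields})

    def checkout(self, account: str, requester: str, approver: str, minutes: int = 30) -> str:
        """Hand the password to exactly one identified person for a limited time."""
        if requester == approver:
            self._log("checkout_denied", account=account, requester=requester, reason="self-approval")
            raise PermissionError("four-eyes principle: approver must differ from requester")
        acct = self._accounts[account]
        now = self._clock()
        if acct.holder is not None and acct.expires_at is not None and acct.expires_at > now:
            self._log("checkout_denied", account=account, requester=requester,
                      reason="in use by " + acct.holder)
            raise RuntimeError(f"{account} is checked out by {acct.holder} until {acct.expires_at.isoformat()}")
        if acct.holder is not None:
            # The previous window elapsed without a check-in: rotate before reuse so
            # the old holder's copy of the password is no longer valid.
            self._log("lease_expired", account=account, holder=acct.holder)
            acct.password = new_password()
        acct.holder = requester
        acct.expires_at = now + timedelta(minutes=minutes)
        self._log("checkout", account=account, requester=requester, approver=approver,
                  expires_at=acct.expires_at.isoformat())
        return acct.password

    def checkin(self, account: str, user: str) -> bool:
        """Release the account and rotate its password; returns True if rotated."""
        acct = self._accounts[account]
        if acct.holder != user:
            self._log("checkin_denied", account=account, user=user)
            raise PermissionError(f"{user} does not hold {account}")
        old = acct.password
        acct.password = new_password()
        acct.holder, acct.expires_at = None, None
        self._log("checkin_rotated", account=account, user=user)
        return acct.password != old

    def current_holder(self, account: str) -> Optional[str]:
        return self._accounts[account].holder


if __name__ == "__main__":
    vault = BreakGlassVault()
    vault.register("root@db01")
    pw = vault.checkout("root@db01", requester="alice", approver="bob", minutes=15)
    print("alice received a password of length", len(pw))
    vault.checkin("root@db01", "alice")
    for entry in vault.audit_log:
        print(entry)
```

The activity log is the part an auditor actually reads: it shows who requested the account, who approved it, and that the password was rotated when the window closed, which is exactly the information that is missing when a shared account is used without PAM.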

With regard to session management, it is ensured that all data gathered (session recordings and activity logs) is stored securely (encrypted) and that access to it is only possible under the four-eyes principle. Guideline and process documents are designed and agreed with the works council, the data protection officer and other people involved in compliance processes.

For the past 3 years, PATECCO has developed strong skills in implementing PAM solutions, describing and designing the necessary processes, and connecting systems to these solutions. Its IT consulting team can offer best practices in the following functional PAM subsets:

1. Identity Consolidation

  • Consolidating UNIX, Linux and LDAP identities under a single unique ID in Active Directory for centralized identity, role, and privilege management and Kerberos-based authentication
  • Deleting or disabling as many privileged accounts as possible to reduce the attack surface

2. Privileged Access Request

  • Establishing a solution (tool) that supports workflow-based privileged access request across both SUPM and SAPM components for stronger security, governance, and compliance

3. Super User Privilege Management (SUPM)

  • Minimizing the number of shared accounts and reducing or disabling privileged accounts. Using host-based SUPM for least-privilege login with a unique ID and explicit privilege elevation wherever possible, and using SAPM only for accounts where SUPM cannot be used, as the EXCEPTION, not the RULE.

4. Shared Account Password Management (SAPM)

  • Data breach mitigation is most effective when reducing the attack surface — reducing the number of privileged accounts as close to zero as possible and only using SAPM for emergency login scenarios such as “break glass”.

5. Application to Application Password Management (AAPM)

  • Replacing plain text passwords embedded in scripts with an API call to a company’s SAPM service for better security and reduced IT administrative overhead
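The AAPM practice described in section 5 above and in this summary bullet, as an added example that is neither PATECCO’s nor any vendor’s product code: a script with an embedded plain-text password (the anti-pattern) beside a script that fetches the credential at run time from a password vault through an API. The `VaultClient` class is a constructed stand-in for a real SAPM/AAPM service, `find_embedded_credentials` is a simple heuristic for locating embedded credentials in scripts before they are migrated, and all hosts, user names, tokens and secret paths are made up.

```python
"""Added example, not PATECCO's or any vendor's product code: the AAPM pattern.
A script with an embedded plain-text password is contrasted with one that asks a
password vault for the credential at run time. VaultClient is a constructed
stand-in for a real SAPM/AAPM API; the scanner is a heuristic, not a product
feature; hosts, users, tokens and secret paths are made up."""
import os
import re
from typing import Dict, List, Tuple

# Constructed "before" script: the credential lives in the file itself.
LEGACY_SCRIPT = '''
DB_HOST = "db01.example.internal"
DB_USER = "svc_billing"
DB_PASSWORD = "Summer2019!"
conn = connect(DB_HOST, DB_USER, DB_PASSWORD)
'''

# Constructed "after" script: only a reference to the secret is in the file.
AAPM_SCRIPT = '''
DB_HOST = "db01.example.internal"
DB_USER = "svc_billing"
DB_PASSWORD = vault.get_secret(APP_TOKEN, "db/billing/svc_billing")
conn = connect(DB_HOST, DB_USER, DB_PASSWORD)
'''

# Heuristic: a quoted literal assigned to a name that looks like a secret.
_SECRET_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*["\']([^"\']{4,})["\']'
)


def find_embedded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line number, matched key name) for each quoted secret literal.
    The value itself is deliberately not returned, so reports do not leak it."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


class VaultClient:
    """Constructed stand-in for a SAPM/AAPM vault API. A real service would
    authenticate the calling application (machine identity, certificate or a
    per-application token), return the credential on demand and log the access."""

    def __init__(self, secrets_by_path: Dict[str, str], app_token: str):
        self._secrets = secrets_by_path
        self._app_token = app_token
        self.access_log: List[dict] = []

    def get_secret(self, app_token: str, secret_path: str) -> str:
        granted = app_token == self._app_token and secret_path in self._secrets
        # Every request, granted or not, is logged for audit.
        self.access_log.append({"path": secret_path, "granted": granted})
        if not granted:
            raise PermissionError("application not authorised to read " + secret_path)
        return self._secrets[secret_path]


def build_connection_params(vault: VaultClient, app_token: str,
                            host: str, user: str, secret_path: str) -> Dict[str, str]:
    """AAPM: the application asks the vault for the password at run time; no
    secret is written into code or configuration files."""
    password = vault.get_secret(app_token, secret_path)
    return {"host": host, "user": user, "password": password}


if __name__ == "__main__":
    for name, script in (("legacy", LEGACY_SCRIPT), ("aapm", AAPM_SCRIPT)):
        print(name, "embedded credentials:", find_embedded_credentials(script))
    # The application token is supplied by the platform (here an env var), not by the code.
    token = os.environ.get("APP_VAULT_TOKEN", "demo-token")
    vault = VaultClient({"db/billing/svc_billing": "vault-managed-value"}, app_token="demo-token")
    params = build_connection_params(vault, token, "db01.example.internal",
                                     "svc_billing", "db/billing/svc_billing")
    print("connection parameters obtained for", params["user"], "at", params["host"])
    print("vault access log:", vault.access_log)
```

The scanner reports the legacy script’s password line and nothing for the vault-backed script; the vault records every request, so the access log becomes the audit trail for the technical account, and rotating the password in the vault no longer requires editing any script.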

After introducing PATECCO’s best practices in Privileged Account Management, it’s time to summarise the main goals of its PAM projects: to demonstrate PAM capabilities allowing privileged users to have efficient and secure access to the systems they manage, and ensuring that audit and compliance requirements are met.