The digital world often faces problems of abused privileges or stolen credentials which are seen as the main cause of data breaches. The reason is that many companies do not track how their employees use shared privileged credentials and do not engage in privileged user monitoring. These risks can be reduced through effective privileged access management (PAM). PAM is a set of policies and processes for assigning, controlling, and monitoring administrator-level privileges and should be a major focus for Security and IT management who are looking to mitigate the risks of data breaches and insider risks.

Why companies need strict access control?

As mentioned above compromised credentials are a main cause the vast majority of security breaches. Attackers cannot easily get around modern security mechanisms, so they find a way out and steal credentials by getting into the network. Usually, an attacker aims to get privileged credentials through the network by gaining low-level access to steal data, disable systems, and cover their tracks.

When it comes to controlling access to a company’s cloud workloads, big data projects and network devices, the practice shows that most enterprises are not doing enough to address modern security concerns. Today’s environment is much different than when all privileged access was constrained to systems and resources inside the network. Privileged access management not only covers infrastructure, databases and network devices, but is extended to cloud environments, big data, DevOps, containers and more.

Basically, PAM includes a collection of practices, policies and technologies that protect administrative or “privileged” access to the back ends of critical systems. Privileged users operate privileged accounts, where they are authorized to set up, configure, reconfigure or delete systems, servers, databases and storage volumes.  Privileged users are necessary for the proper functioning of the IT departments, but their features makes them very attractive targets for hackers. Some of the worst data breaches in recent times were a result from the abuse of privileged accounts and the impersonation of privileged user identities. Protecting privileged credentials is a major goal of cyber security policy and security operations.

PAM Best Practices

There are companies still using spreadsheets and common sense to manage privileged accounts, but this is no longer a viable and efficient approach.  Such companies should take PAM seriously and to integrate that solution within their Identity and Access Management system. Below is presented a set of PATECCO privileged access best practices which all organizations should follow:

1. Identity Consolidation

The management of privileged identities and their access to critical systems only makes sense if all identities that are to be managed are unambiguously recorded in the context of an initial survey. For this reason, PATECCO recommends starting a PAM project with an analysis, cleansing and consolidation of existing identities, roles, permissions, and local accounts across all, especially heterogeneous, resources.

Only if a uniform and unambiguous collection of all these identities is guaranteed, the next step can be taken meaningfully regarding the consideration of privileged access. Specifically, this means that all identities can also log into the system in a personalized manner, so that authorizations can then be granted to this unique identity even in administrative systems.

As best practices from the PATECCO project experience, an Active Directory is used to consolidate UNIX, Linux, and LDAP identities with a single, unique ID for centralized identity, role, and permission management and for Kerberos-based authentication

2. Privileged Access Request

The central challenge for any privileged access management system is the use of a (minimum) four-eyes principle that uniquely identifies the requestor and the approver and enables   traceability. A workflow-based request and approval mechanism for privileged access is usually used for this purpose.

Access to and use of privileged accounts is a key focus for regulators in many industries, but access to critical corporate resources should also be controlled, documented, and monitored in every other organization to improve security, governance, and compliance.

3. Super User Privilege Management (SUPM)

PATECCO calls the ability to enable a “least privilege” access model for authorized users via authorization extension tools SUPM, Super User Privilege Management. The aim of this procedure is to assign only the minimum set of authorizations at session runtime. An interactive session starts with as few authorizations as possible and is only elevated when required. In particular, the aim is to avoid the necessity of accessing shared accounts through a modified authorization model.

For this PATECCO uses the combination with Identity Consolidation in Active Directory. This provides further administrative advantages so that roles and authorizations for administrative users can be managed centrally. In addition, global changes can be made quickly and consistently under Windows, Linux and UNIX.

4. Shared Account Password Management (SAPM)

When implementing PAM projects, PATECCO puts great emphasis on the protection of the assets of the respective organization. Shared accounts ought to be prevented conceptually, because the containment of data protection violations is most effective if the attack surface can be reduced.

The aim is therefore to reduce the number of privileged accounts as far as possible towards zero and to use SAPM only for emergency login scenarios such as “Break Glass”. This applies to legacy and emergency scenarios in which privilege elevation cannot be reached sensibly and in which direct logon as administrator (for example, root) must be allowed in exceptional cases.

5. Application to Application Password Management (AAPM)

A key design deficiency in programs that require automated access to critical systems (such as provisioning systems or other programs that use service accounts) is the use of hard-coded credentials in application code, scripts, and other configuration files. AAPM tools provide a workaround by providing a mechanism (typically APIs) to make credentials securely available on demand by accessing a secure password vault. PATECCO supports during the execution of a PAM project in implementing AAPM as an extension of the SAPM tools. This helps in managing accounts used by applications or systems to communicate with other applications or systems (such as databases, web services etc.).

By implementing PAM capabilities and following PAM best practices, privileged users have efficient and secure access to the systems they manage, while organizations can monitor all privileged users for all relevant systems. PATECCO supports in ensuring that audit and compliance requirements are met and can support in implementing privacy policies adherent to regulatory and legal requirements, e.g. EU-GDPR.