The Journey To Universal Privilege Management
Karl Lankford, Director, Solutions Engineering, BeyondTrust, shares insights on why a comprehensive PAM solution that goes beyond privileged password management is essential for modern cybersecurity defence.
Almost without exception, today’s threat actors leverage readily available automated tools. Automation increases the speed and probability with which an attacker can find and exploit the initial weak link that gives them a “hook” into an environment.
The good news is that organisations increasingly recognise that to maintain a level playing field, they need automation and purpose-built solutions to protect privileges, and PAM has become a cornerstone of an effective, modern cybersecurity defence. The bad news is that many organisations mistakenly presume that privileged password management alone will solve the problem, when it’s only one part of a necessary, comprehensive PAM solution.
Universal Privilege Management (UPM)
The Universal Privilege Management model allows enterprises to start with the PAM use cases that are most urgent to the organisation, and then seamlessly address remaining use cases over time. Each use case, once addressed, will give enhanced control and accountability over the accounts, assets, users, systems, and activities that comprise the privilege environment, while eliminating and mitigating multiple threat vectors. The more use cases that are addressed, the more PAM synergies emerge, and the more impact organisations will realise in reducing enterprise risk and improving operations.
So, here are the 10 use cases on your journey to UPM.
Although not mandatory, many organisations find that discovering and securing privileged accounts is the logical starting point for improving privilege security controls. This demands a privileged credential management solution that automatically discovers and onboards the ever-expanding list of privileged account and credential types and brings them under management within a centralised password safe. This includes both human (employee, vendor) and non-human (functional, service, application, software robot, etc.) accounts in the environment.
The solution should allow control over which accounts are being shared, by whom, when, where, and why. It should provide mechanisms to find hardcoded credentials and deliver options to replace them with managed credentials. Critically, the solution should monitor, manage, and audit every privileged session regardless of where it originates.
Least privilege on desktops
Another important step to achieving Universal Privilege Management is implementing least privilege on end-user machines. Least privilege is defined as, “the minimum privileges/rights/access necessary for the user or process to be fully productive.”
With a least-privilege approach, users receive permissions only to the systems, applications, and data they need for their current roles. Rather than being enabled, persistent, and always-on, the privileges are only elevated on an as-needed basis and only for the targeted application or process. This is the basis for a just-in-time (JIT) PAM model.
Least privilege on servers
Having superuser status is important for administrators and some authorised users to do their jobs. Unfortunately, this practice also presents significant security risks from intentional, accidental, or indirect misuse of those privileged credentials.
Organisations must limit, control, and audit who has access to superuser accounts and privileges, without impairing productivity. They must be able to efficiently and effectively delegate server privileges without disclosing the passwords for root, local, or domain administrator accounts, and they should record all privileged sessions to help meet regulatory compliance. This is conceptually similar to the removal of administrative rights on desktops, but with the added requirement of supporting server-class operating systems in Tier-1 regulated environments.
Application control is essential to preventing advanced malware attacks, such as ransomware. Whitelisting, blacklisting, and greylisting offer application control strategies that enable organisations to restrict applications to only those approved to execute, with the correct privileges, within the appropriate context.
A related application reputation capability lets organisations make better-informed privilege elevation decisions by understanding the vulnerability of an application, or of an asset it interacts with. Applying real-time risk intelligence to privilege delegation and elevation not only stops exploits from becoming a privileged attack vector, but also blocks drive-by social engineering threats that leverage vulnerabilities within the environment. Similar to application control on Windows, command filtering on Unix and Linux is a critical security, compliance, and reliability control. For both application control and command filtering, a full audit trail of everything attempted and allowed is important.
The vast majority of remotely launched attacks come from threat actors who are not specifically targeting the organisation, but instead arrive through remote contractors, vendors, and even remote employees who have themselves been compromised.
The ideal defence is to extend PAM best practices beyond the perimeter. This ensures only the right identity has access to the right resources in the right context. It eliminates “all or nothing” remote access for vendors by implementing least-privilege access to specific systems for a defined duration of time, potentially requiring a chaperone when appropriate.
Vendor credentials should be managed through the solution with policies mandating rotation or single-use passwords, and with credential injection into sessions so that passwords are never exposed to end users.
Finally, session management and monitoring should be enforced to audit and control all vendor/remote access activity. This approach is far more secure than traditional protocol routing technologies like VPN.
Network devices and IoT
Many PAM tools lack the ability to extend granular privileged access controls to non-traditional endpoints, such as medical or industrial-connected devices and control systems.
Organisations need a solution that delivers the capability of least privilege to those endpoints by allowing fine-grained control over the commands sent and the responses received over SSH sessions. This offers the ability to control the operation of functions like tab completion, restricting access to only those aspects of the endpoint that are appropriate for the user. Administrators and vendors can be constrained within their area of responsibility without impacting their productivity.
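The command filtering with a full audit trail described for Unix/Linux and for SSH sessions to network devices can be illustrated with a small policy evaluator. This is an added example, not BeyondTrust code: the role-to-allowlist policy format, the roles and the commands are constructed assumptions, and every attempt is logged whether it is allowed or not.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed policy for illustration (not a BeyondTrust policy format):
# role -> list of allowed argv patterns. Each element is a regex matched
# against the whole corresponding token; "*" accepts any remaining tokens.
POLICY = {
    "netops": [
        ["show", r"(interfaces|version|running-config)"],
        ["ping", r"\d{1,3}(\.\d{1,3}){3}"],
        ["clear", "counters", "*"],
    ],
    "vendor": [["show", "version"]],
}

# Operators that chain, substitute or redirect: a filter that inspects only
# argv would be bypassed by "show version; reload", so reject them outright.
CONTROL_CHARS = re.compile(r"[;&|`$<>]|\n")


@dataclass
class CommandFilter:
    policy: dict
    audit_log: list = field(default_factory=list)  # every attempt, allowed or not

    def _matches(self, argv: list, pattern: list) -> bool:
        for i, pat in enumerate(pattern):
            if pat == "*":
                return True
            if i >= len(argv) or not re.fullmatch(pat, argv[i]):
                return False
        return len(argv) == len(pattern)  # extra trailing tokens are not allowed

    def check(self, user: str, role: str, command: str) -> bool:
        """Return True if the command may be forwarded to the device; log either way."""
        allowed, reason = False, "no allow rule matched"
        if CONTROL_CHARS.search(command):
            reason = "shell control operator rejected"
        else:
            try:
                argv = shlex.split(command)
            except ValueError:  # e.g. unbalanced quotes
                argv = []
            if not argv:
                reason = "empty or unparseable command"
            elif any(self._matches(argv, p) for p in self.policy.get(role, [])):
                allowed, reason = True, "allow rule matched"
        self.audit_log.append({"user": user, "role": role, "command": command,
                               "allowed": allowed, "reason": reason})
        return allowed
```

The audit log records denied attempts with the reason, which is the evidence a reviewer needs when a vendor session strays outside its area of responsibility.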
Cloud and virtualisation
With the accelerated use of virtualised data centres and cloud environments for processing, storage, application hosting and development, organisations have opened new avenues for threat actors to access sensitive data and cause disruption.
From a privileged access management perspective, the options for securing these assets are similar to those for traditional desktops and servers described earlier. However, a few privileged security use cases are unique to the cloud:
- Utilise a password management solution to manage the passwords and keys that are unique to the cloud environment, like the hypervisor, APIs, and management consoles.
- Implement a PAM solution with session monitoring for all administrative or root access into cloud providers, regardless of whether they are SaaS, PaaS, or IaaS-based.
- When performing RPA or variations on DevOps, utilise a password management solution or secrets store to protect application-to-application secrets used in the cloud.
DevOps and DevSecOps
DevOps delivers condensed development and deployment cycles through automation, frequently leveraging the scale of the cloud. The downside is that DevOps processes can also “automate insecurity,” creating massive risks as well as compliance and operational gaps.
The right solution can discover all privileged automation accounts (including those for CI/CD tools, service accounts, RPA, etc.) and replace the embedded credentials with trusted API calls. The automatic retrieval and injection of the proper tool credentials helps protect developers, operations teams, and applications from attacks when privileged accounts are used for automation.
Privileged account integration
Modern PAM solutions must communicate with the rest of the IT security environment. By unifying privileged access management and other IT and security management solutions, IT teams benefit from a single, contextual lens through which to view and address risk by activity, asset, user, identity, and privilege.
Identity Access Management (IAM) integration
Access to an organisation’s resources is ideally managed through an IAM solution, which offers capabilities such as single sign-on, user provisioning/deprovisioning, role-based user management, access control, and governance. But managing a heterogeneous environment that contains silos for Unix, Linux and macOS, plus a Microsoft or cloud environment, leads to inconsistent administration for IT, unnecessary complexity for end users, and a vast sprawl of alias accounts.
The ideal solution is to centralise identity management and authentication and provide single sign-on across Windows, Unix, Linux, and macOS environments by extending a directory store like Microsoft’s Active Directory with single sign-on capabilities to non-Windows platforms.
By evolving PAM capabilities using this UPM model, organisations will not only reduce the threat surface, eliminate security gaps, improve response capabilities, and ease compliance, but will also deter many attackers, who are still largely opportunistic in seeking to exploit the easiest prey.