Privileged Access Management, Privileged Account Management, Privileged User Management or Privileged Identity Management. They all refer to the same thing. That is, the management of elevated or privileged accounts such as administrator accounts within the organisation’s ICT systems. Restricting Administrative Privileges is listed as the 4th most important strategy to mitigate cyber intrusion on the Australian Signals Directorate (ASD) (aka. Defence Signals Directorate) publication “Strategies to Mitigate Defence Cyber Intrusions“.
Privileged accounts, by their very nature have elevated access to an organisations ICT systems and data, and are often thought of as holding the keys to the ICT kingdom. The development of PAM solutions has been driven by the recent explosion in abuse of privileged accounts and vulnerabilities in Windows platform such as Pass-the-Hash attacks (as described here by the Microsoft security team), and a realisation that better management could reduce the exposure to these attacks or as a minimum provide the tools to manage the damage an intrusion may cause.
Many of the recent high-profile corporate hacks have used privileged accounts to access systems and the data stored on them. An interesting recent case was the attack on Target that occurred in November 2013 in the United States where hackers were able to use Administrator accounts to install malware and download credit card and secure information for over 41 million customers. Privileged accounts have access to the most secure information on a corporate network. Gaining access through these accounts provides an open door to the internal network. In the case with Target, the use of default or simple passwords by administrators provided an easy method for the hackers to move around in the network.
Identity Management is the new firewall against these types of intrusions. Managing who can access what and when is critical to shoring up the barriers against unwanted intruders and introducing adherence to strict policies for passwords and limiting a user’s access to data. While Identity Management solutions can manage Privileged accounts, typically we see these accounts are treated as exceptions and managed separately, more often on a manual basis.
Managing Privileged Accounts is the domain of more specialised tools that provide management, monitoring and forensic capability to not only control the what and when of an administrator, but track their activity as well.
All Privileged Account Management tools have strong capability in Windows environments, many of them will add further features for Linux or Unix environments. Some of the core capabilities we look for in these tools include:
- Management and automatic rotation of passwords. This ensures only the authorized admins and programs can access high-risk environments.
- Least privileged access. Where Admins administer with minimal rights, then escalate privileges as required.
- Centralized reporting and analytics. This allows the review of privileged access in a single place. – which of course assists with triage.
- Directory bridging. Unifying infrastructure – providing Linux & z/OS an avenue to be managed by the Enterprise Directory.
- Auditing and protection. This creates irrefutable and tamper-proof evidence for sensitive system access.
This is not a “One Size Fits All” solution though. With the wide range of features and solutions offered by vendors, approaching the need for a Privileged Access Management solution needs to follow a planned and structured method. We recommend this approach take the following steps:
- Gather requirements from all Stakeholders.
- Weight the requirements from senior stakeholders based on:
Once all the requirements are prioritised, applying a weighting against the feature set of a product can reveal the ideal solution for the organisation. In some instances other factors will also influence a decision. The obvious influence is price, but other factors such as single vendor solution, ease and cost of deployment, and integration with the Identity Management Platform also have a major influence on the final decision.
In a recent engagement we looked into the selection questions for Privileged Account Management and found well over 40 key capabilities relevant to the selection of an effective PAM solution for an organisation. Whether a result of an internal breach or a directive from a recent audit, deploying an effective Privileged Account Management solution will ensure the management and behaviour of a privileged account is monitored and maintained.
Identity and Access Management is the key to keeping corporate data and assets safe, increasing employee productivity and enabling business processes. How successfully companies and governments adapt to the digital world will be determined by their approach to Identity. The deployment of scalable and repeatable platforms enable an organisation to quickly respond to the needs of their business and adapt to technology and business changes to deliver current and new services to any device. Extending this to manage Privileged accounts will ensure the security of an orgnisations data will not be compromised by poor policies placed on the critical and central accounts.