It depends! Any account credentials which are the ‘keys to the kingdom’ are privileged and a high priority for protection from attackers or accidental misuse. However, beyond IT and infrastructure access, don’t forget that privileged access management (PAM) controls can give you a consistent way of managing other types of high-risk access – whatever those risks look like for your business. This blog looks into privilege and privileged access.
Internal stakeholders, auditors, industry regulators and insurers all want to know how you're protecting your most privileged accounts and access. The concern is warranted – attackers want to find and abuse privileged access to move around your network, find ways to keep a foothold in your systems and exfiltrate data, whilst bypassing controls and evading detection.
How do we best protect privileged access, and how do we know which accounts and entitlements should count as ‘privileged’?
Historically, when you think about PAM, and some of the PAM solutions on the market, the focus has been on managing privileged IT access – the root, local admin, domain admin, etc., accounts which allow a user (or an attacker) to make changes to systems: installing or removing software, adding and removing users and permissions, changing the configuration, and disabling security or monitoring functions.
It's clear that we should manage the access to these powerful accounts, and that’s typically where a PAM programme and PAM tools start:
- Vaulting privileged accounts
- Automatically changing passwords
- Restricting use to approved business changes or incidents
- Monitoring activities performed with the accounts
- Restricting use to strongly authenticated identities (via multi-factor authentication)
Savanti works with its clients to plan and deploy PAM solutions. But before you get to a PAM tool there are some simple good hygiene practices which can reduce risks, like using separate privileged accounts to hold privileged IT entitlements rather than granting full admin rights to your standard accounts. This limits the damage, or ‘blast radius’, from attacks such as phishing or web-based malware that your day-to-day account might be exposed to.
PAM controls are in addition to good identity governance and administration (IGA) controls, such as lifecycle management (joiners, movers and leavers), regular recertification of discretionary access, and analysis and review of birthright access for a given job role. These controls aim to ensure that your users have enough access to get their job done, but also to identify and remove access which is no longer justified - in other words, to enforce the ‘principle of least privilege’.
Flagging roles or entitlements that allow sensitive or privileged access is important as it allows a risk-driven approach to be taken when approving access and recertification requests - ensuring approvers understand what they are approving, allowing additional approvals where necessary, and providing aggregate reporting on who holds privileged or risky access for how long.
What makes an entitlement, role or application access ‘privileged’ is the risk associated with that access. PAM controls are applied to the most sensitive IT access, because of the risk that access poses to organisations if misused accidentally or deliberately by an insider (or abused by an attacker). This could be IT risk of impact to services, confidentiality or integrity of data, but also the reputational risk associated with access to official social media accounts, the regulatory risk with sensitive personal or financial data or even physical risks associated with access to operational technology, machinery, building management or internet-of-things devices.
Who is responsible for this?
It’s a shared responsibility. Application owners are best informed about what their application does and the information it holds. Cyber security has the threat intelligence and the understanding of the technical controls and security posture of the underlying infrastructure, and governance, risk and compliance (GRC) departments have the regulatory implications and business risk appetite. Between them, an access strategy should be established which sets out the risks to different types of access and data, the criteria for scoring and prioritising those risks, and plans for the use of the controls available to reduce the risk to an acceptable level.
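The risk-driven flagging of entitlements described above (scoring access against categories such as service impact, data, reputational, regulatory and physical risk, then reporting who holds privileged access and for how long) and the earlier hygiene point about keeping privileged entitlements off day-to-day accounts can be sketched in a few lines. The following is an added example, not Savanti's code or any PAM tool's logic; the risk categories, weights, threshold, accounts and entitlements are all constructed for illustration.

```python
"""Added example (not Savanti's code): score entitlements for privilege so that
approvers and recertifiers see the risk behind a request, report privileged
holdings with their age, and flag day-to-day accounts carrying admin rights.

All weights, thresholds and inventory data below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Risk categories an access strategy might score against (labels are assumptions
# drawn from the categories the text lists; the weights are constructed).
RISK_WEIGHTS = {
    "service_impact": 3,  # can take services down or alter them
    "data": 3,            # confidentiality or integrity of data
    "reputational": 4,    # e.g. official social media accounts
    "regulatory": 4,      # sensitive personal or financial data
    "physical": 5,        # OT, machinery, building management, IoT
}
PRIVILEGED_THRESHOLD = 4  # constructed cut-off: a score at or above this is 'privileged'


@dataclass(frozen=True)
class Entitlement:
    name: str
    system: str
    risks: frozenset  # subset of RISK_WEIGHTS keys, rated by the application owner

    def score(self) -> int:
        return sum(RISK_WEIGHTS[r] for r in self.risks)

    def is_privileged(self) -> bool:
        return self.score() >= PRIVILEGED_THRESHOLD


@dataclass
class Account:
    name: str
    owner: str   # the human identity behind the account
    kind: str    # "standard" (day-to-day) or "privileged" (separate admin account)
    grants: dict = field(default_factory=dict)  # entitlement name -> date granted


def privileged_holdings(accounts, entitlements, today):
    """Aggregate report: who holds privileged access, via which account, and for how long."""
    by_name = {e.name: e for e in entitlements}
    rows = []
    for acct in accounts:
        for ent_name, granted in acct.grants.items():
            ent = by_name[ent_name]
            if ent.is_privileged():
                rows.append({
                    "owner": acct.owner, "account": acct.name, "kind": acct.kind,
                    "entitlement": ent.name, "score": ent.score(),
                    "days_held": (today - granted).days,
                })
    # Longest-held privileged access first: the natural recertification queue.
    return sorted(rows, key=lambda r: r["days_held"], reverse=True)


def standard_accounts_with_privilege(accounts, entitlements):
    """Hygiene check: privileged entitlements sitting on day-to-day accounts."""
    by_name = {e.name: e for e in entitlements}
    findings = []
    for acct in accounts:
        if acct.kind != "standard":
            continue
        for ent_name in acct.grants:
            if by_name[ent_name].is_privileged():
                findings.append((acct.name, ent_name))
    return sorted(findings)


# Constructed inventory (systems, names and dates are illustrative only).
ENTITLEMENTS = [
    Entitlement("domain-admin", "ad", frozenset({"service_impact", "data"})),
    Entitlement("hr-payroll-admin", "hr-app", frozenset({"data", "regulatory"})),
    Entitlement("social-publisher", "corp-social", frozenset({"reputational"})),
    Entitlement("bms-operator", "building-mgmt", frozenset({"physical"})),
    Entitlement("report-viewer", "bi-portal", frozenset({"data"})),
    Entitlement("wiki-editor", "wiki", frozenset()),
]
ACCOUNTS = [
    Account("alice", "alice", "standard",
            {"wiki-editor": date(2023, 1, 10), "report-viewer": date(2023, 3, 1)}),
    Account("alice-adm", "alice", "privileged", {"domain-admin": date(2024, 2, 1)}),
    Account("bob", "bob", "standard", {"domain-admin": date(2022, 6, 15)}),
    Account("carol", "carol", "standard", {"social-publisher": date(2024, 9, 1)}),
    Account("dave-ops", "dave", "privileged", {"bms-operator": date(2021, 11, 20)}),
]
TODAY = date(2025, 1, 1)  # fixed so the report is reproducible

if __name__ == "__main__":
    for row in privileged_holdings(ACCOUNTS, ENTITLEMENTS, TODAY):
        print(f"{row['owner']:<6} {row['account']:<10} {row['entitlement']:<17} "
              f"score={row['score']} held {row['days_held']} days")
    for acct, ent in standard_accounts_with_privilege(ACCOUNTS, ENTITLEMENTS):
        print(f"HYGIENE: standard account {acct!r} holds privileged entitlement {ent!r}")
```

Two design points are worth noting. Scoring is additive across categories, so an entitlement that touches both regulated data and service availability outranks one that touches only one; the threshold is what a GRC function would set from the risk appetite, not something identity engineering should pick alone. Also, `report-viewer` scores below the threshold here even though it touches data, which is the kind of result an application owner should be able to see and challenge during onboarding.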
Ideally, identity engineering should wrap the capabilities of the IGA and PAM tools as clearly defined services and architectural patterns, which meet the needs of the business. Providing good documentation and self-service resources empowers application owners to drive their onboarding process, getting all the benefits of IAM and PAM automation as well as compliance. Another benefit of a self-service model is that it reduces the dependency on the identity engineering team to be responsible for all onboarding - a common bottleneck in IAM and PAM projects.
As you bring more use-cases under PAM controls there is often some resistance to the change in ways of working. There is a trade-off between security and efficiency – but the additional ‘friction’ of performing activities within a PAM tool can be minimised by carefully understanding current ways of working and emphasising the benefits of using privileged access within a PAM tool: automated password management, a consistent user experience, the ability to review mistakes and of course the reduction of risk – not everyone has the criminal mindset to appreciate what damage could be done with the access they use every day!
Savanti are identity strategy and implementation experts and help their clients use identity to improve their security and operational efficiency.