‘What does good Privileged Access Management (PAM) look like?’ is the first question to answer when defining your implementation objectives.
‘Reducing the risk of credential theft and misuse’ is the headline outcome. The following objectives address key PAM use cases and provide focus on how to deliver a framework of policy and technology that will protect your key credentials.
1. Enforce the principle of Least Privilege Access Control
Giving users ‘only’ the privileges they need to do their job is Information Security 101; however, even security-conscious organisations can fail to apply this principle.
Account cloning, one account for one admin, admins with many responsibilities and nested Active Directory groups are some of the reasons that users are over-privileged. Also, every organisation has that “go-to” person who can Just Do It (avoiding officious process), because they have accumulated privileges from different roles. This privilege creep risks insiders carrying out unauthorised activity, or an attacker who has compromised an account intruding much further into the IT network.
Role-based access could be one answer, where accounts have only the privileges required to carry out a specific task. Users with wide responsibilities may need access to multiple accounts, but a good PAM technology can make this painless for the user and can separate users from accounts, removing the threat of an individual being a target for attackers.
Role-based access can also streamline your access policies, making user administration quicker and simpler to carry out.
2. Embed a process for provisioning, de-provisioning and reviewing privileged access
Consideration needs to be given to how privileged access is granted and how to ensure that it is removed once it is no longer justified.
Capable PAM solutions enable two main approaches to provisioning access. Most organisations are best served by using a combination of the two.
Just-in-time access gives users temporary use of an account to carry out a specific task. Usually, the PAM solution provides an approval workflow through which a user can submit an access request. This is the ideal solution for ensuring that users are provisioned with specific privileges and deprovisioned when they have finished their task. It is particularly well suited to third-party or occasional change-related access.
However, this approach will meet resistance from users who require continuous access. The wait for approval on each occasion can also be problematic in time-critical circumstances, such as outages. Therefore, the second approach is to provide pre-approved access to use specific accounts. This approval needs to be embedded within the organisation’s Joiners, Movers and Leavers process.
Best practice stipulates a periodic review of privileged access to ensure that movers and leavers have been properly actioned and instances of privilege creep are eliminated. Making this review simple should be a factor in PAM product selection.
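A sketch of the periodic review described above, added here as an illustration and not taken from Savanti's framework or any PAM product: it checks a constructed list of privileged grants against a constructed Joiners, Movers and Leavers roster and flags leavers, grants the user's current role no longer justifies, and just-in-time grants left active after expiry. The record layout, the role-to-account mapping and every name in it are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data; field names and values are assumptions for illustration.
# Privileged accounts each job role is pre-approved to use (role-based access).
ROLE_ACCOUNTS = {
    "dba": {"sql-admin"},
    "network": {"fw-admin", "switch-admin"},
}

# Joiners, Movers and Leavers roster: current role, or None once the user has left.
ROSTER = {"alice": "dba", "bob": "network", "carol": None}

# Active grants as exported from a PAM tool; "jit" grants carry an expiry time.
GRANTS = [
    {"user": "alice", "account": "sql-admin", "type": "pre-approved", "expires": None},
    {"user": "alice", "account": "fw-admin", "type": "pre-approved", "expires": None},
    {"user": "bob", "account": "sql-admin", "type": "jit",
     "expires": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)},
    {"user": "carol", "account": "switch-admin", "type": "pre-approved", "expires": None},
    {"user": "dave", "account": "fw-admin", "type": "pre-approved", "expires": None},
]


def review_grants(grants, roster, role_accounts, now):
    """Return (user, account, reason) for every grant that needs action."""
    findings = []
    for g in grants:
        user, account = g["user"], g["account"]
        if user not in roster:
            reason = "unknown user: not in JML roster"
        elif roster[user] is None:
            reason = "leaver: access not removed"
        elif g["type"] == "jit":
            if g["expires"] is not None and g["expires"] > now:
                continue  # still inside its approved window
            reason = "jit grant expired or has no expiry"
        elif account not in role_accounts.get(roster[user], set()):
            reason = "privilege creep: not justified by current role"
        else:
            continue
        findings.append((user, account, reason))
    return findings


if __name__ == "__main__":
    review_time = datetime(2024, 3, 2, tzinfo=timezone.utc)
    for finding in review_grants(GRANTS, ROSTER, ROLE_ACCOUNTS, review_time):
        print(*finding, sep=" | ")
```

Running the same check on a schedule, rather than only at review time, also catches just-in-time grants that were never deprovisioned.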
3. Establish monitoring, reporting and alerting that informs the business of privilege usage and enables accurate risk assessment
Understanding how exposed you are to the risk of credential theft and misuse can be alarmingly difficult if you are uncertain of where your privileged access is and how it should be used.
A key part of bringing privileged access under control is knowing your usage patterns, monitoring that usage and alerting on any activity that doesn’t fit.
Your monitoring, reporting and alerting goals will be a key factor in product selection. Privileged threat analytics will measure user behaviours, establish a baseline and alert you to any suspicious deviations.
In the event that something does go wrong, a comprehensive audit trail showing who did what, using which account and when, will help your forensic investigation and remediation actions.
4. Mitigate as much risk as possible as quickly as possible
All security projects suffer from the challenge of ‘how is this investment helping my business objectives?’. Keeping the business safe only gets grudging acceptance, so the pressure is on to deliver value early.
This means you need to map your landscape, risk assess and prioritise your PAM implementation. Understanding what your critical assets are, the type of privileged access used and how they could be compromised will identify the PAM product capabilities that are most important to you, e.g. vaulting, secrets protection, key management, remote access and endpoint protection.
Savanti has developed a successful PAM Delivery Framework to help guide customers through the decision-making necessary to ensure that their PAM solution protects their business.
We'd be happy to support you on your journey. Please get in touch at firstname.lastname@example.org or via the chat function on our website, www.savanti.co.uk, especially if you would like us to send you details of our PAM Delivery Framework.