OneWorld Identity's Cameron D'Ambrosi sat down with Shawn Keve and me to discuss the unique challenges of Privileged Identity Management as compared to traditional IAM, aired in the August edition of his "The State of Identity" podcast. Listen to a recording here:
Privileged identities come in various forms: they can be elevated accounts on your cloud services like root accounts on AWS instances, local administrator accounts on workstations & endpoints, or service accounts used by applications. These identities provide pretty much unfettered access to IT systems, and therefore ensuring the security of these accounts should be a top priority.
The 2017 Verizon Data Breach Investigations Report shows that 90% of breaches were attributed to sophisticated state or state-like actors who used phishing as their primary method to gain access and then sought to escalate privileges. Once they get hold of privileged identity credentials, it is quite easy for them to move laterally and hide their footprints, and then it's game over.
“Most malware require elevated privileges to do harm.”
Most often attackers masquerade as privileged users. A 2016 survey by Aberdeen showed that 90% of data breaches involve the compromise or misuse of privileged access. In the wrong hands, the damage has proven to be catastrophic.
Here are some potential blind spots that organizations need to pay attention to with respect to managing their privileged identities:
(1) Securing Local Admin
While PIM is easy to understand at the O/S level, where the accounts in question are system accounts like Windows Administrator and Unix root, most organizations do not pay sufficient attention to local admin accounts on endpoints and admin accounts on databases. With local admin rights, users can disable security settings and install malware.
A sensible way to approach this is to come to an agreement with the business that not all users need this access all the time, and to implement a process for privilege elevation, e.g. a way for users to request temporary, permanent, or emergency local admin rights.
(2) Using PAM to Secure the Cloud
The auto-scaling nature of the cloud creates a rather large blind spot for most organizations when it comes to securing privileged access. With IaaS, for example, this involves not just locking down super-user access to the VMM/hypervisor; because instances are ephemeral, an agile PAM system is required that can provide just-in-time privilege to instance admins, local user accounts on instances, access to storage, and even temporary privileges for application-to-application accounts.
Another blind spot with the cloud is Shadow IT; to secure this, organizations are turning to proxy-based CASB solutions, which have some DLP-like capability, in addition to their PAM systems.
Gartner predicts that by 2020, 95% of IaaS security failures will be the customer's fault, and half will be due to mismanagement of identity privileges. A case in point is the recent Time Warner Cable breach.
(3) Securing DevOps
A transformation is happening in how organizations deploy software today, and as identity specialists we need to think of different ways to deliver identity. DevOps culture includes Continuous Integration & Continuous Deployment (CI/CD) tools which need privileged access to traditional on-premise or IaaS platforms. This brings with it a need for "elastic" identity, or elastic PAM capabilities, that require systems to be agile and nimble in the ways they provide access.
Also, with container management and orchestration tools becoming popular that allow systems to span multiple IaaS environments, it becomes important for PAM tools to include Segregation of Duty capabilities that can detect potential conflicts. PAM tools need to be able to auto-scale for DevOps and have service discovery across multiple IaaS environments.
(4) Establish Identity Governance processes for Privileged Access
The Verizon DBIR report indicates that the majority (81%) of privilege misuse can be related to insider threats. Increasingly, auditors are finding companies that do not extend their enterprise identity governance (IGA) controls to privileged access. This takes the form of providing an approval-workflow based method to request privileged access, periodic certification of privileged accounts like admin/root/DBA, and providing auditors with reports on who did what with their privileged access.
By bringing together traditional enterprise identity governance controls with PAM systems, organizations are better able to address security vulnerabilities and are better prepared for audits.
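The three controls described above (a request process for temporary, permanent or emergency local admin rights; just-in-time privilege for ephemeral cloud instances; and approval-workflow governance with periodic certification and audit reporting) share one lifecycle: request, approve, use, expire, report. The following is an added example, not code from the post or from any PAM vendor, that models that lifecycle in a small in-memory broker. The broker, its policy caps (4-hour temporary grants, 1-hour break-glass grants) and the sample requests are all constructed for illustration; a real deployment would put this logic in front of a credential vault and the platform's own IAM.

```python
"""Illustrative just-in-time (JIT) privilege elevation broker (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class GrantType(Enum):
    TEMPORARY = "temporary"   # time-boxed, needs a second person to approve
    EMERGENCY = "emergency"   # break-glass: auto-approved, short, loudly audited
    PERMANENT = "permanent"   # standing access; must be recertified periodically


@dataclass
class Grant:
    requester: str
    target: str                     # e.g. a workstation name or a cloud instance id
    role: str                       # e.g. "local-admin" or "root"
    kind: GrantType
    justification: str
    requested_at: datetime
    expires_at: Optional[datetime]  # None only for PERMANENT
    approved_by: Optional[str] = None
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        """Access exists only once approved, and only until revoked or expired."""
        if self.revoked or self.approved_by is None:
            return False
        return self.expires_at is None or now < self.expires_at


class ElevationBroker:
    MAX_TEMPORARY = timedelta(hours=4)   # constructed policy caps
    MAX_EMERGENCY = timedelta(hours=1)

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit: List[str] = []      # "who did what" trail for auditors

    def _log(self, now: datetime, event: str, g: Grant) -> None:
        self.audit.append(f"{now.isoformat()} {event} {g.requester} "
                          f"{g.role}@{g.target} ({g.kind.value}): {g.justification}")

    def request(self, requester: str, target: str, role: str, kind: GrantType,
                justification: str, now: datetime,
                duration: Optional[timedelta] = None) -> Grant:
        """Open a request; durations are capped by policy, break-glass skips approval."""
        if not justification.strip():
            raise ValueError("a justification is required for every elevation request")
        if kind is GrantType.PERMANENT:
            expires = None
        else:
            cap = self.MAX_EMERGENCY if kind is GrantType.EMERGENCY else self.MAX_TEMPORARY
            expires = now + min(duration or cap, cap)
        g = Grant(requester, target, role, kind, justification, now, expires)
        self.grants.append(g)
        self._log(now, "REQUEST", g)
        if kind is GrantType.EMERGENCY:
            g.approved_by = "break-glass"   # no human in the loop, so the audit trail is the control
            self._log(now, "BREAK-GLASS", g)
        return g

    def approve(self, g: Grant, approver: str, now: datetime) -> None:
        """Two-person rule: a requester may never approve their own elevation."""
        if approver == g.requester:
            raise PermissionError("self-approval is not allowed")
        if g.revoked:
            raise ValueError("grant already revoked")
        g.approved_by = approver
        self._log(now, f"APPROVE by {approver}", g)

    def expire(self, now: datetime) -> int:
        """Revoke grants whose window has closed; returns how many were revoked."""
        n = 0
        for g in self.grants:
            if g.approved_by and not g.revoked and g.expires_at and now >= g.expires_at:
                g.revoked = True
                n += 1
                self._log(now, "EXPIRE", g)
        return n

    def active(self, now: datetime) -> List[Grant]:
        return [g for g in self.grants if g.is_active(now)]

    def certification_report(self, now: datetime) -> List[str]:
        """Standing (permanent) grants that an owner must periodically recertify."""
        return sorted(f"{g.requester}:{g.role}@{g.target}" for g in self.grants
                      if g.kind is GrantType.PERMANENT and g.is_active(now))


def demo() -> Dict[str, object]:
    """Run the lifecycle on constructed requests and return checkable facts."""
    t0 = datetime(2017, 9, 1, 9, 0)
    b = ElevationBroker()
    temp = b.request("alice", "ws-042", "local-admin", GrantType.TEMPORARY,
                     "install scanner driver", t0, timedelta(hours=8))  # asks for 8h, gets 4h
    pending_inactive = not temp.is_active(t0)
    try:
        b.approve(temp, "alice", t0)
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    b.approve(temp, "bob", t0 + timedelta(minutes=5))
    b.request("carol", "i-0abc123", "root", GrantType.EMERGENCY,
              "prod outage, ticket INC-1", t0 + timedelta(hours=1))
    standing = b.request("dave", "db01", "dba", GrantType.PERMANENT, "on-call DBA", t0)
    b.approve(standing, "erin", t0)
    active_at_3h = len(b.active(t0 + timedelta(hours=3)))   # temp + standing; break-glass already over
    revoked_at_5h = b.expire(t0 + timedelta(hours=5))        # temp and break-glass windows closed
    return {"pending_inactive": pending_inactive, "self_approval_blocked": self_approval_blocked,
            "temp_hours": (temp.expires_at - t0) / timedelta(hours=1),
            "active_at_3h": active_at_3h, "revoked_at_5h": revoked_at_5h,
            "needs_certification": b.certification_report(t0 + timedelta(hours=5)),
            "audit_events": len(b.audit)}


if __name__ == "__main__":
    print(demo())
```

The two points a practitioner should take from the model are that a grant confers nothing until a second person approves it (emergency grants are the deliberate exception, so they are the ones the audit trail must make most visible), and that expiry is enforced by the broker rather than trusted to the user, which is what makes "temporary" local admin or instance-admin rights actually temporary.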
(5) Weeding out suspicious behavior with privileged activity monitoring
Traditionally, organizations have tackled these problems by implementing complex software and hardware, adding specialized security resources, and integrating and managing everything in-house. These solutions provide alerts, but organizations are expected to figure out what those alerts mean. Most of these organizations found it incredibly challenging to expand the scope of their controls beyond managing basic local administrative accounts.
Moreover, traditional Privileged Access Management (PAM) solutions do not provide proactive controls for detecting and blocking privileged access misuse. Often, organizations lack sufficient skill sets to respond as quickly as required, or find out only after the fact that accounts have been used inappropriately.
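To make the "alerts you still have to interpret" problem concrete, here is an added example (not code from the post or from any monitoring product) of the simplest form of privileged activity monitoring: a few explicit detections run over sudo log lines. It parses the standard sudo syslog format and flags command-filter hits (an interactive root shell, password or sudoers changes), off-hours use by human accounts, interactive use of service accounts, and a user appearing on a host outside their baseline. The sample log lines, the host baseline, the business-hours window and the blocked-command list are all constructed for the example; the rules are a starting point that a behavioral analytics system would replace with learned baselines.

```python
"""Rule-based privileged activity monitoring over sudo log lines (added example)."""
import re
from typing import Dict, List, Optional, Set

# Standard sudo syslog line: "<date> <host> sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)
FIELD_NAMES = {"TTY": "tty", "PWD": "cwd", "USER": "runas", "COMMAND": "command"}

# Constructed policy: commands a command filter would block, and the human working day.
BLOCKED = ("/bin/bash", "/bin/sh", "/usr/bin/passwd", "/usr/sbin/visudo", "/usr/sbin/usermod")
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local

# Constructed sample input: six sudo lines plus one sshd line the parser must ignore.
SAMPLE_LOG = [
    "Sep  1 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Sep  1 02:13:07 db01 sudo: svc_backup : TTY=pts/2 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/usr/bin/passwd root",
    "Sep  1 10:45:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Sep  1 11:02:15 db02 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/syslog",
    "Sep  1 03:30:00 web01 sudo: svc_backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/backup.sh",
    "Sep  1 11:05:00 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5222 ssh2",
    "Sep  1 23:40:12 web01 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get install foo",
]
# Constructed baseline: hosts each account has been seen elevating on before.
BASELINE: Dict[str, Set[str]] = {"alice": {"web01"}, "bob": {"web01"}, "svc_backup": {"db01", "web01"}}


def parse(line: str) -> Optional[dict]:
    """Return a record for a sudo line, or None for anything else (sshd, cron, ...)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for part in rec.pop("fields").split(" ; "):
        key, _, val = part.partition("=")
        rec[FIELD_NAMES.get(key.strip(), key.strip().lower())] = val.strip()
    rec["hour"] = int(rec.pop("hh"))
    return rec


def is_service_account(user: str) -> bool:
    return user.startswith("svc_")   # naming convention assumed for the example


def analyze(lines: List[str], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Apply each detection to each sudo record; one alert per (record, rule) hit."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        user, host, cmd = rec["user"], rec["host"], rec.get("command", "")
        reasons = []
        if cmd.split(" ")[0] in BLOCKED:
            reasons.append("blocked-command")
        if not is_service_account(user) and rec["hour"] not in BUSINESS_HOURS:
            reasons.append("off-hours")              # cron-driven service accounts run at night
        if is_service_account(user) and rec.get("tty", "unknown") != "unknown":
            reasons.append("service-account-interactive")   # a person is driving a machine account
        if host not in baseline.get(user, set()):
            reasons.append("new-host")               # unknown users have no baseline, so always fire
        for rule in reasons:
            alerts.append({"user": user, "host": host, "command": cmd, "rule": rule})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, BASELINE):
        print(f"{a['rule']:28} {a['user']}@{a['host']}: {a['command']}")
```

Run over the sample, the quiet lines (a daytime service restart, the nightly backup from a non-interactive TTY) produce nothing, while the service account being driven from a terminal to change the root password produces two alerts at once; that stacking of reasons on one event is what lets a small team triage rather than read every alert.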
Here are some steps that organizations can take to reduce their risk exposure with privileged identities:
1. Identify which resources (individuals and systems) have elevated access to protected resources.
   - Vendors like CyberArk and BeyondTrust have some pretty nice (and free) tools that help with this discovery.
2. Understand the scope of privileged identity interactions with protected resources.
   - Conduct a risk assessment at this stage that analyzes vulnerabilities and the likelihood of misuse, and that includes cloud resources. The NIST cybersecurity whitepaper details an implementation approach that maps back to 800-53 controls.
   - Review DevOps containers & automation scripts for potential risks of collusion with privileged access.
   - Eliminate all unnecessary privileged access.
3. Establish a privileged identity management framework to mitigate ongoing risk.
   - Define a governance framework that aligns with procedures & management control. The ICAM guide is a good starting point, albeit a dated document.
   - Implement a PAM credential vault for passwords, SSH keys, etc., and business processes for checking out passwords with approval.
   - Set up "break-glass" procedures for emergency use.
   - Record and monitor privileged user sessions, and implement command filtering.
   - Establish MFA architectures for privileged access. For example, after the 2015 breach, OMB required all federal agencies to use PIV-based credentials (hard tokens) for authenticating privileged users (although an alternate solution using soft tokens would be more elegant).
4. Improve this implementation by monitoring these activities against business use & scale for future need:
   - Incorporate PIM/PAM in strategic planning for the enterprise.
   - Establish task forces and action plans to resolve alerts.
   - Tie alerts into a behavioral analytics system like Securonix that uses unsupervised machine learning algorithms to detect suspicious privileged misuse.