There is a thought-provoking CIS Controls document that discusses the application of the Pareto principle (80/20) to Information Security. CIS experts believe that 20 percent of protective measures give 80 percent of the result in terms of company security.
One of the top protection measures that have the most significant effect on information security is controlled use of administrative privileges. In an organization, employees should only have the permissions to perform the actions and access the data they really need to.
In this article, I will discuss how Privileged Access Management (PAM) can benefit companies when lookng to tighten control over adminstrative privileges. To do this, I will explore typical cases and problems that can be detected when implementing and testing PAM solutions.
Who needs PAM and why?
The need for Privileged Access Management systems does not always arise. However, when we are talking about access to critical systems, the use of PAM allows us to solve a lot of tasks related to reliability and trust:
- Production systems. The cost of business downtime can reach millions. Access to production systems should be limited. They must be carefully protected, including from admins.
- Cloud services. The cloud is becoming increasingly popular even for deploying systems critical to the operation of organizations. PAM can also be used here to protect you from the service provider.
- Remote work. This is another crucial point, especially when it comes to remote administrators and other privileged users. Ensuring endpoint security is vital to data protection.
- Protection against cyber-attacks. The number of attacks using privileged user accounts is growing. Even a good and trusted administrator may unwittingly miss something and provide a path for intruders to access critical IT systems.
PAM usage scenarios
When it comes to working with mission-critical IT systems, the PAM can offer several use cases:
- Session recording. Organizations can view any session in real-time, connect to the session and terminate it. In the case of a breach, session data can also be saved and accessed for use as evidence in court.
- Proactive monitoring. These include flexible policies, pattern searching capabilities and the automation of actions.
- Threat prevention. PAM can stop misuse of accounts by allowing for increased risk assessment and anomaly detection.
- Searching for those responsible for a breach. There are cases when several users use one account, PAM helps monitor who had access to certain facilities and when.
- Work performance analysis. PAM allows companies to evaluate individual users, departments or the entire organization.
- Accurate access control. PAM allows for restriction of traffic and access for users at certain time intervals.
The principles of PAM operation
The PAM server is located on the edge of the perimeter, opening access channels to target systems, as it is a type of proxy server. After connecting via a VPN, the PAM server is only available to users and all access occurs through it. Users can log in and start working with protected servers through controlled sessions. The PAM server can be installed as a separate virtual machine or as a separate server and is configured separately for each client.
Each privileged user enters the portal through a browser. As a result of this, increased security controls such as multi-factor authentication can be easily configured, for example requiring users to enter their login information as well as an OTP when accessing the server.
The main point of call in such a system is the company's security officer. In their console, they will set up access rights and accounts through which users will connect to mission-critical resources.
A security officer can perform various actions in PAM. They can connect to an active user session and take control, terminate the session or simply send a message to the user. By setting parameters for the operation of protocols, the security officer can disable some commands. For example, it is possible to prevent a machine from rebooting via SSH. When trying to make a forbidden step, the user receives an alert. In addition to recording and logging sessions, PAM can have a keyboard logging feature that allows security officers to track console commands that users enter.
Additional security features
Since the PAM system’s final goal is to protect data, it is necessary to mention a few more important features:
- Data masking. When connecting the administrator to work with the Database Management System (DBMS), those in charge of the PAM server can configure obfuscation of the stored data. Employees can administrate it, but they cannot download it, mitigating data theft from inside the organization. This means even if user credentials are compromized, malicious actors cannot access crucial data.
- Logging and alerts. It is possible to record all actions and hide data in real time if something suspicious happens.
- Agentless connection and no jump servers. PAM servers do not need any additional components for connection, thus increasing the solution's reliability and eliminating unnecessary bottlenecks and vulnerabilities.
Fault tolerance
PAM infrastructure must be organized in such a way that it is impossible to bypass it. Otherwise, the concept loses its goal. Therefore, it is necessary not only to use secure connections but also to ensure a high level of PAM availability.
Therefore, on the most critical projects, it is recommended to deploy two PAM servers simultaneously. This helps to ensure infrastructure maintenance in 24/7 mode without compromising security.
Security problems that PAM projects can detect
Modern PAM systems can be deployed within a few days and sometimes even hours, with the first results being rapidly detectable. Below are typical real-life problems identified by PAM systems during the pilot project phase:
1. Network administrators regularly give themselves access to prohibited resources.
The first incidents that can be detected are violations committed by administrators. Most often, it is an illegal change of access lists on network equipment in order to open access to a prohibited site or for a prohibited application. It should be noted that such changes may remain in the hardware configuration for years.
2. Use of one account by multiple administrators.
Another common admin-related issue is sharing an account with colleagues. In this situation, it can be difficult to understand who exactly is responsible for specific actions, leading to obfiscation if a cyber security incident occurs.
3. The same password is used for multiple systems.
Users may struggle to rememebr multiple complex passwords, leading to them using one simple password for absolutely all systems. If such a password is leaked, a potential intruder can gain access to most parts of IT infrastructure.
4. Users have more rights than expected.
It is often found that users with reduced rights turn out to have more privileges than they should. For example, they can reboot the controlled device. This can either be a mistake of the person who issued the rights or a flaw in the methods used to assign rights.
Conclusion
Having PAM in place can take the stress out of working with the critical systems your business depends on. PAM also allows companies to transfer users to a remote location or move workloads to the cloud and fully control these processes from an information security perspective.