Privilege Account Management

Privilege Account Management (PAM) is part of Identity and Access Management (IAM), also known as Identity Management (IdM), in which individual users are granted privileges on a resource so that they can execute certain tasks or procedures on that resource. This can also be part of Role Based Access Control (RBAC), in which the user’s privilege is granted through a role. In this case the roles are the authority that determines what the user can perform on the resource. Whether we are talking about PAM, IAM or roles, all of these should follow the Principle of Least Privilege (PoLP), in which the user’s access or privilege allows them to perform only those specific actions they require and nothing more.


Balance Security vs User Enablement

One of the key challenges of PAM solutions is granting enough permissions to the user so that they can be productive while minimizing the security risks that come with those permissions. The two are inversely related: increasing security limits user permissions, while increasing permissions decreases security.


Privilege Accounts

An enterprise can have numerous privileged accounts, as they may be used across many assets for various requirements. Some examples of where privileged accounts are used:

  • Servers, network devices, databases and applications
    • Systems Admins
    • DB Admins
    • Network Admins
  • Workstations such as laptops, mobile, etc
    • System Admins
    • Application Admins


Types of Privilege Accounts

There are three general types of privileged accounts.

  • Administrator
    • System wide management
    • “Keys to the Kingdom”
  • Services
    • Runs specific services / programs
    • On Windows these still require passwords
  • Embedded / Application
    • Usually for single application
    • For example – accounts used for database access by applications

It is also important to note that in an enterprise, privileged accounts may also be divided into Employees (internal) and Partners (external).


Securing Administrator Accounts

There are a series of steps to manage privileged access accounts. The steps start with discovery and go through a cycle of management up through auditing. An example of these steps could be:

  • Discover admin accounts
  • Classify the accounts
  • Enforce secure password policy for the accounts
  • Manage account authorization – who owns it, who approved it
  • Setup reports/alerts for auditing
  • Monitor account usage
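The cycle above, as an added example written for this page and not taken from the page or from any vendor product: one pass through discover, classify, check password policy, check ownership and approval, and report. The inventory, host names, group names, and the 90-day password age and 60-day stale-login thresholds are constructed assumptions chosen for illustration.

```python
"""Added example: one audit pass over a constructed inventory of accounts,
following the discover -> classify -> enforce policy -> manage authorization
-> report steps. Account data and thresholds below are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed policy thresholds (illustrative, not from the page).
MAX_PASSWORD_AGE_DAYS = 90
STALE_LOGIN_DAYS = 60

# Group memberships that mark an account as an administrator (assumed list).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "sudo", "wheel", "db_owner"}


@dataclass
class Account:
    name: str
    host: str
    groups: List[str]                  # group memberships found on the host
    owner: Optional[str] = None        # who is accountable for the account
    approved_by: Optional[str] = None  # who approved its existence
    password_set: Optional[date] = None
    last_login: Optional[date] = None
    runs_service: bool = False         # account starts a service or daemon
    used_by_app: bool = False          # credential embedded in an application


def classify(acct: Account) -> str:
    """Map an account onto the three types the page lists: administrator,
    service, or embedded/application. Administrator wins if several apply."""
    if set(acct.groups) & ADMIN_GROUPS:
        return "administrator"
    if acct.runs_service:
        return "service"
    if acct.used_by_app:
        return "embedded"
    return "standard"


def check_policy(acct: Account, today: date) -> List[str]:
    """Return the policy findings for one privileged account."""
    findings = []
    if acct.owner is None:
        findings.append("no owner recorded")
    if acct.approved_by is None:
        findings.append("no approval recorded")
    if acct.password_set is None:
        findings.append("password age unknown")
    elif (today - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    if acct.last_login is not None and (today - acct.last_login).days > STALE_LOGIN_DAYS:
        findings.append("no login for %d+ days (candidate for disable)" % STALE_LOGIN_DAYS)
    return findings


def audit(inventory: List[Account], today: date) -> dict:
    """Discover the privileged accounts in the inventory, classify them and
    collect policy findings keyed by 'name@host'. Standard accounts are
    skipped because they are out of scope for PAM."""
    report = {}
    for acct in inventory:
        kind = classify(acct)
        if kind == "standard":
            continue
        report["%s@%s" % (acct.name, acct.host)] = {
            "type": kind,
            "findings": check_policy(acct, today),
        }
    return report


# Constructed sample inventory (not real systems or accounts).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("localadmin", "ws01", ["Administrators"], owner="it-ops", approved_by="ciso",
            password_set=date(2024, 5, 1), last_login=date(2024, 5, 30)),
    Account("svc_backup", "srv01", ["Backup Operators"], owner="it-ops", runs_service=True,
            password_set=date(2023, 1, 15), last_login=date(2024, 5, 31)),
    Account("app_db", "db01", ["app_users"], used_by_app=True, password_set=date(2024, 4, 1)),
    Account("jdoe", "ws02", ["Users"], owner="jdoe", password_set=date(2024, 5, 20)),
]

if __name__ == "__main__":
    for key, row in audit(SAMPLE, TODAY).items():
        print(key, row["type"], "; ".join(row["findings"]) or "OK")
```

In a real deployment the inventory would come from the discovery step (directory group membership, local group enumeration, service configuration, application connection strings) and the findings would feed the alerting and monitoring steps that follow.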


NIST also has definitions on privilege management; the following is from the NIST 500-299 standard for cloud security architecture.


Best Practices for Managing Privileged Users

The following are some best practices when managing privileged users.

  • Well defined process for enabling and disabling privileges
    • User background checks
    • User must complete training, review policy
    • Periodic reviews / expirations
  • Implement Least Privilege Principle
    • Least device access
    • Least functional access (applications)
    • Least command execution (install, alter system settings, etc)
  • Strong Authentication
    • Strong password policy
    • Multi-factor authentication
  • Separate Authentication from Authorization
  • Protect privileged account credentials
  • No anonymous activity/access
  • Critical assets require extra protections/policies/procedures
  • Alert on violations
    • Lock out accounts in violation
  • Log and record everything


Securing the PAM System

Since the PAM system stores all information about the privileged accesses, it is a crucial part of IT and security. As such, steps need to be taken to secure it and mitigate risks to it. This includes managing access to the system and preventing data loss while keeping the data constantly available. This can be done with strong access control policies on the system, data redundancy, and disaster recovery plans.

When managing the privileged access accounts, roles and processes for how those accounts are managed need to be defined through the PAM system. Roles include the users who review, approve, and monitor the privileged accounts. Processes include approval workflows, account policies such as expiration, user requirements such as training, and procedures for monitoring and auditing the accounts.


User Account Control (UAC)

UAC was introduced in Windows 7 to address the problem that users were often running with administrator rights, which allowed them and their applications to perform admin actions. To restrict this, UAC allows users to run as standard users rather than as administrators. As standard users, they are prompted when a process tries to go beyond what is allowed as a standard operation.

UAC prompts when a process requires administrator rights, such as when installing drivers or ActiveX controls, changing system configuration, changing user account configuration, performing backup and restore, viewing or accessing files of other users, and changing anything under Program Files. The level at which these prompts are given can be configured in the UAC settings.
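As an added example (not from the page), the UAC prompt level just mentioned is stored under the documented policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the block below reads the values there on Windows and rates a set of values from a hardening standpoint. The registry key and value names are the real ones; the rating labels and which combinations count as weakened are this example's own choices, and the value sets used in the stand-alone run are constructed.

```python
"""Added example: read the UAC policy values that control prompting and
rate them. Key and value names are the documented Windows ones; the rating
scheme is an assumption made for this example."""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
UAC_VALUES = ["EnableLUA", "ConsentPromptBehaviorAdmin",
              "ConsentPromptBehaviorUser", "PromptOnSecureDesktop"]

# Documented meanings of ConsentPromptBehaviorAdmin.
ADMIN_PROMPT = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

# Values Windows applies when the policy value is absent.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
            "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}


def read_uac_settings():
    """Return the UAC DWORDs from the registry; None for absent values (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("UAC settings exist only on Windows")
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in UAC_VALUES:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                out[name] = None
    return out


def _get(settings, name):
    value = settings.get(name)
    return DEFAULTS[name] if value is None else value


def evaluate_uac(settings):
    """Rate a dict of UAC values as 'disabled', 'weakened' or 'hardened'
    and list the reasons. Missing values are treated as the Windows defaults."""
    if _get(settings, "EnableLUA") == 0:
        return {"rating": "disabled", "admin_prompt": "UAC off",
                "findings": ["EnableLUA=0: UAC is off, every process of an administrator runs fully elevated"]}
    admin = _get(settings, "ConsentPromptBehaviorAdmin")
    findings = []
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    elif admin in (3, 4):
        findings.append("ConsentPromptBehaviorAdmin=%d: prompt is not on the secure desktop" % admin)
    if _get(settings, "PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not isolated from other processes")
    return {
        "rating": "weakened" if findings else "hardened",
        "admin_prompt": ADMIN_PROMPT.get(admin, "unknown value %r" % admin),
        "findings": findings,
    }


if __name__ == "__main__":
    try:
        settings = read_uac_settings()   # live values on a Windows host
    except OSError:
        # Constructed sample used when not on Windows (not real host data).
        settings = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}
    result = evaluate_uac(settings)
    print(result["rating"], "-", result["admin_prompt"])
    for finding in result["findings"]:
        print("  ", finding)
```

When the values are set through Group Policy rather than locally, the same key is what the policy writes to, so the check reflects the effective configuration either way.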


Vendors

Some popular vendors providing PAM solutions:

  • Balabit
  • BeyondTrust
  • Centrify
  • Core Security
  • CyberArk
  • Thycotic
  • Avecto
  • Lieberman
  • CA Technologies
  • ManageEngine
  • One Identity


References

List of Vendors (2018)
https://www.gartner.com/reviews/market/privileged-access-management-solutions
https://solutionsreview.com/identity-management/privileged-access-management-solutions-directory/

Privilege Access Management at Hitachi
https://www.youtube.com/watch?v=emhfCVOw9GQ

Best Practices for Privilege Identity Management
https://www.youtube.com/watch?v=sblMZUf23Uc
