7 steps for complete privilege management
This white paper identifies seven core areas for privileged access management, presenting the key capabilities you should seek across each of these areas.
Each core area, when implemented, will give you greater control and accountability over the accounts, assets, users, systems, and activity that comprise your privilege environment, while eliminating and mitigating many threat vectors. You can address these areas all at once, or more commonly, phase in controls for one or several areas of PAM at a time. The more of these areas you implement, the more PAM synergies you will see, and the more impactful the reduction in enterprise risk and the operational improvements.
Throughout the process of selecting and deploying your privileged access management solution, keep in mind these business requirements, as they will help you articulate the value of this program higher in the organisation:
Total cost of ownership
Does it result in time-savings (such as replacing manual processes with automation) and allow you to re-deploy resources for other initiatives?
How soon does it help you measurably improve security controls and dial down risk? How long will it take to achieve your end-state goals with the solution?
How does it integrate with the rest of your security ecosystem (IAM, SIEM, service desk, analytics)? Does it help you make better decisions on risk? If it only works well as a standalone/point solution, it’s probably only a stopgap versus a long-term solution. On the other hand, if the solution has synergies with your existing security solutions, it will also help you maximise existing investments.
Will the solution vendor grow with you or even pull you towards growth through security enablement? Is the vendor resourced to evolve capabilities and deepen feature-richness to meet the PAM use cases of tomorrow?
Improve accountability and control over privileged passwords
The most logical starting point for gaining greater control over privileges is improving accountability over privileged credentials. According to Forrester Research, privileged credentials are implicated in 80% of data breaches.
Admins commonly share passwords, which makes it nearly impossible to get a clean audit trail. Many systems, applications, and devices (IoT, etc.) have embedded or hardcoded passwords, opening opportunities for misuse. Passwords are needed for application-to-application and application-to-database access. New privileged credentials are born when now cloud/virtual instances are spun up. The list goes on.
Manual password management measures (discovery, rotation, enforcement of best security practices) are notoriously unreliable, complex, and time-consuming—and impractical to scale. And some best practices – like eliminating and centrally managing some types of embedded passwords—are virtually impossible without enterprise tools.
How do organisations ensure security and accountability over all the different types of credentials that allow privileged access—without disrupting administrator productivity or other workflows and processes?
Goal: An automated, comprehensive solution to seamlessly discover the ever-expanding list of privileged accounts/credential types (both human and non-human) in your environment, place those accounts/credentials under management, and satisfy auditor requests that they are adequately managed. Such a solution will outright eliminate some privileged attack vectors, while mitigating many others, helping to drastically reduce enterprise security exposures. This requires a purpose-built enterprise password management/privileged credential management solution that can automate each phase of the password lifecycle consistent with your security policies.
Other considerations: How important is scale? Do you have just a few thousand privileged credentials, or many hundreds of thousands? A handful of PAM solutions may be able to scale to manage tens of thousands, or even hundreds of thousands of privileged user credentials. Fewer still can also manage high numbers of SSH keys. And, if it is important to you (it should be) to monitor and manage all privileged sessions, understand that just a couple, elite vendors can monitor/ manage hundreds of thousands of concurrent sessions. And, only BeyondTrust delivers all of these capabilities and meets the enterprise needs of scale across the board and across any environment.
Implement least privilege & application control for Windows & Mac
Once privileged credentials and accounts are being consistently discovered, onboarded, and managed, the next step to complete privileged access management is implementing least privilege on end-user machines by eliminating local admin rights. If you have Windows servers, you also want to dial in the proper privileged access for your various Administrator accounts (Network, Microsoft Exchanges Active Directory, Database, Developers, Help Desk, IT Staff/Power Users, etc.).
With a least-privilege approach, users receive permissions only to the systems, applications, and data they need based on their current role. Rather than having privileges enabled and always-on, thus always ripe for misuse or abuse, the privileges are only elevated on an as-needed basis. By defaulting most users to standard users and only elevating privileges as needed, you drastically reduce the threat surface, sharply curtail the ability for lateral movement, and minimise the risk of threats, such as phishing and ransomware, to land and expand. By tightly controlling and auditing admin access, you also ensure your most sensitive assets are protected.
Relying on native and adhoc, in-house toolsets to restrict or enable end-user privileges is onerous and time-consuming. And, although users should not be granted local administrator or power user privileges in the first place, sometimes certain applications require elevated privileges to run.
How do IT organisations reduce the risk of users having excessive privileges without obstructing their productivity or overburdening the help desk with requests for privileges/permissions?
Goal: The ability to efficiently eliminate local admin rights across Windows and macOS systems, tightly control and audit admin access to servers and sensitive systems, and enforce granular control over applications. This requires enterprise endpoint privilege management solutions that remove end-user privileges, while automating rules-based technology to elevate application privileges— without ever elevating user privileges.
Other considerations: How important is the solution’s time-to-value for you? Some solutions will require a complex services arrangement, while others can show a demonstrable risk reduction and slash help desk tickets in just weeks.
Secure remote access for vendors & employees
Remote access pathways represent the weakest links for most organisations—and cybercriminals know it.
IT administrators, insiders, and third-party vendors need privileged access to do their jobs effectively; they also need the ability to elevate privileges. Organisations often lack visibility into what vendors are doing when they access their network. VPNs provide far too much access than is usually required. Most other remote access solutions also share similar pitfalls as VPN, including lack of granular security settings, inability to provide a comprehensive audit trail, lack of support across diverse operating systems and use cases.
These are all serious shortcomings. And when you consider the scale of the problem, it’s plainly apparent how critical this deficiency is. As the published research from BeyondTrust’s 2019 Privileged Access Threat Study found, on average, organisations have 182 third-party vendors logging into their systems/networks, in a typical week. With so many remote access points, and typically, sub-optimal visibility, auditing, and security controls over this access, it’s just a matter of time before a weak link in across the remote access surface is compromised—either via an employee or a third-party vendor.
How can organisations better monitor access for privileged users without inhibiting business agility?
Goal: Eliminate “all or nothing” remote access for vendors by implementing granular, role-based access to specific systems and defined session parameters. Allow vendors or internal users access to specific systems, for an allotted time, for specific applications or purposes. Administrators can approve or deny access requests from anywhere and any device, to anywhere and across major platforms.
Implement least privilege and audit access across Unix and Linux server environments
Business-critical, Tier-1 applications running on Unix and Linux servers are prime targets for cyber threat actors. Privileged user credentials for these resources can provide access to ecommerce data, ERP systems with employee data, customer information, and sensitive financial data.
Having root passwords, superuser status, or other elevated privileges is important for IT admins to do their jobs. Unfortunately, this practice presents significant security risks stemming from intentional, accidental, or indirect misuse of privileges.
Native, open source, and ad hoc tools are often used to “get by.” But in server environments with even modest complexity, you end up paying a high price for these “free” tools in several ways. For instance, some dangerous, or at least onerous, shortcomings of sudo and other basic tools include:
- Unsettling deficiencies in oversight, forensics, and auditing: lack of file integrity monitoring, log securing, or the ability to record sessions and keystrokes for audits
- Serious gaps in security: For instance, these tools don’t account for activity inside scripts and third-party applications, leaving a shortcut to unapproved applications. Native OS tools also lack the ability to delegate authorisation without disclosing passwords.
- Administrative complexity and lack of scalability: policies typically need to be managed on each individual server when using sudo or other basic tools
- Don’t offer an efficient migration path away from sudo, if it is being used
- Lack of enterprise support
With sudo and other tools, it’s virtually impossible to maintain best-practice security and compliance in all but the most primitive of IT environments. And, simply put, the stakes of inadequate privileged access controls in your Unix/Linux environments are far too high.
Goal: Visibility and control over all privileged activities across Unix and Linux. Consistent enforcement of least privilege, efficient delegation of Unix and Linux privileges, and authorisation without disclosing passwords for root or other accounts. The ability to either do away with sudo outright, or make the most of sudo by layering on enterprise capabilities that resolve security and auditing deficiencies, and make administration simpler and less prone to error.
Other considerations: Do you also have Windows servers and desktop endpoints? Would you prefer one vendor and platform to implement PAM across all your endpoints, or are you fine relying on different vendors and management consoles for different OS. Also, is it important for you to be able to enable single sign on across your heterogeneous infrastructure and unify policy management across Unix, Linux, macOS, and Windows? If improving PAM coverage and reducing complexity is important to you, there are only a couple vendors that can meet your needs.
Leverage user, asset, & application-level risk to make better privilege decisions
Once privileged credentials are under management, and end users have the privileges they need to perform their jobs – and nothing more – you can progress to leveraging real-time vulnerability data to make better-informed privilege elevation decisions. For instance, if an application is running with a vulnerability, should you permit it access to perform a highly sensitive operation? The answer may vary based on the unique contextual factors in your environment. For this to be actionable, it requires the ability to do at least three things:
- Know where the vulnerability exists
- Understand how the risk changes depending on what assets the vulnerable application interacts with and what privileges it elevates – and where all these scenarios fall within your risk appetite
- The ability to orchestrate a response, in real-time, that is consistent with your policies and risk appetite
But how do you accomplish this at the enormous scale most organisations would demand?
Goal: Seamless integration of automated privilege elevation/delegation capabilities with vulnerability, risk, and threat intelligence to make smarter privileged access decisions.
Unify & centralise privilege management, policy, reporting, & threat analytics under a single pane of glass
It’s no secret that IT and security professionals are overloaded with privilege, vulnerability, and attack information. Unfortunately, advanced persistent threats (APTs) often go undetected because traditional security analytics solutions are unable to correlate diverse data to discern hidden risks. Seemingly isolated events are written off as exceptions, filtered out, or lost in a sea of data. The intruder continues to traverse the network, and the damage continues to multiply.
Generally, the more point tools you have—each with different administrative interfaces and built with different code—translates into:
- Heightened risk that your solutions won’t integrate or communicate well with each other – resulting in downtime, security gaps, and frustration
- Steeper learning curves for your administrators
- Persistently higher administrative burden
- Delayed orchestration in response to threats
How do security and IT operations teams gain an understanding of where threats are coming from, prioritise them, and quickly mitigate the risks?
Goal: A holistic view of risk with advanced threat analytics that enables IT and security professionals to rapidly identify data breach threats—whether sophisticated or typical. This includes the ability to pinpoint specific, high-risk users and assets by correlating low-level privilege, vulnerability, and threat data from a variety of third-party solutions.
Integrate Unix, Linux, and macOS into Windows
Once you have greater control over privileged access in Unix and Linux environments, the next logical step is to bring those systems under consistent management, policy, and single sign-on.
Unix, Linux, and macOS have traditionally been managed as standalone systems – each a silo with its own set of users, groups, access control policies, configuration files, and passwords to remember. Managing a heterogeneous environment that contains these silos – plus the Microsoft environment – leads to inconsistent administration for IT, unnecessary complexity for end users, and risk to the business.
How do IT organisations manage policy consistently across diverse platforms and provide a streamlined user experience that reduces administration time and errors?
Goal: Centralised authentication for Windows, Unix, Linux, and macOS environments to reduce the risk and complexity of managing a heterogeneous environment. Improved efficiencies by reducing the number of logins (and the accordant help desk calls when they are forgotten), and the number of different systems, configurations, and policies to manage. This requires an Active Directory Bridging solution.
Get in touch
Learn more about how CyberOne privileged access management solutions could benefit your business.
Complete the form for a prompt response from our team.