Tuesday, July 16, 2019

Privileged Access Management

In its Private Industry Notification (20190423-001) the FBI specifically called out the risk represented by privileged users, those people who configure and manage networks, systems, applications, and users, those with administrator (e.g., "root," "ADMIN") pivileges.  These users are problematic because they can both expand their privileges and hide their use.  For example, an administrator might create a phony user ID to use to hide his activity or to use after termination.  The most egregious example might be the abuse by Edward Snowden who expanded his privileges to exfiltrate dozens of documents over months from the NSA without being detected.  

At the primitive level, most privileges are associated with a user identifier and a reuseable password.  In order to provide coverage, these are often known to and used by multiple parties with a subsequent loss of accountability, just where we need it most.        

However, there are solutions, called Privileged Access Management (PAM) packages, that can be used to provide some automated control and accountability over these users.  These applications work by acting as proxies for the privileged controls, hiding them, controlling access to them, and recording their use.  Instead of connecting directly to the privileged controls, the administrator connects to the proxy which then connects him to the privileged control.  

These packages may provide:

  • hiding of all privlleged controls
  • strong authentication of privileged users
  • management control over the granting and withdrawing of privileges
  • logging of all connections, events, and uses, content.
  • multi-party controls (two or more people must cooperate)
  • restriction of use to a time of day or shift
  • restriction of use to specified (e.g., supervised) locations (e.g., device, network address, VPN, VLAN)
  • restriction to a single user at a time (checkout/checkin) 
  • other
The PAM becomes the sole process with access to the privileges and uses them on behalf of its user as directed by management or policy.  

If your enterprise, network, system, or application has only one privileged user or administrator, then you have good accountability;  whatever was done, that person did it.  However, that will apply to only very small enterprises.  Everyone else should be using a Privileged Access Manager.  There are now dozens on the market.  Choosing the right one will require some effort but the usual sources (e.g., Gartner, Capterra, Solutions Review) will assist you.

No comments:

Post a Comment