Privileged Access Management:
A Key Technology for Critical Environments
Closed gas stations, disrupted flight schedules, a nationwide state of emergency: In May of 2021, a ransomware hack on the Colonial Pipeline plunged the U.S. East Coast into chaos – after all, the Colonial Pipeline Company supplies 45 percent of the country’s fuel needs. The attack was the work of the hacker group DarkSide, which first stole around 100 GB of data, then compromised the billing system – and finally shut down the pipeline completely. Only after paying 75 bitcoin (about 4.4 million USD at the time) did the company receive a slow decryption tool and get back up and running on May 12. That same day, President Joe Biden signed an executive order to strengthen cybersecurity and prevent such cases. But, of course, there are things companies can do to protect themselves even without executive help. At the top of the list: strong protection for identities and accounts, especially those with privileged access rights.
The Colonial Pipeline hack, and the government’s prompt response, illustrate just how dangerous inadequately protected networks are. CRITIS-regulated organizations in particular, which are responsible for maintaining basic societal functions, must therefore reliably prevent such scenarios. In addition to protecting users with up-to-date identity & access management (IAM), the key is to prevent attackers from moving laterally through the network via compromised accounts and servers. This keeps the attackers from gaining additional rights, thus minimizing their damage potential. To do this, you need to protect privileged accounts with dedicated privileged access management (PAM).
How does PAM work?
One of the best practices for protecting identities and accounts has always been the “least privilege” principle. It ensures that authenticated users are granted as few privileges as possible: only those needed to perform the intended task. If attackers gain access to a user account despite all the protective measures, the maximum damage they can cause is limited by the privileges of the user in question. For example, if the user has read-only access to selected resources, the risk is relatively manageable. For optimum protection, it is also advisable to assign privileged roles (i.e., roles with particularly extensive rights) for a specific time window rather than permanently: just-in-time access. This way, the window in which a compromised account could misuse elevated rights, and with it the exposure of critical network functions, is kept to a minimum.
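To make the combination of least privilege and just-in-time access concrete, here is an added example (not code from the article or from any PAM product) of a minimal in-memory elevation broker: a user holds only standing read rights, may receive a time-boxed privileged role tied to a change ticket, and loses the extra rights automatically when the window closes. The role names, the 60-minute policy cap and the ticket format are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed for this example: standing rights are read-only, and a single
# privileged role ("dc-admin") bundles the rights a domain-controller admin needs.
STANDING = {"read:reports"}
PRIVILEGED_ROLES = {"dc-admin": {"read:reports", "write:dc-config", "reboot:dc"}}
MAX_WINDOW_MINUTES = 60  # assumed policy: no elevation may outlive one hour


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    ticket: str  # reference to the approved change or incident record


@dataclass
class PamBroker:
    grants: dict = field(default_factory=dict)  # user -> active Grant
    audit: list = field(default_factory=list)   # append-only audit trail

    def elevate(self, user, role, minutes, ticket, now):
        """Grant a privileged role just-in-time, bounded by the policy cap."""
        if role not in PRIVILEGED_ROLES:
            raise ValueError(f"unknown privileged role: {role}")
        if minutes > MAX_WINDOW_MINUTES:
            raise ValueError("elevation window exceeds policy maximum")
        grant = Grant(user, role, now + timedelta(minutes=minutes), ticket)
        self.grants[user] = grant
        self.audit.append(("elevate", user, role, ticket, now.isoformat()))
        return grant

    def effective_privileges(self, user, now):
        """Standing rights plus the role rights, but only inside the window."""
        grant = self.grants.get(user)
        if grant is None:
            return set(STANDING)
        if now >= grant.expires_at:  # expired: revoke and record it
            del self.grants[user]
            self.audit.append(("expire", user, grant.role, grant.ticket, now.isoformat()))
            return set(STANDING)
        return STANDING | PRIVILEGED_ROLES[grant.role]

    def authorize(self, user, action, now):
        allowed = action in self.effective_privileges(user, now)
        self.audit.append(("authz", user, action, "allow" if allowed else "deny", now.isoformat()))
        return allowed


def demo():
    """Same action before, during and after a 30-minute elevation window."""
    t0 = datetime(2021, 5, 7, 9, 0, tzinfo=timezone.utc)
    broker = PamBroker()
    before = broker.authorize("alice", "reboot:dc", t0)
    broker.elevate("alice", "dc-admin", 30, "CHG-0001", t0)
    during = broker.authorize("alice", "reboot:dc", t0 + timedelta(minutes=10))
    after = broker.authorize("alice", "reboot:dc", t0 + timedelta(minutes=31))
    return before, during, after
```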
What other measures are required?
The range of technological solutions that support companies with PAM is broad, and the strategies of individual manufacturers differ in many details. However, all solutions have some key components in common:
High-level (tier 0 or tier 1) resources, such as domain controllers, require the highest level of protection. As a result, most vendors grant privileged access to them only in an isolated environment and employ robust multi-factor authentication.
The IDs of SaaS admins and privileged business users are similarly well protected. Here, the focus is on robust password management strategies that enforce strong passwords and ensure automatic password changes.
Critical credentials for infrastructure accounts, DevOps accounts, and SSH key pairs should always be stored in secure vaults.
To ensure additional cyber resilience, many vendors recommend further measures such as red-team exercises, or enhanced auditing and reporting features.
Which solution suits us?
The ideal product for your company depends on a variety of factors: Is it a true greenfield project? Or do you already have standalone PAM solutions in certain areas, or even an enterprise-wide legacy solution with which you are not satisfied? What legal and compliance regulations apply to your systems? And do you prefer a cloud-native, hybrid, or on-premises approach? Experience shows that in-house teams often struggle to fully answer these questions. In this case, external advice can help them decide, say, whether CyberArk, Thycotic, or One Identity is best for their business.
It makes sense to call in a vendor-independent consultant or system integrator at an early stage, someone who is familiar with the products of the various manufacturers and can assess which solution will fit best into your architecture. iC Consult offers a no-obligation, free pre-workshop on PAM, in which we jointly explore the current status of your IT as well as your future requirements. This workshop includes:
Defining your key priorities and business goals for PAM migration
Looking at existing solutions and performing a gap analysis
Assessing the current PAM maturity level
Outlining existing dependencies for migration (such as looking at legacy systems and required customizations)
Developing a phased approach to managing privileged identities
You’ll receive a comprehensive overview of your PAM project, get to know our team – and take the first step on your PAM journey. Reach out to us at email@example.com or visit ic-consult.com/en/pam-journey/
In the coming days, we will share additional articles showing how the PAM journey differs in greenfield and brownfield scenarios.