Privileged Access Management:
A Key Technology for Critical Environments
Closed gas stations disrupted flight schedules, a nationwide state of emergency: In May 2021, a ransomware attack on the Colonial Pipeline –which provides 45 percent of the East Coast’s fuel supply – plunged the region into chaos. The attack was orchestrated by hacker group DarkSide, who first stole around 100 GB of data, then compromised the billing system, and finally shut down the pipeline for good. Only after the payment of 75 bitcoin (at that time, around $4.4 million) did the company receive a slow decryption tool and was back up and running on May 12. That same day, President Joe Biden signed an Executive Order to strengthen cybersecurity to prevent such cases. But of course, companies can do a lot to protect themselves without executive help. At the top of the list: strong protection for identities and accounts, especially those with privileged access rights.
The Colonial Pipeline hack and the government’s prompt response illustrate how dangerous inadequately protected IT infrastructures are and why it is paramount to comprehensively control the access to these networks. This is especially true for critical infrastructures – i.e., organizations that are so vital that their destruction would have a debilitating impact on physical or economic security, public health, or safety. To prevent scenarios like the one above, more and more organizations are implementing Zero Trust strategies and protecting their users with powerful Identity & Access Management solutions. And they are right – a robust IAM strategy is a great foundation for a strong identity-centric security solution. But by itself, IAM will not prevent attackers or malicious insiders from moving laterally through the network via compromised accounts and servers to gain additional rights and maximize their damage potential. For this, dedicated Privileged Account Management (PAM) is required.
What is PAM?
When it comes to protecting identities and accounts, the so-called “least privilege principle” has always been an important best practice: It ensures that each authenticated user is only granted the minimum level of privileges sufficient to perform their intended task. This ensures that even if an attacker gains access to a user account, the maximum damage they can cause is limited by the privileges of the user in question: For example, if a user only has read access to selected resources, the risk is relatively manageable. For optimum protection, it is also recommended to assign privileged roles (i.e., roles with particularly extensive rights) only for a brief period and never permanently. This just-in-time access will help companies minimize the attack surface of critical network functions.
Additional Recommended Measures
Most vendors support this basic PAM solution with a wide range of additional technologies, and at first sight, the strategies of the manufacturers differ in many details. However, closer examination reveals many common traits and key components:
- High-level Tier 0 or Tier 1 resources, such as domain controllers, require the highest degree of protection. As a result, most vendors grant privileged access to them only in an isolated environment and protect access with robust Multi-Factor Authentication.
- Equally strict are the requirements to access the identities and credentials of SaaS admins and privileged business users. Here, the focus lies on robust Password Management strategies, e.g., enforcing strong passwords and automatic regular password changes.
- It should always be possible for critical credentials for infrastructure accounts, DevOps accounts, and SSH key pairs to be stored in secure vaults.
- To ensure additional cyber resilience, most vendors recommend further measures such as red team exercises or enhanced auditing and reporting features.
Which Solution Fits Best?
When evaluating the PAM market for the first time, the wide selection of available solutions can look a bit intimidating. To find the right product for their organization, identity leaders should ask themselves the following key questions:
- Which assets and accounts are we looking to protect? Which specific risks are we looking to mitigate?
- Are we facing a true greenfield project? Or do we already have standalone PAM solutions in use in certain areas or even an enterprise-wide legacy solution with which we are not satisfied?
- Which legal and industry compliance regulations do we have to consider?
- Do we favor a cloud-native, hybrid, or on-premises approach?
Experience shows that internal teams often struggle to fully answer these questionnaires and to finally decide, without external advice, whether CyberArk, Delinea or One Identity, to name a few, are the best fit for their business.
Start Your Project with a Workshop
Therefore, it is often worthwhile to discuss the project with a vendor-independent consultant or system integrator at an early stage. They should be familiar with the products of various leading manufacturers and help assess which solution will fit best into an organization’s architecture. For a successful kickoff, a comprehensive, free PAM workshop is recommended to explore the status quo and define concrete goals for the project. It should help:
- define key priorities and business goals of the PAM migration
- evaluate existing solutions and analyze existing performance gaps
- assess the current PAM maturity
- outline existing dependencies (e.g., legacy systems and required customizations)
- develop a structured PAM approach
This kind of workshop will help the organization grasp the project in all its complexity, ensure support from all relevant stakeholders and, thus, set the course for successful implementation. If you are interested, reach out to us via our contact form or visit our PAM Journey page for further information.
As a prime target of multiple modern cyberattacks, privileged accounts require special attention and dedicated protection. Strong Privileged Access Management (PAM) ensures that users are always only granted a minimum level of privileges for their specific task and provides additional protection layers like Multi-Factor Authentication, strong Password Management and Secure Storage Vaults for critical keys. PAM migration is a complex task, though, and internal security teams should strongly consider onboarding an external specialist to set the stage for a successful implementation.