Today the security landscape has changed and it's moving faster than ever, leading to a whole new set of security and business challenges. Domain admins have become Tenant Admins; service accounts have become bots; local data centers have become cloud containers, workloads, and services. Global companies must restrict access to PII based on geographic location (GDPR), not just job function. More and more applications’ privileged access is defined by “limits” of what users can perform with the access they already have and need (meaningful use).
With all these new challenges and cyber insurance rates that are only accelerating daily, so many organizations are still just vaulting passwords for root/domain admin and calling it done. Organizations need to know the ins and outs of how privileged access is used throughout the cloud and on-premises.
For more traditional on-prem privileged access management (PAM) use cases, such as managing “dash A” accounts across workstations, groups, and applications, many PAM solutions will check the box by vaulting the passwords just like the root/domain admin use case. However, this leads to a glaring issue - the access is always there and always an attack surface. Even if the account is no longer needed or not actively in use, it sits as a potential doorway to be leveraged by attackers.
This is not the only area in which traditional PAM falls short. Another area is the proliferation of hardware requirements in the form of jump-boxes. This additional hardware requires administrative oversight and adds further complication, slowing down privileged users doing their jobs. When security solutions make work cumbersome, end-users find ways to circumvent it.
Traditional PAM also does not adequately meet the needs of discovery processes across the network. As new servers and products get added, they require intervention to be integrated with the PAM solution. This is especially so with workstations where their ownership inventory frequently changes. Updating the PAM manually does not scale, so assets get missed without proper discovery.
When it comes to modern cloud use cases, one approach uses the tools that come natively with the new technology landscape. Multiple cloud infrastructure providers have some solutions, but it’s in the early stages. They provide a built-in “just enough” PAM that is really just PIM (Privileged Identity Management).
While this is a nice feature, it tends to lead to a new-old problem, role management. Should these roles be managed by the infra team, IT, security, dev-ops, or someone else? The short answer is the business which includes all the groups listed prior. But perhaps, other questions need to be considered that are equally important.
Are the roles right-sized for the organization, department, or group using them in a “least privilege” approach?
Are people using the roles effectively, or are they consistently using the “catch-all” role?
Can we monitor activity to ensure only the correct people are using the roles?
Least privileged is genuinely something to strive for, yet it is tough to achieve without looking at the cumulative access and understanding how it is being used. When organizations compare what access is being used against what access is provided, they find that many users/service accounts are severely over-provisioned. This excess privileged access is often identified by evaluating nested Active Directory groups that have grown organically over time.
One method of dealing with over-provisioning access is to circumvent it using “zero-standing privileges.” Rather than access being permanently granted for assets, it instead is evaluated and granted on an as-needed basis with automatic expiration of access rights. This solution is highly effective when implemented correctly, though it can create an excess of administrative overhead if the wrong solution is selected.
Alternatively, another idea to improve the security of privileged and end-user access was risk-based authentication. While this can be a valuable tool, it has led to an onslaught of mobile app authenticators providing 2FA and passwordless features as part of the risk-based authentication. I, for one, enjoyed the first mobile app authenticator I used, but I am now up to 4 currently installed on my phone, not counting SMS messages.
With all of the challenges and pains around the Privileged Access landscape, is there anything that can be done? YES, THERE IS! But it is not as simple as buying product X, and all your problems will disappear. Every organization has different challenges, requirements, and, most importantly, different risk tolerances they are willing to accept. There are multiple great solutions on the market that serve various purposes and provide additional benefits. Some of the features to consider in a modern PAM solution are as follows.
Continuous Scanning
Cross-Cloud Discovery
Zero Trust/Just-in-time (JIT) PAM
Identity and prevent lateral movement
Enable Cloud/DevOps
ServiceNow integration
IGA Solution integration
With the right Cloud PAM solution, your organization can take control of access management in your organization and go beyond an expensive password vault. With a modern Cloud PAM solution, your organization will gain in-depth insight into how privileged access is utilized in your organization and have the tools to manage it. This reduces the risk of privileged access management in the organization and the cost of cyber insurance.
With so many questions to answer and features to choose from, finding the right-fit Cloud PAM solution is not easy. Legion Star is here to help. Legion Star offers a rapid advisory assessment to help organizations identify risks within their privileged assets and how these processes fit into a broader cyber security access control framework.