IAM Sprint: Take Control of Privileged Credentials
07 May, 2024, by Stephen Swann
Could you say how many privileged systems and accounts exist in your organisation right now? Do you know who has access to what, when and (more importantly) what they are doing when they are in there?
Passwords are vulnerable, and shared passwords even more so. How can you protect this attack surface, and how do you mitigate the potential threat posed by insiders?
Within this sprint, you should aim to:
- Create a centralised view of privileged credentials via discovery
- Vault those privileged credentials
- Identify privileged users who require access to those credentials
- Optionally, switch on session recording for privileged credential usage
Ultimately, taking control of your privileged credentials can provide a tick in the audit box by demonstrating you are heading in the right direction with regard to establishing a principle of Zero Standing Privileges (ZSP).
The Warm Up
Even without a privileged access management tool, there is a certain amount of discovery that should be undertaken. Who is a privileged user? What is a sensitive system? What are privileged credentials? How are privileged credentials currently assigned and used? What regulatory compliance are you subject to?
However, with the right tool, the discovery of servers, applications, privileged credentials, and privileged users can be automated. You may even unearth some sensitive access rights that have been granted without your prior knowledge!
With the discovery information at your fingertips, you will be able to identify where the highest business risk exists and establish a priority list for switching on privileged access management controls.
You should also consider the kind of access request rules you want to enable. Most tools will have a rules-based wizard with best-practice rule definitions provided out of the box. These will cover things like: who has access to vaulted credentials; how vaulted credentials are checked out by a privileged user; how privileged credentials are to be used; how sessions are initiated; and how sessions are recorded and retained.
The Sprint
A tool such as IBM Security Verify Privilege Vault (ISVPV) provides the necessary functionality (and more) to address the needs of a PAM sprint and the SaaS version is perfect for a PoC.
Discovery is a point-and-click affair and can be as targeted as you need for the purposes of your sprint. Ideally, you will tackle a service and a set of privileged credentials that are used by a team of users who are sympathetic to your goals and can help you derive value and a baseline for a suite of BAU processes.
Vaulting credentials, defining credential rotation rules, and enforcing password complexity rules that go beyond any default policy you may have for end users are a must.
The sprint should also define credential check-out rules including any approval processing required. You could, time-permitting, switch on integration with your favourite service management tool to ensure tickets have been raised in advance of any request for check-out.
And of course, there is the session launch sequence that should be defined. Most PAM tools provide launchers, such as SSH Terminals or RDP handlers. These can even be configured in a manner that forces recording of privileged sessions for future forensic analysis.
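As an added illustration (not ISVPV code, nor anything from the original post), here is a small Python model of the check-out rules this sprint defines: entitlement to the vaulted credential, a mandatory change ticket, independent approval for high-risk accounts, a single time-boxed lease, an audit trail, and rotation of the secret on check-in so no standing password survives the session. Account and user names are constructed.

```python
"""Toy PAM vault: check-out rules, lease, audit trail, rotation on check-in.
Constructed example for illustration; not any vendor's implementation."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Lease:
    user: str
    ticket: str
    approver: Optional[str]
    expires: datetime


@dataclass
class VaultedCredential:
    account: str
    entitled_users: set            # privileged users allowed to check this out
    needs_approval: bool           # high-risk accounts need an independent approver
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    lease: Optional[Lease] = None
    audit: list = field(default_factory=list)   # (event, detail) tuples


def check_out(cred, user, ticket, approver=None, now=None, ttl_minutes=60):
    """Return the secret only if every rule passes; otherwise log and refuse."""
    now = now or datetime.now(timezone.utc)
    if user not in cred.entitled_users:
        cred.audit.append(("DENY", f"{user} not entitled to {cred.account}"))
        raise PermissionError("user not entitled")
    if not ticket:                                   # service-management integration
        cred.audit.append(("DENY", f"{user} supplied no change ticket"))
        raise PermissionError("ticket required")
    if cred.needs_approval and (approver is None or approver == user):
        cred.audit.append(("DENY", f"{user} lacks independent approval"))
        raise PermissionError("approval required")
    if cred.lease and cred.lease.expires > now:      # one active lease at a time
        cred.audit.append(("DENY", f"{cred.account} leased to {cred.lease.user}"))
        raise PermissionError("credential already checked out")
    cred.lease = Lease(user, ticket, approver, now + timedelta(minutes=ttl_minutes))
    cred.audit.append(("CHECKOUT", f"{user} ticket={ticket} approver={approver}"))
    return cred.secret


def check_in(cred, user):
    """End the lease and rotate the secret; returns True if rotation happened."""
    if cred.lease is None or cred.lease.user != user:
        raise PermissionError("no lease held by this user")
    old = cred.secret
    cred.secret = secrets.token_urlsafe(24)
    cred.lease = None
    cred.audit.append(("ROTATE", f"{cred.account} rotated after use by {user}"))
    return old != cred.secret
```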
A comprehensive suite of reporting tools is normally provided out-of-the-box – ISVPV has almost 100 such reports plus a comprehensive engine for developing custom reports, should they be required. The sprint should identify a core set of useful reports and have those shared with key stakeholders.
The Warm Down
The warm-down should analyse the success of the sprint, garner feedback from the key stakeholders involved in the sprint and work out a plan for rollout to a wider community.
Rollout to a wider community, however, means it is people, policy, and process time. And that means communication.
Don’t underestimate the impact a PAM solution will have on privileged users. Any change results in natural resistance, but the barriers that will be placed in the way of privileged users will result in grumbling. Every effort must be made to ensure that the privileged users truly understand the need to put those barriers in place. They need to understand that control and risk reduction are imperative.
The warm-down process should also attempt to identify any future third-party system integrations that would be beneficial such as:
- SIEM integration for security event monitoring
- MFA provider integration for strong authentication into the PAM service
- UBA integration for AI analysis of user behaviour
- IGA integration for formal processing of the creation of privileged user accounts
Finally, most organisations fail to produce a response plan should a privileged account be compromised. Many organisations are even unaware of the risks of such a compromise. The implementation of a PAM solution can go a long way to preventing such a compromise, but that certainly does not negate the need for a response plan. Write one now!