Privileged Access Management or PAM helps solve a core fundamental Infrastructure concern for organisations.
Credentials and the ‘secure’ part of a credential (the Password) are most often the only information needed for an attacker to breach your network. The Password used for each user and service within your organisation is all that often stops your data from being accessed from an unwanted intruder as the user account details are most often easily guessed from email addresses etc.
Because the password is so important it is critical to rotate these passwords on a regular basis, in a corporate Active Directory you will be required to change your password every 30/60/90 days in most cases.
As your next password will have to be unique and as most humans are not password memory monsters, we simply add a 1 or the next number to the password!! – PAM doesn’t solve this ISSUE though – That would be MFA (read here for more).
Always make sure your user accounts do not have any Administrative rights, either on the workstation or to the companies Infrastructure……
This is what PAM solves; the admin account problem – as all account passwords need to be managed how do you do this, the administrative accounts issue is where PAM is your answer.
The Admin accounts for your business may be accounts used to manage the Active Directory domain or the Microsoft Office 365 admin console but these accounts are also “Hidden”,in plain sight, throughout your infrastructure, some of these will be remote access accounts, like what was used to breach Colonial Oil in 2021:
In addition administrative accounts will often be used for application servers which must connect to other services like Databases, cloud services or other application servers. These connections use a credential to connect to the reciprocal services and often this account password is not rotated ever, even worse is that the credential may be stored as a non encrypted file on a file system and or passed over a network in a clear text format meaning that it can be easily discovered.
What is a PAM solution comprised of?
It depends on the solution that is used but typically a PAM solution has the following components:
Vault – this is where the credentials are stored in a secure and encrypted fashion. This may be a stand alone appliance, SaaS application or application on a client or server (least secure).
Web interface – for clients to access data in the vault they will connect to the web interface and be authenticated to the vault using a directory service or internal vault account login.
API interface – for applications and services to connect to the PAM solution, they will connect often through an API, this may be part of the Web application.
Agents – for managing credentials on workstations and servers an agent may be used. This Agent may reset the passwords after each use by an admin so that the password is never a known value. An agent may also be used for applications that do not have anyway for passwords to be managed natively by the PAM solution, in which case the agent might work as a screen scraper and replay the credentials into a dialog window.
How does a PAM solution work?
It depends on the organisation deploying a PAM solution and what they hope to achieve with credential management.
In an ideal world a PAM solution with all “functions” turned on may:
- Manage all admin credentials (users can “check out” a credential when they need to use it)
- Provide full auditing and reporting on all use of each credential
- Rotate passwords on credentials as they are “checked in” to the system, ensuring that users never know the passwords
- Discover new admin accounts and secure on a regular basis, ensuring no backdoor accounts exist.
- Manage credentials on many platforms: Workstations, Servers, Service Accounts Applications, SaaS, SaaS, PaaS etc
- Guide the users access to the target platform through managed Sessions (Terminal server or SSH) that is recorded during use and also limits what can be done during the session.
- Securely lock away credentials so that no one has access without going through the appropriate process to request and use
- Provide workflow processes to allow different credentials to require further approvals if necessary.
And finally; how does this help my organisation?
Attackers always use a credential to access data, therefore securing credentials is critical to ensuring your business security. PAM is the tool that ensures that even during breach (if you are unlucky), accounts etc that are targeted by a malicious attacker are not left usable for a long period of time.
Even new accounts that may be created to maintain persistence will be also discovered and have their passwords reset, as occurs in a lateral attack.
Privileged Access Management is a cyber security tool that should always be considered and we recommend very strongly that PAM is implemented for all Medium sized businesses and above.