Some Thoughts about Privileged Identity Management and Privileged Account Management

Some Thoughts about Privileged Identity Management and Privileged Account Management

Flavio Gerbino
by Flavio Gerbino
time to read: 12 minutes

Privileged Identity Management (PIM) is a domain of Identity Management. It focuses on the particular requirements of privileged accounts in the IT environment of a company. Among them are admin, root and super-user. PIM is also referred to as an information security and governance instrument in order to support companies to fulfil legal and regulatory compliance requirements (such as FINMA in Switzerland, PCI-DSS and so on). In addition to that, PIM helps to hinder attackers from using privileged accounts in order to misuse internal data. And if that doesn’t work, then PIM should at least help to detect and document the misuse.

Typical regulations for handling privileged identities and users as well as accounts are, depending on the branch you work in, stated in specific standards and regulation documents as well as laws. The list at the end of this article serves as a basic list of what could be important for your environment when it comes to laws.

Terminology

Vendors talk about these products using various terms. Subsequently, there is a lot of confusion when it comes to PIM. These days, the term P x M has established itself, whereas x is often used as a placeholder for Access, User, Account, Identity or Password.

A subset of PIM is Privileged Account Management which is what we’ll talk about in this article.

PAM Content - Click to Enlarge

Privileged access and the control of the administrator account is a permanent field of interest and a constant source of worry in a company. Constantly rising requirements in terms of compliance require even more attention to this. They demand that companies force measures that protect, manage and control critical accounts and passwords.

Unmonitored root, admin and superuser accounts as well as other privileged accounts can lead to loss or theft of sensitive company data. And these accounts can be used to get malware into the system that compromise security. Increasingly tight laws and regulations require the aggregation of data and event management information. This requires the ability to identify and elimination of internal threats that can appear with the use of privileged accounts.

This means that companies have to be able to provide privileged access on request using a least privileges and need to know basis. This in turn requires a basis of specific roles. Generally, access should only be given to necessary systems for a predetermined amount of time.

The optimal approach to PAM solutions has accountability and granular access control at its core.

This creates a framework of least privileges. Administrators only gain access to necessary tools. And only by request and only when they need said access.

This requires checks and balances:

This process requires some steps as a preset before a PAM tool can be considered:

  1. There needs to be a policy. It specifies how privileged accounts are managed and what the owners are permitted to do
  2. The development and integration in a security management framework. The frameworks defines people responsible for keeping in line with the policy
  3. Systematic and consequent inventory of privileged accounts. This gives overview over:
    • Accounts
    • Roles
    • Groups
    • Functions
    • Persons
  4. Use tools suitable to management and implement sensible and pragmatic processes that are based on everyday practises.

This way a company can better protect their data and systems from privileged access and avoid security breaches. Failing that, the breaches are at least identified and comprehensibly documented. In addition to that, the rising requirements can be met.

This is a rough summary of PAM. It is a combination of:

This takes care of Audit Trail and Session Recording when privileged users access a system on the basis of least privileges. In short: PAM can reestablish control over an un-culture of privileged access.

This un-culture has quite some risks:

A sensibly implemented PAM system can be a means to lessen the risk or to even eliminate it. It does this by paying attention to the following points:

Overview Main Functions

In a PAM, the following core functionalities need to be considered:

This is how privileged password management and privileged session management works:

Sequence in PPM/PSM - Click to Enlarge

Context of functions and users in connection with a PAM system. Here’s how accounts in a PAM environment can be structured:

Factors of Account Management - Click to Enlarge

PAM Technology has to adapt to the needs of the privileged account. This include:

A Note Concerning Session Recording

Session Recording has found its way into many companies. It is popular in the frame of PAM solutions. However, session recording brings its own share of problems that are often ignored which is why I want to mention them specifically. Because the trend to record sessions extensively can have its disadvantages:

There is a significant risk of disinformation by the exponential growth of amounts of data as well as a steadily rising use of storage. Costs and use can exceed the use of the recorded data. The affinity for classic system logging can be used to find the relevant data in records

Summary

There’s rising pressure in daily practice to log who did what when and why precisely and succinctly. This is even more of a pressing issue when it comes to privileged accounts. Add to that the rising requirements regarding revision safety of IT activity as well as the current laws and regulatory requirements such as FINMA, PCI-DSS et cetera. It is not enough to deploy a technical solution without systematically and specifically plan internal and external requirements. Validating primary drivers needs to be enforced before deployment of a PAM framework. As usual, the technology the PAM is based on needs to be taken into account. But even more important is the proper implementation of processes to control a PAM solution. Do not underestimate the initial effort.

Annex

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here