
Page 1: Privileged Access Management (PAM)

Harnessing Privileged Access Management (PAM) to Defend Core Digital Assets Against a Breach

By Dan Blum, Doug Moench and Doug Simmons

October 16, 2015

Copyright (c) 2015 Security Architects, LLC

Page 2: Privileged Access Management (PAM)

Today’s Speakers

Dan Blum, Principal Consultant
Expert in security, privacy, cloud computing and identity management. Ex-Gartner Golden Quill award-winning VP and Distinguished Analyst. Founding partner of Burton Group.

Doug Moench, Senior IAM and Security Consultant
CISSP specializing in Security and Risk Management strategies and architectures, identity management solutions, and federation technologies. Over 30 years’ experience documenting current-state environments and developing recommendations for improving infrastructure.

Doug Simmons, Principal Consultant
Focuses on IT security, risk management and IAM. Has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Page 3: Privileged Access Management (PAM)

Why PAM?

Source: Information is Beautiful (breach visualizations)

Many of these could have been prevented or delayed.

Page 4: Privileged Access Management (PAM)

A Clear and Present Danger…

Common attack paths are too bloody easy. At least make the attackers work for it!

Page 5: Privileged Access Management (PAM)

About Us

• We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions.

Clients: Enterprise Security Teams, Cloud service providers (CSPs), Other Audiences

Areas of Expertise: Cloud Security, Identity and Privacy, Endpoint Security, Cyber Security

Page 6: Privileged Access Management (PAM)

Our Services

Consulting Services: Security Assessments, Security Architectures, Custom Consulting, Security Workshops

Page 7: Privileged Access Management (PAM)

What is PAM?

• Privileged Account Management (PAM): a set of technologies that allow organizations to identify, secure, and monitor accounts that have elevated privileges in order to minimize risks and ensure compliance.

• PAM is also sometimes referred to as: Privileged User Management, Privileged Identity Management, Privileged Access Management

Page 8: Privileged Access Management (PAM)

Privileged Accounts are the Oil that Lubricates IT

Love them or hate them, you can’t run IT without them.

Privileged account types: Root and admin, Network admin, Domain admin, DBA, Other “superusers”, Shared accounts, Service accounts*

What they’re for: NOS devices, DNS/DHCP servers, Firewalls, Routers and switches, Domain controllers, Virtual machine admin, IaaS, Databases, applications

What they do:

• Operations: start/stop services, run jobs, or generate reports

• Configuration, updates, maintenance, patches, tuning, troubleshooting

• Develop applications, administer applications, connect applications

* For apps!

Page 9: Privileged Access Management (PAM)

PAM Business Drivers

• Reduce risk of breaches

• Compliance drivers

– Maintain internal control

– PAM specifically mentioned in PCI DSS, SOX, NERC/CIP, and some local/regional regulations

– Simplify auditing and reporting

– Detect/prevent Separation-Of-Duties (SOD) violations

Page 10: Privileged Access Management (PAM)

Core Features

• Password vault

• Fine-grained privilege control

• Session manager

• Application credential management

Ancillary Services: Discovery Services, Role Management, Policy Engine, Logging and Auditing

Platform flexibility: Physical and virtual platforms, Local or cloud-based, Remote session protocols

Holds PAM accounts, managed credentials, policies, logs

Other considerations: Availability and performance

Page 11: Privileged Access Management (PAM)

PAM Architecture Pattern

Page 12: Privileged Access Management (PAM)

Password Vault

• Contains accounts for privileged users

• Contains policies for managed resources

• Encrypts and stores passwords, SSH keys, policies and logs

• Allows users to check-out/reserve a credential

• Changes credentials on managed resources after use

• Provides management console for centralized policy administration

• Deployed as software on a physical server, virtual machine, or appliance

Diagram: Privileged User and Admin Credentials; Vault Admins; Passwords/SSH Keys.

Must be hardened! Must maintain high availability!

Page 13: Privileged Access Management (PAM)

Session Manager

• Session management mechanisms to control access to resources

• Enables monitoring, logging, and recording of administrative activities

• Role management and policy enforcement capabilities, SOD rules

• Generate alerts for policy exceptions

• Emergency access mechanisms to bypass normal operations when needed.

Diagram: policy inputs are Roles, Policies, SOD Rules, Filters and ACLs; Session Management (RDP, SSH, VNC, PCoIP, NX) sits between Privileged Users/Admins and Target Resources (Network, Systems); Logging and Recording feed SOC Monitoring.
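The policy checks the session manager bullets describe (ACLs, a protocol filter, SOD rules, alerts for policy exceptions, and an emergency "break glass" path), as an added Python example. It is not code from the slides or from any PAM vendor's product; the request model, the role names, the targets and the SOD pair are constructed for illustration, and the protocol filter uses the remote session protocols the slide lists.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SessionRequest:
    """A privileged user asking the session manager for a session (constructed model)."""
    user: str
    role: str
    target: str
    protocol: str
    break_glass: bool = False  # emergency access: bypasses the ACL, never SOD or the filter


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why the request was denied
    alerts: list = field(default_factory=list)   # policy exceptions to forward to SOC monitoring


class SessionManager:
    """Evaluates a protocol filter, ACLs and SOD rules, and logs every decision."""

    # Remote session protocols named on the slide; anything else is refused.
    PROTOCOL_FILTER = {"RDP", "SSH", "VNC", "PCoIP", "NX"}

    def __init__(self, acls, sod_rules):
        self.acls = acls                                           # {role: {target, ...}}
        self.sod_rules = {frozenset(pair) for pair in sod_rules}   # role pairs one user may not combine
        self.role_history = {}                                     # user -> roles already exercised
        self.session_log = []                                      # (user, role, target, protocol, allowed)

    def authorize(self, req: SessionRequest) -> Decision:
        d = Decision(allowed=True)

        # Filter: only approved remote session protocols may be brokered.
        if req.protocol not in self.PROTOCOL_FILTER:
            d.allowed = False
            d.reasons.append(f"protocol {req.protocol} is not permitted")

        # ACL: the role must be entitled to the target, unless this is emergency access,
        # which is allowed but always raises an alert for review.
        if req.target not in self.acls.get(req.role, set()):
            if req.break_glass:
                d.alerts.append(f"BREAK-GLASS: {req.user} used {req.role} on {req.target}")
            else:
                d.allowed = False
                d.reasons.append(f"role {req.role} has no ACL entry for {req.target}")

        # SOD: deny if this user already exercised a conflicting role, and alert on the attempt.
        for prior in self.role_history.get(req.user, set()):
            if frozenset((prior, req.role)) in self.sod_rules:
                d.allowed = False
                d.reasons.append(f"SOD: {req.user} already acted as {prior}")
                d.alerts.append(f"SOD violation attempt by {req.user}: {prior} + {req.role}")

        if d.allowed:
            self.role_history.setdefault(req.user, set()).add(req.role)
        self.session_log.append((req.user, req.role, req.target, req.protocol, d.allowed))
        return d


def build_demo_manager() -> SessionManager:
    """Constructed sample policy: three roles, one target each, one SOD pair."""
    acls = {"dba": {"db01"}, "netadmin": {"fw01"}, "developer": {"app01"}}
    sod_rules = [("developer", "dba")]  # whoever writes the code must not also administer its data
    return SessionManager(acls, sod_rules)


if __name__ == "__main__":
    mgr = build_demo_manager()
    for req in (
        SessionRequest("alice", "developer", "app01", "SSH"),
        SessionRequest("alice", "dba", "db01", "SSH"),          # SOD conflict with her developer session
        SessionRequest("bob", "netadmin", "fw01", "telnet"),    # unapproved protocol
        SessionRequest("carol", "dba", "fw01", "RDP", break_glass=True),
    ):
        print(req.user, req.role, req.target, mgr.authorize(req))
```

The SOD check here keys on roles a user has already exercised through the session manager; a real deployment would scope that history to a time window or change ticket, and would also feed the denied attempts, not only the alerts, to the SIEM.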

Page 14: Privileged Access Management (PAM)

Fine-Grained Privilege Control

• Establish more granular filters to limit administrative activities.

• Often includes agents installed within clients or target servers (similar to desktop management or AD Bridge tools).

Diagram: a server agent on the target infrastructure resources (network, systems) enforces fine-grained privileges; a client agent on the privileged users’/admins’ side is used for some apps (e.g. Active Directory).

Page 15: Privileged Access Management (PAM)

Application Credential Manager

• Identify, store, and rotate application credentials and SSH keys in the password vault

• Eliminate the need to hard-code authentication information

– Use a simple API call instead

• May support caching to minimize performance impacts

• Commonly supported interfaces and protocols include:

– HTTP and HTTPS

– SOAP/XML

– Java

– VBScript

– C/C++

– PowerShell

Diagram: applications obtain credentials (UserID/Password, SSH keys, other credentials) from the password vault by API call and keep them in a local cache; the vault handles secure key exchange and PW/key rotation against the target resources (network, systems).

Page 16: Privileged Access Management (PAM)

PAM Market Landscape

• Relatively small niche, but growing rapidly: ~$500 million annually, 32% growth rate

• Market leaders (in share + core features): BeyondTrust, CA, CyberArk, Dell, Lieberman Software, Xceedium

• More market players around the world

• Differentiators: High availability, platform + multi-tenancy support, workflow integration and SoD features, credential management, SIEM integration, session recording features

Page 17: Privileged Access Management (PAM)

The PAM Map

Vendors shown on the map: Hitachi ID Systems; BeyondTrust, CA, Centrify, Dell, Enforcize, IBM, Lieberman, ManageEngine, Micro Focus, ObserveIT, Oracle, SecureLink, Thycotic, Xceedium; CyberArk; Raz-Lee Security; Pitbull Software; Wallix; Osirium; Balabit; MasterSAM; Applecross; SSH Communications Security; NRI Secure; Arcon

* Some names shortened, or omitted for space. Source: Gartner list of 2015 PAM vendors.

Page 18: Privileged Access Management (PAM)

Deploying PAM: Key Issues

• Getting and keeping stakeholder buy-in

• Creating high availability, disaster recovery and “break glass” procedures that work

• Integrating with identity, workflow and monitoring infrastructures

• Phasing in functionality on your schedule rather than the vendor’s

• Locking in favorable professional services and product support

Page 19: Privileged Access Management (PAM)

Getting and Keeping Stakeholder Buy-in

“Nobody implements our product because they want to. They do it because someone is telling them they have to.” – Philip Lieberman, in an informal conversation with us, about 4 years ago

Recommendations

– Follow ALL recommendations in coming slides to make PAM as transparent as possible for IT and the business

– Involve IT and business stakeholders and representatives from all affected teams in project phasing and process development

– Develop a communications and support package for all privileged users and administrators that will be affected

Page 20: Privileged Access Management (PAM)

Maintain High Availability

• Eliminate single points of failure

• Deploy a high-availability password vault

– Active-active or active-passive failover, stretch cluster or PAM replication across sites

– Create and test DR plans

• Estimate and measure usage, size appropriately, and use load balancers for all PAM components

• Have “break glass” processes to keep IT running in the event any part of PAM fails

• Prevent or detect any abuse of “back doors”

Page 21: Privileged Access Management (PAM)

Other Critical Recommendations

• Thoroughly plan and design integration with identity, workflow and monitoring infrastructures

• Phase in functionality on your schedule, not the vendor’s sales quotas

– Calibrate phasing to your infrastructure maturity level

• Lock in favorable professional services and product support terms

Page 22: Privileged Access Management (PAM)


Conclusion

• PAM deployments can range from basic password vaults to advanced application hardening, session monitoring and analytics

• Although the market is relatively mature, few enterprises have deployed the technology outside niches to their full IT environment

• Don’t over-reach or you’ll get thrown on the defensive with internal constituencies

• The good news: An effective PAM deployment is likely to resolve some of your audit and compliance issues – as well as prevent many breach scenarios

Page 23: Privileged Access Management (PAM)


Open Q&A

Security Architects, LLC

http://[email protected]

+1 (301) 585-4717