Privileged Account Management
Administrative Accounts—Securing the keys to the kingdom!
PHILIPP REISINGER, SBA RESEARCH
Contents
1 Introduction .............................................................................................................................................. 3
2 Executive Summary................................................................................................................................ 5
3 Risks of Privileged Accounts .............................................................................................................. 6
4 What is PAM? ............................................................................................................................................ 7
4.1 Main Functionalities ..................................................................................................................... 7
4.1.1 SAPM ......................................................................................................................................... 8
4.1.2 PSM ............................................................................................................................................ 9
4.1.3 SUPM ......................................................................................................................................... 9
4.1.4 AAPM ......................................................................................................................................10
4.2 Additional Capabilities ..............................................................................................................10
4.2.1 Auto-discovery ....................................................................................................................10
4.2.2 AD Bridging ..........................................................................................................................11
4.2.3 Session Transcription, OCR and the ability to search logs ...............................11
4.2.4 “Threat Analytics” ..............................................................................................................11
4.2.5 Dual Control—Four-eye-principle ..............................................................................11
4.2.6 Advanced Authentication Support .............................................................................12
4.2.7 Cloud and Hypervisor Integration ...............................................................................12
4.2.8 SIEM Integration ................................................................................................................12
4.3 Implementation Possibilities ..................................................................................................13
5 PAM Vendor and Cost Overview .................................................................................................... 13
5.1 Important Vendors .....................................................................................................................13
5.1.1 CyberArk ...............................................................................................................................13
5.1.2 BeyondTrust ........................................................................................................................13
5.1.3 ObserveIT ..............................................................................................................................14
5.1.4 Thycotic .................................................................................................................................14
5.1.5 CA Technologies .................................................................................................................14
5.1.6 BalaBit ....................................................................................................................................14
5.1.7 Wallix ......................................................................................................................................14
5.1.8 Dell ...........................................................................................................................................14
5.1.9 Hitachi ID Systems.............................................................................................................15
5.1.10 Arcon .......................................................................................................................................15
5.2 Vendor Map ....................................................................................................................................15
5.3 Cost Estimate .................................................................................................................................16
6 Side Topics .............................................................................................................................................. 16
6.1 Reporting and Review of Accounts ......................................................................................16
6.2 Logging and Monitoring ...........................................................................................................17
6.3 PAM High Availability ................................................................................................................17
6.4 PAM Security .................................................................................................................................18
6.5 Privileged Third Party Access ................................................................................................18
6.6 Administrator Guideline ...........................................................................................................18
6.7 Dealing with Objections against Recording Capabilities ............................................19
7 Appendix .................................................................................................................................................. 20
7.1 List of References ........................................................................................................................20
7.2 List of Tables .................................................................................................................................20
7.3 List of Figures ................................................................................................................................20
7.4 List of Listings ...............................................................................................................................20
8 Literature ................................................................................................................................................. 21
1 Introduction
Privileged Account Management (PAM), often also referred to as Privileged Access (or
Identity) Management, is an important topic which has lately been receiving increasing
attention. It deals with the controlling, securing, managing and monitoring of
privileged accounts. Due to their far-reaching and often unlimited capabilities and system
access possibilities, administrative and service accounts are highly critical and play a key
role in the security posture of every organization. With that in mind, it is not surprising
that privileged accounts are often referred to as “keys to the kingdom”.
Most of today’s severe cyberattacks and data breaches involve the abuse, compromise or
exploitation of administrative accounts. Privileged accounts are frequently abused, e.g., in
APT attacks for moving laterally through a victim’s network; they furthermore play an
important role regarding insider threats.
One prominent example of the “power” of privileged accounts is the data leak initiated
and executed by Edward Snowden, who was a system administrator and used his privileged
position to accomplish one of the highest-impact data breaches in recent history.1
The control of privileged accounts is a common audit requirement and an essential
component of various compliance mandates, which further underlines their importance and
the need to manage and secure them appropriately.
Main functionalities and features of PAM technologies include:
- secure centralized storage and management of account credentials
- controlling access to shared accounts
- recording and monitoring of privileged activities
- control and limitation of commands which can be executed by administrative users
- removal of privileged credentials from configuration files or scripts
Today PAM is most prevalent in the financial, insurance and IT services industry where it is
used to control, monitor and log administrative activities in order to comply with
regulations like PCI DSS or ISAE 3402. IT service providers—managing the infrastructure
for multiple customers—also leverage PAM capabilities in order to create an audit trail and
to provide customers with assurance and visibility (who has access and which actions are
performed).
1 https://en.wikipedia.org/wiki/Edward_Snowden#NSA_sub-contractee_as_an_employee_for_Dell
Questions?
If you have any questions or comments regarding this document, feel free to contact me.
Philipp Reisinger
SBA Research gGmbH
+43 1 505 36 88 – 1305
2 Executive Summary
Potential abuse and exploitation of administrative accounts as well as regulatory
requirements are pressuring enterprises to secure their privileged accounts. In the wrong
hands, privileged accounts can represent one of the biggest threats to an enterprise’s
security since far-reaching and often unlimited capabilities are associated with them.
Their capabilities can for example be used to override security measures, breach data,
perform unauthorized or malicious changes or transactions, and hide those activities by
deleting audit logs.
Privileged accounts exist in every organization and in many forms and shapes. Examples
span from the root account in Unix or Linux environments or Windows administrator
accounts (be it local or domain-wide) to accounts used for the administration of databases
or applications to accounts for network devices, security technologies, cloud platforms or
third parties and vendors.
PAM deals with the critical tasks of controlling, securing, managing and monitoring
these privileged accounts. Therefore, main functionalities and features of PAM
technologies include:
- discovery of privileged accounts
- secure centralized storage and management of account credentials
- automatically changing account credentials at regular intervals
- controlling access to shared accounts
- providing access to shared or administrative accounts without permanently
  disclosing the password
- recording and monitoring of privileged activities
- control and limitation of commands which can be executed by administrative users
- removal of privileged credentials from configuration files and scripts
Control and management of privileged accounts is an important topic covered by many
standards and recommendations, for example ISO 27001/27002, NIST SP 800-53, PCI DSS
and the CIS Top 20 Critical Controls.
This whitepaper provides an overview of the topic of Privileged Account Management, a
description of the technical capabilities and features offered by common solutions as
well as a list of vendors and pricing scenarios.
“The misuse of administrative privileges is a primary method for attackers to spread inside
a victim’s network.” (CIS Critical Security Controls)
3 Risks of Privileged Accounts
Due to their often unlimited capabilities and system access possibilities, administrative
and service accounts are highly critical and play a key role in the security posture of every
organization.
Most of today’s severe cyberattacks and data breaches involve the abuse, compromise and
exploitation of administrative accounts. Risks associated with the abuse or misuse of
privileged accounts are manifold and include, but are not limited to, the following
points:
- Insider Threat
  o data theft (the Snowden as well as the Bradley Manning leaks are two of the most
    prominent examples)
  o theft of trade secrets
  o unauthorized access, modification or deletion of critical information
  o placement of logic bombs2 in scripts or applications
- Overriding Security Measures
  o usage of privileged accounts to override or disable security measures
- Manipulation of Audit Logs
  o Administrative access can be abused to manipulate audit logs and hide malicious
    activities.
- Malware Abusing Privileged Accounts
  o Malware can cause much more damage if executed with elevated privileges.
- Compromise and Abuse by Hackers
  o Privileged accounts are one of the main targets of hacking activities.
- Usage for Lateral Movement in APT Attacks3
- Uncontrolled Access and Lack of Oversight over Persons Having Access to Privileged
  Accounts
  o In many organizations it is not clear who (of the many individuals) has access to
    administrative accounts or which privileged accounts even exist within the
    infrastructure. This is especially a risk if these accounts are used in a generic,
    non-personalized way (shared administrative accounts), which causes (adverse)
    changes to be overlooked and to be untraceable to a specific person.
- Third Parties or Vendors with Capabilities for Privileged Access
  o Often third parties or vendors have privileged access to an organization’s
    applications or infrastructure. The Target breach is a good example, in which
    credentials of a vendor responsible for HVAC maintenance were used for the initial
    compromise.4
2 A famous example is the Fannie Mae logic bomb: On October 24, 2008, a UNIX engineer at Fannie Mae named Babubha Makwana was informed that he would be let go from the company at the end of the day. Rather than following best practice of immediately revoking all system access and escorting him from the building, Fannie Mae allowed Makwana to stay on site and finish the work day. During this time, he created a series of scripts that could have caused enormous damage to the company upon execution by first disabling monitoring and then disabling all system access to Fannie Mae’s 4,000 servers, finally wiping all data from the servers and their backup systems. The code that should launch the series of scripts—which was set to trigger on January 31, 2009—was embedded in a key script that ran every morning. Fortunately for Fannie Mae, another engineer found the embedded logic bomb before it went off and alerted the authorities. (Source: https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890); for more examples see http://www.infoworld.com/article/2621894/it-management/it-admins-gone-wild--5-rogues-to-watch-out-for.html
4 What is PAM?
Privileged Account Management (PAM) deals with the controlling, securing, managing
and monitoring of privileged, administrative, shared and service accounts which are
highly critical in regard to the security posture of a company.
Privileged accounts exist in every organization in many forms and shapes and include
for example the root account in Unix or Linux environments, Windows administrator
accounts (local or domain-wide), accounts used for the administration of databases or
applications as well as accounts for network devices, security technologies, cloud
platforms or third parties and vendors.
4.1 Main Functionalities
According to the Gartner Market Guide for Privileged Access Management5, there are four
main functionalities of PAM solutions:
- Shared account password management (SAPM): Securely store and manage account
  passwords and control access to shared accounts.
- Privileged session management (PSM): Establish privileged sessions to multiple systems
  (often leveraging SSO) and/or monitor as well as record their activity.
- Superuser privilege management (SUPM): Enable fine-grained filtering of commands and
  actions which administrators are allowed to perform.
- Application-to-application password management (AAPM): Eliminate hard-coded
  passwords used by applications or scripts.
Figure 1 Main PAM functionalities
3 For example: http://www.cyberark.com/blog/keys-kingdom-credentials-lateral-movement/
4 See http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ and
  http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
5 Gartner Market Guide for Privileged Access Management 2015
4.1.1 SAPM
Shared account password management provides a hardened and encrypted password
safe or vault which can be used to centrally store administrative, service and shared
account credentials or keys.6 The stored credentials can be automatically changed at
regular intervals based on a predefined policy. SAPM also enables enforcement of a
password policy (regarding password length, complexity, change intervals, etc.).
SAPM features manage logins to these accounts. After a user authenticates to the solution,
logins are for example handled via SSO or by providing the user with the required
credentials—this can be done on a check-in/check-out basis. Logins ideally happen
without disclosing the password to the user. It is also possible to automatically change a
password every time it has been disclosed. This feature enables shared account usage—
without permanently disclosing the password of the shared account—and traceability via
check-in/check-out logs.
6 With some tools (e.g., Thycotic or CyberArk) it is also possible to use the vault to store credentials for authenticated vulnerability scanning.
SAPM also provides an audit trail of account usage. Additionally, workflow features and
functionalities to request and authorize account access (sometimes with integration in IT
service management tools to verify access requests) are often included.
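As an added example (not part of the whitepaper or any vendor's product), the following Python code models the check-in/check-out mechanism described above: a toy vault hands a shared account's password to one named requester at a time, records who held it when, and rotates the password on check-in so that the disclosed value stops working. Exclusive check-out, the one-hour time limit and the account/person names are assumptions of this example.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


class SapmError(Exception):
    pass


@dataclass
class SharedAccount:
    name: str
    password: str
    holder: Optional[str] = None        # who currently has the password checked out
    expires: Optional[datetime] = None  # when that check-out lapses


def generate_password(length: int = 24) -> str:
    """Random replacement password (constructed policy: letters, digits, some punctuation)."""
    alphabet = string.ascii_letters + string.digits + "!#%+-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class ToySapmVault:
    """Stand-in for a SAPM vault: stores shared account credentials, hands them out on an
    exclusive check-out basis and writes an audit trail of every check-out/check-in."""
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    checkout_ttl: timedelta = timedelta(hours=1)

    def add(self, name: str, password: str) -> None:
        self.accounts[name] = SharedAccount(name, password)

    def checkout(self, account: str, requester: str, now: datetime) -> str:
        acct = self.accounts[account]
        if acct.holder and acct.expires is not None and acct.expires > now:
            raise SapmError(f"{account} is currently checked out by {acct.holder}")
        acct.holder, acct.expires = requester, now + self.checkout_ttl
        self.audit.append((now.isoformat(), "checkout", account, requester))
        return acct.password  # the requester now knows the password ...

    def checkin(self, account: str, requester: str, now: datetime) -> None:
        acct = self.accounts[account]
        if acct.holder != requester:
            raise SapmError("only the current holder may check the account in")
        # ... so it is rotated immediately: the value that was disclosed is now worthless.
        acct.password = generate_password()
        acct.holder, acct.expires = None, None
        self.audit.append((now.isoformat(), "checkin+rotate", account, requester))

    def who_held(self, account: str, at: datetime) -> Optional[str]:
        """Traceability: which person held the shared account at a given point in time."""
        holder = None
        for ts, event, acct_name, person in self.audit:
            if datetime.fromisoformat(ts) > at:
                break
            if acct_name == account:
                holder = person if event == "checkout" else None
        return holder


def demo() -> dict:
    """Constructed walk-through: alice checks out, bob is refused, alice checks in,
    bob gets a freshly rotated password."""
    vault = ToySapmVault()
    vault.add("oracle_sys", "InitialP@ss")
    t0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
    pw_alice = vault.checkout("oracle_sys", "alice", t0)
    try:
        vault.checkout("oracle_sys", "bob", t0 + timedelta(minutes=10))
        bob_blocked = False
    except SapmError:
        bob_blocked = True
    vault.checkin("oracle_sys", "alice", t0 + timedelta(minutes=30))
    pw_bob = vault.checkout("oracle_sys", "bob", t0 + timedelta(minutes=40))
    return {
        "alice_got_initial": pw_alice == "InitialP@ss",
        "bob_blocked_while_alice_held_it": bob_blocked,
        "rotated_on_checkin": pw_bob != pw_alice,
        "holder_at_0915": vault.who_held("oracle_sys", t0 + timedelta(minutes=15)),
        "holder_at_0935": vault.who_held("oracle_sys", t0 + timedelta(minutes=35)),
        "audit_events": len(vault.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```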
4.1.2 PSM
Privileged session management offers two main functionalities: First, it is used to
establish privileged sessions. This ensures that all administrative activities are
conducted via one central point; a proxy/gateway approach is most common. Secondly, PSM
enables session monitoring and recording (recording of command input and output, video
recording of graphical sessions).
Most PSM tools offer various possibilities to transcribe the recorded sessions (e.g., OCR of
recorded videos) and enrich these recordings with additional metadata (often collected
with an agent; examples include windows opened, text input/copied, commands and
applications executed, file names, URLs, system calls, resources affected, etc.). Finally,
they offer various capabilities to monitor and search these recordings.
When researching PSM technologies it is important to pay attention to which protocols are
covered (e.g., SSH, RDP, Telnet, Citrix, VNC) and to think about deployment and integration
options in order to make sure that administrative activities—at least on critical servers
and infrastructure components—can only be conducted via the PSM solution, i.e., that
monitoring can’t be avoided by establishing a direct connection to the target servers.
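The last requirement can be verified from the defender's side. As an added example (not from the whitepaper), the following Python script parses constructed OpenSSH log lines from a critical server and flags successful logins whose source address is not the PSM gateway, i.e. sessions that bypassed the recording proxy. The gateway address, host name and log lines are constructed sample values.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: the PSM gateway (jump host) is the only source from which
# privileged sessions to critical servers are supposed to arrive.
PSM_GATEWAY_NETWORKS = [ip_network("10.10.0.5/32")]

# OpenSSH syslog line, e.g.
# "Mar  3 09:14:02 db01 sshd[2211]: Accepted publickey for root from 10.10.0.5 port 51022 ssh2"
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class BypassFinding:
    ts: str
    host: str
    user: str
    src: str
    method: str


def is_from_gateway(src: str) -> bool:
    """True if the source address lies inside one of the PSM gateway networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # host names or garbage never count as the gateway
    return any(addr in net for net in PSM_GATEWAY_NETWORKS)


def find_bypasses(log_lines, privileged_users=None):
    """Successful logins on a critical server that did not arrive via the PSM gateway.
    privileged_users=None means every account on the host is treated as in scope."""
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and other events are not login sessions
        if privileged_users is not None and m["user"] not in privileged_users:
            continue
        if is_from_gateway(m["src"]):
            continue  # went through the PSM and is therefore recorded, as intended
        findings.append(BypassFinding(m["ts"], m["host"], m["user"], m["src"], m["method"]))
    return findings


# Constructed sample log from a critical database host (not real data).
SAMPLE_LOG = [
    "Mar  3 09:14:02 db01 sshd[2211]: Accepted publickey for root from 10.10.0.5 port 51022 ssh2",
    "Mar  3 09:20:45 db01 sshd[2290]: Accepted password for root from 192.168.7.23 port 40112 ssh2",
    "Mar  3 09:21:10 db01 sshd[2301]: Failed password for root from 192.168.7.23 port 40113 ssh2",
    "Mar  3 09:30:00 db01 sshd[2355]: Accepted publickey for oracle from 192.168.7.50 port 40222 ssh2",
]

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"PSM bypass: {f.user}@{f.host} from {f.src} via {f.method} at {f.ts}")
```

The same check belongs in the firewall as well: if port 22 on critical servers only accepts connections from the gateway, a finding like the above points to a rule gap rather than merely a policy violation.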
4.1.3 SUPM
Superuser privilege management functionalities are mainly used to control and restrict
the commands which can be executed by an administrative user. They can also enable
“normal” users to run privileged commands (via methods similar to sudo or run as).
It must be noted that creating and maintaining SUPM policies of commands which
administrators are or are not allowed to execute (basically whitelists/blacklists) can be a
labor-intensive task. An approach that is sometimes recommended is to monitor for regularly
used commands and allow only these to be executed; however, the fact that not all
commands are needed equally often can lead to over-restrictive policies which may
hinder administrative activities.
SUPM can be run in preventive or detective mode. The detective mode can be used to only
report and not block the usage of commands which are not allowed, thereby making it
possible to investigate if a command was used for illicit purposes or if the SUPM policy is
set too tight for an administrator to fulfill his/her job.
Compared to SAPM and PSM, integrating SUPM functionalities is, according to Gartner,
much more time-consuming.
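To make the preventive/detective distinction and the over-restriction problem concrete, here is an added Python example (not from the whitepaper or any vendor's product): a toy SUPM policy evaluator with an allowlist, run in both modes over a constructed sequence of administrator commands, plus an allowlist learned from an observed command history that shows how a rarely used but legitimate command ends up blocked. Command history, threshold and host role are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
import shlex


class Mode(Enum):
    PREVENTIVE = "preventive"  # block commands that are not on the allowlist
    DETECTIVE = "detective"    # let them run, but report them for review


@dataclass
class Decision:
    command: str
    allowed_by_policy: bool
    executed: bool
    alert: bool


def command_name(cmdline: str) -> str:
    """Program name of a command line (first token), ignoring a leading sudo."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    return tokens[0] if tokens else ""


def evaluate(cmdline: str, allowlist: frozenset, mode: Mode) -> Decision:
    ok = command_name(cmdline) in allowlist
    if mode is Mode.PREVENTIVE:
        return Decision(cmdline, ok, executed=ok, alert=not ok)
    # Detective mode never blocks; disallowed commands only raise an alert so that
    # an analyst can decide whether the command or the policy is the problem.
    return Decision(cmdline, ok, executed=True, alert=not ok)


def learn_allowlist(observed: list, min_count: int) -> frozenset:
    """Allowlist built from commands seen at least min_count times during a
    monitoring period (the approach the text describes as sometimes recommended)."""
    counts = Counter(command_name(c) for c in observed)
    return frozenset(name for name, n in counts.items() if n >= min_count)


# Constructed monitoring-period history of a database administrator.
OBSERVED = (
    ["systemctl status postgresql"] * 12
    + ["tail -n 100 /var/log/postgresql/postgresql.log"] * 9
    + ["psql -U postgres -c 'SELECT 1'"] * 15
    + ["pg_basebackup -D /backup/base"] * 1  # monthly task, hence rare
)
LEARNED = learn_allowlist(OBSERVED, min_count=3)

# Constructed session to evaluate: routine work, the rare legitimate task,
# and an account creation that has no business on this host.
SESSION = [
    "systemctl status postgresql",
    "pg_basebackup -D /backup/base",
    "sudo useradd -G wheel extra_admin",
]


def run_session(mode: Mode, allowlist: frozenset = LEARNED) -> list:
    return [evaluate(c, allowlist, mode) for c in SESSION]


if __name__ == "__main__":
    for mode in Mode:
        print(f"--- {mode.value} mode, allowlist={sorted(LEARNED)}")
        for d in run_session(mode):
            status = "EXECUTED" if d.executed else "BLOCKED"
            print(f"{status:9}{'ALERT' if d.alert else '':6} {d.command}")
```

In preventive mode the learned allowlist blocks the monthly backup command together with the unwanted one; in detective mode both run, but both produce an alert, which is what makes the policy tunable before it is enforced.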
4.1.4 AAPM
Application-to-application password management is geared towards eliminating hard-coded
passwords from configuration files, applications or scripts (e.g., for connecting to a
database). It works in combination with SAPM and enables the credentials to be queried
from the password vault using an API. This makes the modification and testing of scripts
necessary, but removes the significant security risk of passwords stored in scripts or
configuration files being abused for illicit purposes. Additionally, this enables
organizations to regularly change the associated password without having to modify the
affected scripts, applications or configuration files.
The challenge for AAPM is that the script must authenticate to the vault. Placing other
credentials in the script is not really a solution. Real AAPM technologies recognize or
identify the script by its unique fingerprint or other information like signatures, the
host and directory it is executed on, user ID, etc.
Compared to SAPM and PSM, integrating AAPM functionalities can also be a bigger
challenge.
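As an added illustration (not the whitepaper's or any vendor's implementation), this Python example contrasts a script with a hard-coded database password against one that fetches the credential from a vault which identifies the caller by fingerprint (hash of the script's contents, host and OS user), as described above. The vault, the fingerprint scheme and all secrets are constructed in-memory stand-ins for a real SAPM API.

```python
import getpass
import hashlib
import os
import socket
import tempfile
from dataclasses import dataclass


# --- The problem AAPM removes: the credential lives in the script itself. -------------
def connect_before() -> dict:
    # Constructed, deliberately weak "before" version: rotating this password means
    # editing (and redeploying) every script that contains it.
    db_password = "Sup3rS3cret!"
    return {"user": "app_db", "password": db_password}


# --- A minimal AAPM-style vault stand-in. --------------------------------------------
@dataclass(frozen=True)
class AppIdentity:
    script_sha256: str  # fingerprint of the calling script's contents
    host: str           # host the script is permitted to run on
    user: str           # OS user the script is permitted to run as


class VaultError(Exception):
    pass


class ToyVault:
    """Maps an application identity to the one secret it may retrieve.
    A real SAPM product would additionally rotate the secret and log the access."""

    def __init__(self) -> None:
        self._policy = {}
        self.audit = []

    def register(self, ident: AppIdentity, account: str, secret: str) -> None:
        self._policy[ident] = {"account": account, "secret": secret}

    def get_credential(self, ident: AppIdentity) -> dict:
        self.audit.append(("request", ident))
        entry = self._policy.get(ident)
        if entry is None:
            raise VaultError("caller fingerprint/host/user not authorized")
        return dict(entry)


def fingerprint_self(script_path: str) -> AppIdentity:
    """Identity of a script as the vault would see it: content hash + host + OS user."""
    with open(script_path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return AppIdentity(digest, socket.gethostname(), getpass.getuser())


def connect_after(vault: ToyVault, script_path: str) -> dict:
    """The 'after' version: nothing secret in the script, credential fetched at run time."""
    cred = vault.get_credential(fingerprint_self(script_path))
    return {"user": cred["account"], "password": cred["secret"]}


def demo() -> dict:
    """Constructed walk-through: register one batch job, then alter its contents."""
    vault = ToyVault()
    with tempfile.TemporaryDirectory() as d:
        job = os.path.join(d, "nightly_report.py")
        with open(job, "w") as f:
            f.write("# constructed batch job\nprint('nightly report')\n")
        vault.register(fingerprint_self(job), account="app_db", secret="r0tated-by-vault")
        granted = connect_after(vault, job)

        with open(job, "a") as f:  # someone edits the job ...
            f.write("print('extra step')\n")
        try:
            connect_after(vault, job)  # ... and the fingerprint no longer matches
            tampered_denied = False
        except VaultError:
            tampered_denied = True
    return {"granted": granted, "tampered_denied": tampered_denied,
            "requests_logged": len(vault.audit)}


if __name__ == "__main__":
    print(demo())
```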
4.2 Additional Capabilities
Additional capabilities and features of PAM solutions often include, but are not limited to
the following:
4.2.1 Auto-discovery
The auto-discovery feature is used for the automated discovery of administrative and
service accounts (across Windows, Unix/Linux, applications and network devices). It is
included in many solutions.
It must be noted that auto-discovery is not an exact science and will most likely not detect
all privileged accounts, which means that additional manual work and discovery is
necessary.
It is recommended to conduct discovery scans not only once, but to scan regularly (or
continuously) for newly created/provisioned accounts (privileged account creation is an
event which should be closely monitored since, for example, during many large breaches
attackers created their own privileged accounts). In some cases, auto-discovery can also be
used to search for credentials in configuration files.
Examples of stand-alone, free and quick assessment tools which offer auto-discovery
functionality are CyberArk DNA (Discovery and Audit)7 and the Thycotic privileged
account discovery tool for Windows8.
4.2.2 AD Bridging
AD Bridging tools facilitate the management of users and groups on Unix or Linux
machines in Active Directory (sometimes they also support some GPOs). They enable
users created in AD to log in to non-Windows systems. For this to work, an agent must
be installed on the respective Unix or Linux systems.
4.2.3 Session Transcription, OCR and the ability to search logs
In regard to PSM functionalities, some vendors offer advanced transcription features of
the recorded session as well as sophisticated possibilities to search logs and jump forward
or backward in the recorded videos based on activities and metadata. In such cases, local
agents are often used in order to collect additional metadata.
4.2.4 “Threat Analytics”
“Threat analytics” features facilitate the behavioral analysis of privileged accounts. Their
goal is to learn what the normal and expected behavior of these accounts looks like. Based
on that they then look for deviations, unusual behavior and anomalies which can indicate
that “something bad” is happening or that the account was hijacked and is involved in
attack activities.
4.2.5 Dual Control—Four-eye-principle
The dual control feature enhances PSM functionalities. When trying to open a connection
to a highly sensitive system (possibly the connection of an external maintenance
technician), an approver first has to authorize the session before it can be established. The
approver is also able to conduct live monitoring and even terminate the session.
7 http://www.cyberark.com/cro-free-risk-assessment/
8 https://thycotic.com/solutions/free-windows-privileged-account-discovery-tool/
4.2.6 Advanced Authentication Support
This functionality encompasses the support for advanced authentication methods like
two-factor authentication or Smartcards when users are accessing credentials stored in
the SAPM password vault.
Vendors, for example CA Technologies, also support the integration with products that
offer risk-based authentication features9.
4.2.7 Cloud and Hypervisor Integration
Besides the management of “traditional” privileged accounts, some solutions also focus on
securing administrative accounts in cloud infrastructure (auto-discovery of cloud
infrastructure, fine-grained management of IaaS and PaaS administrative operations).
Another aspect is the integration and support for controlling hypervisor permissions (e.g.,
which guest images administrators can start, stop, migrate and remove, as well as when,
from where, etc.).
A tightly related aspect is the management of social media account credentials which are
often shared among multiple users (in the marketing department). They are usually
considered very valuable and their compromise can have severe and very visible
consequences (e.g., if they are used by hackers to spread malware or false and
inappropriate messages).
4.2.8 SIEM Integration
Most PAM technologies can be integrated with SIEM systems to send detailed usage data
and events to be analyzed and correlated against other information. Some PAM solutions,
for example CyberArk, can also ingest SIEM data and use it within the Threat Analytics
assessment of account behavior.
9 Risk-based authentication solutions provide a risk score of each attempted authentication that can help determine whether an account login is benign or could be performed by an attacker. In these cases, additional, “step-up authentication” methods could be required, the attempt could simply be rejected, or an alarm could be raised. When attackers authenticate to a system, there are often contextual factors that could, if recognized, raise a warning about the validity of the authentication. For example, if someone from Finance working in New York suddenly logs in from Russia, or if someone logs in from Rome, two hours after logging out in New York, it is clear that a fraudulent authentication is in progress. http://www.ca.com/content/dam/ca/us/files/white-paper/dealing-with-insider-threats-to-cyber-security.pdf http://searchsecurity.techtarget.com/definition/risk-based-authentication-RBA
Other features include mobile app support (does the solution provide a mobile app for
accessing the password safe, possibly also in offline mode?), support for multitenancy
(especially important for IT service providers) and SSH key management.
4.3 Implementation Possibilities
Most vendors support a diverse array of deployment options. Important questions to
consider are:
- whether the solution is deployed agent-based or agentless,
- whether it acts as a proxy/gateway or is host-based, and
- whether it is deployed on site (e.g., as a hardened appliance or virtual appliance), as
  software only, or entirely cloud-based (some vendors have SaaS-based offerings).
Each of these possibilities has its own unique (dis)advantages which should be carefully
compared against one’s own requirements before coming to a decision.
5 PAM Vendor and Cost Overview
This chapter provides a PAM vendors and pricing overview.
5.1 Important Vendors
The following list comprises selected PAM vendors and is intended as a starting point for
further research and analysis when planning to acquire a PAM tool. Please note that the
tools might not cover all functionalities and capabilities described in chapters 4.1 and 4.2.
5.1.1 CyberArk
CyberArk10 is a large vendor with a comprehensive portfolio covering all of the PAM main
functionalities (SAPM, PSM, SUPM, AAPM).
5.1.2 BeyondTrust
BeyondTrust11 is one of the largest vendors with a huge portfolio covering all of the PAM
main functionalities (SAPM, PSM, SUPM, AAPM).
10 http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
11 https://www.beyondtrust.com/products/powerbroker-password-safe/
5.1.3 ObserveIT
ObserveIT12 is a vendor who focuses on PSM. They offer very advanced search, logging
and session recording features. In addition to the monitoring of privileged users the
company lately started to offer insider threat detection and management software.
5.1.4 Thycotic
Thycotic13 is a vendor who focuses on SAPM and AAPM functionalities. They are highly
regarded for their AAPM functionalities.
5.1.5 CA Technologies
CA Technologies14 is a large vendor with a comprehensive portfolio covering all of the
PAM main functionalities (SAPM, PSM, SUPM, AAPM). In the Forrester Wave for Privileged
Identity Management15 CA Technologies is described as the leading vendor. In 2015, CA
Technologies acquired Xceedium who also provided comprehensive PAM functionalities
especially for virtualized, cloud and hybrid environments which are now being integrated
in the CA Technologies portfolio.
5.1.6 BalaBit
BalaBit16 is a vendor who mainly focuses on PSM. They offer advanced search, logging and
session recording features.
5.1.7 Wallix
Wallix17 is a vendor who mainly focuses on PSM. They offer advanced search, logging and
session recording features.
5.1.8 Dell
Dell18 is a large vendor with a comprehensive portfolio covering all main PAM
functionalities (SAPM, PSM, SUPM, AAPM).
12 http://www.observeit.com/de/solutions/privileged-user-monitoring
13 https://thycotic.com/products/secret-server/
14 http://www.ca.com/de/products/privileged-access-management.html?intcmp=headernav
15 The Forrester Wave: Privileged Identity Management 2014
16 https://www.balabit.com/de/network-security/scb/features
17 http://www.wallix.com/en/produits-2/wallix-adminbastion-en
18 http://software.dell.com/solutions/privileged-management/
5.1.9 Hitachi ID Systems
Hitachi ID Systems19 offers SAPM, PSM and AAPM capabilities.
5.1.10 Arcon
Arcon20 is a vendor who covers all of the PAM main functionalities (SAPM, PSM, SUPM,
AAPM).
Other vendors are for example IBM, Centrify, Bomgar, Osirium, Lieberman Software,
Master SAM and NRI Secure.
5.2 Vendor Map
This map shows the countries of origin for various PAM vendors. The majority of vendors
are located in the USA, while there also are some European PAM solutions on the market.
Figure 2 Map of PAM vendors by Security Architects21
19 https://hitachi-id.com/privileged-access-manager/
20 https://www.arconnet.com/products/privileged-identity-management
21 http://www.slideshare.net/danb02/privileged-access-management-pam
5.3 Cost Estimate
PAM vendors work with very diverse pricing models, based on the provided
functionalities and varying metrics, e.g., number of privileged users, managed target
systems and accounts, number of simultaneous sessions, delivery options (physical or
virtual appliance, SaaS), and deployment types (host- or gateway-based).22
Perpetual licenses for on-site deployments (via software and physical or virtual
appliances) are the most common, while some vendors also offer subscription-based
pricing models.23
The table below summarizes average pricing information, based on inquiries made by
Gartner in 2015. This serves as a rough estimation, given the high variability in pricing.
Figure 3 Gartner Market Guide Privileged Access Management
6 Side Topics
The following chapter deals with selected side topics closely related to PAM.
6.1 Reporting and Review of Accounts
As required by many standards and best practice guidelines, existing privileged accounts
have to be reviewed regularly. PAM tools with an automatic discovery functionality can
support this process, but organizations must keep in mind that these features are not
perfect and not all accounts can be discovered in an automated way.
22 Gartner Market Guide for Privileged Access Management 2015
23 Gartner Market Guide for Privileged Access Management 2015
The review should check whether the account is still needed (orphaned accounts are a
security risk, and even more so orphaned administrative accounts) and who the
associated person is, in order to make sure that every account is associated with a
specific person. If there is a valid reason for an account to be shared, access to this account
can be made traceable via SAPM functionalities.
The reviews must be executed regularly to make sure that administrators or third parties
who are no longer working with the company do not continue to have access to sensitive
resources.
Reporting should enable organizations to provide auditors with documentation on which
admin has access to what systems.
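The review described above, as an added example that is not part of the white paper: it runs over a constructed PAM inventory and HR roster, flags accounts that are orphaned, have no associated person, are shared without SAPM traceability, or have not been used for a long time, and produces the auditor view of who has access to which systems. The data structures, the HR status values and the 90-day threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class PrivilegedAccount:
    system: str
    name: str
    owner: Optional[str]        # HR id of the responsible person, None = unknown
    shared: bool                # used by more than one administrator
    vault_managed: bool         # checkouts are traceable via SAPM
    last_login: Optional[date]  # None = never used since inventory started

# Constructed sample data: HR roster (id -> status) and PAM inventory
ROSTER = {"e100": "active", "e200": "active", "c300": "left"}
ACCOUNTS = [
    PrivilegedAccount("db01", "root", "e100", True, True, date(2016, 3, 1)),
    PrivilegedAccount("ad", "svc_backup", "c300", False, False, date(2016, 3, 10)),
    PrivilegedAccount("fw01", "admin", None, True, False, date(2015, 10, 1)),
    PrivilegedAccount("app02", "deploy", "e200", False, True, None),
]
TODAY = date(2016, 3, 15)  # constructed review date

def review(accounts, roster, today, stale_days=90):
    """Map 'system/account' -> list of findings; an empty result means all clean."""
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        issues = []
        if acc.owner is None:
            issues.append("no associated person")
        elif roster.get(acc.owner) != "active":
            issues.append("orphaned: owner no longer with the company")
        if acc.shared and not acc.vault_managed:
            issues.append("shared account not traceable via SAPM")
        if acc.last_login is None or (today - acc.last_login).days > stale_days:
            issues.append("not used for more than %d days, still needed?" % stale_days)
        if issues:
            findings["%s/%s" % (acc.system, acc.name)] = issues
    return findings

def access_report(accounts):
    """Auditor view: which person has access to which systems ('?' = unknown owner)."""
    report: Dict[str, List[str]] = {}
    for acc in accounts:
        report.setdefault(acc.owner or "?", []).append("%s/%s" % (acc.system, acc.name))
    return {owner: sorted(systems) for owner, systems in report.items()}

if __name__ == "__main__":
    for account, issues in review(ACCOUNTS, ROSTER, TODAY).items():
        print(account, "->", "; ".join(issues))
    print(access_report(ACCOUNTS))
```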
6.2 Logging and Monitoring
The logging and monitoring of administrative activities is very important, and PSM tools
offer various capabilities in this area. Nevertheless, recording alone is not enough:
the logs and records have to be analyzed at regular intervals. For this analysis,
organizations have to develop the respective processes and workflows (responsibilities,
intervals, events to look for, etc.).
Integrating PAM information into SIEM systems can furthermore provide the security
monitoring team with a valuable data source.
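An added example (not from the white paper) of the kind of analysis an organization might define before forwarding PAM data to a SIEM: constructed SAPM checkout and PSM session records are correlated, and a session on a vault-managed account without a recent checkout by the same user, or outside the agreed maintenance window, becomes a JSON finding. The log format, the one-hour checkout age and the 06:00-22:00 window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records: SAPM checkouts and PSM session starts
LOG = """\
2016-03-15T21:05:10 type=checkout user=alice account=db01/root
2016-03-15T21:06:02 type=session_start user=alice account=db01/root src=10.0.5.7
2016-03-15T23:40:00 type=session_start user=bob account=fw01/admin src=10.0.5.9
2016-03-16T09:00:00 type=checkout user=dave account=db01/root
2016-03-16T13:30:00 type=session_start user=dave account=db01/root src=10.0.5.12
"""

def parse(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def analyze(log, max_checkout_age=timedelta(hours=1), window=(6, 22)):
    """Return SIEM-ready findings (dicts) for suspicious session starts."""
    checkouts = {}   # (user, account) -> time of the most recent checkout
    findings = []
    for rec in map(parse, log.splitlines()):
        key = (rec["user"], rec["account"])
        if rec["type"] == "checkout":
            checkouts[key] = rec["ts"]
            continue
        reasons = []
        last = checkouts.get(key)
        if last is None:
            reasons.append("session without SAPM checkout")
        elif rec["ts"] - last > max_checkout_age:
            reasons.append("checkout older than %s" % max_checkout_age)
        if not window[0] <= rec["ts"].hour < window[1]:
            reasons.append("session outside maintenance window")
        if reasons:
            findings.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                             "account": rec["account"], "src": rec.get("src"),
                             "reasons": reasons})
    return findings

def to_siem(findings):
    """One JSON line per finding, the form most SIEM collectors ingest."""
    return [json.dumps(f, sort_keys=True) for f in findings]

if __name__ == "__main__":
    print("\n".join(to_siem(analyze(LOG))))
```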
6.3 PAM High Availability
Depending on the chosen PAM solution and deployment method, the PAM solution itself
may become a single point of failure.
Therefore, organizations should thoroughly assess whether their solutions are able to
fulfill high availability requirements (active-active or active-passive failover, stretch
cluster or PAM replication across sites), since the failure of such a critical component
could have a severe impact on the organization’s ability to operate. During this
assessment it is also important to consider possible dependencies on external
components such as an RDBMS.
When deploying PAM solutions, organizations should also consider load balancing,
performance and scalability topics.
Finally, an emergency process which deals with the unavailability or failure of PAM
components—which, e.g., may cause an administrator to be unable to log in to the
password vault where their administrative credentials for root or admin accounts are kept—
must be designed. An article published on the website of Security Architects provides
some good ideas on this topic, e.g., emergency accounts and secure copies of the password
vault content.[24]
6.4 PAM Security
PAM technologies handle highly sensitive information. Therefore, security is of the
utmost importance, and PAM tools do provide various security and hardening
mechanisms. Many vendors additionally have their password vault certified, e.g., under
Common Criteria or FIPS.
When deploying a PAM solution, security mechanisms of the tool itself as well as
additional protection measures within the company should be thoroughly evaluated.
6.5 Privileged Third Party Access
As already noted in chapter 3, third parties (vendors, partners, contractors, etc.) with
privileged access can pose a significant risk to organizations. PAM tools can be used to
reduce this risk; in addition, organizations must deal with topics like a formal access
request process for third parties, confidentiality agreements, the definition of security
measures which must be adhered to by the third parties, as well as regular account
reviews.[25]
6.6 Administrator Guideline
Besides technical measures to secure privileged accounts, organizations should also
consider implementing an administrator guideline/policy which deals with topics like
background checks, common principles, accountability and responsibilities, secrecy,
respecting employee privacy, handling of privileged accounts, information on logging,
adherence to change management procedures, restriction of privileged account usage
to administrative purposes only, and surfing, e-mailing, etc. via a restricted account.
24 http://security-architect.com/how-to-balance-assurance-and-availability-in-pam-systems/
25 Information on the topic of dealing with privileged third party access is, e.g., available via Gartner: http://www.gartner.com/document/3161329?ref=solrAll&refval=165534547&qid=73ebe92df248b84375ffc3e4c0352d7c
6.7 Dealing with Objections against Recording Capabilities
When deploying PAM solutions, administrators can—understandably—be skeptical,
especially regarding the monitoring capabilities of PSM. Such a deployment should
therefore be carried out in close cooperation with the administrators as well as the works council.
They should be assured that the recording of administrative activities is for their own
benefit, since they will be able to prove what they did or did not do in case of errors,
malfunctions or attacks.
It should be made clear that the monitoring only encompasses administrative activities.
If adhering to best practices, administrators should in any case use a dedicated account
for e-mail, surfing, etc. where no additional recording is in place (or only the
monitoring that applies to, and is made known to, all employees).
7 Appendix
7.1 List of References
7.3 List of Figures
Figure 1 Main PAM functionalities ..... 8
Figure 2 Map of PAM vendors by Security Architects ..... 15
Figure 3 Gartner Market Guide Privileged Access Management ..... 16
8 Literature
In the following, the sources for this white paper and additional literature are listed.
Gartner
Gartner Market Guide for Privileged Account Management 2014
Gartner Market Guide for Privileged Access Management 2015: online version available via BeyondTrust: http://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-2GZM0KS/gartner.html
Forrester
The Forrester Wave: Privileged Identity Management, Q1 2014: online version available via Centrify: https://www.centrify.com/media/1626221/forrester-privilege-identity-management-wave-report.pdf
SearchSecurity
http://searchsecurity.techtarget.com/magazineContent/Privileged-account-management-critical-to-data-security
http://searchsecurity.techtarget.com/tip/The-steps-of-privileged-account-management-implementation
SANS
https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890
CyberSheath
http://www.cybersheath.com/wp-content/uploads/2015/03/CyberSheath_APT_Privileged_Exploit.pdf
Security Architects
http://security-architect.com/privileged-access-management-webinar-recording-available/ (video of a webinar on PAM technologies)
http://security-architect.com/privileged-account-management-pam-is-very-important-but-deploying-it-stinks/