The Best Implementation Practices for Deploying a PAM SolutionOliver Bock
As valid credentials that provide non-restrictive access to your systems, privileged accounts are as essential as they are dangerous. In the right hands, they are essential tools for managing your IT infrastructure; in the wrong hands, they’re the master key that unlocks all the doors to your most precious assets. That is where a PAM solutions comes into play.
Deploying the right PAM solution is key to managing, tracking, and securing these accounts. We’ve collated 4 of the best implementation practices that will positively impact your deployment. For the first 2 of these, you’ll notice they happen before product selection; that’s because choosing the right solution is a significant prerequisite to a successful deployment.
Let’s take a look at the best implementation practices:
Understanding How The Privilege Management Lifecycle Affects Your Choice of Solution
The privilege management lifecycle model looks like this:
The parts of the lifecycle speak for themselves as to their function and importance, and you’re almost certainly already familiar with this model (or something very similar). The key takeaway is that for an implementation to be successful you must choose a solution that supports your organization through every step of the cycle.
For example, it doesn’t matter how good your monitoring is if you can’t use that information to detect malicious insiders or outside hackers. And it doesn’t matter how good your detection is if your system is so locked-up that responding to a threat quickly is impossible.
The “Improve” step is often overlooked when implementing PAM but is one of the most essential. It is inevitable that there will be threats to your system – whether from a malicious insider, a careless employee, or an outside attack – so your long-term security depends on how can you can improve your PAM to counter these threats.
Choose a Solution That is Easy to Use and Deploy
Different solutions will be easier or harder to use and deploy, which could make all the difference to the success of your implementation project. A solution that is harder and takes longer to implement will require more resources to do so, especially in regards to the time your team has available. This holds true regardless of whether you’re opting for a SaaS or an on-premises deployment.
This is important because lack of budget and lack of resources are two of the most common reasons why an implementation fails. Many businesses underestimate the “hidden” cost of a rollout and under-budget for a deployment that ends up being far more complicated than they had planned for.
The ticket price of your solution is just a fraction of the total cost of ownership – implementation, consulting, and customization must all be considered. Training and documentation are also going to be essential because to achieve best practice, behavioral change needs to take place.
By choosing a solution that simplifies your rollout, or by working with a software provider that provides the high-quality support you need to safeguard the success of your PAM implementation and free up resources for focusing on less technical areas of your implementation.
Principle of Least Privilege
The principle of least privilege is one of the most basic and important principles governing your PAM. Simply, any account (whether human or not) should have its rights reduced to the minimum necessary to operate and complete any tasks it has.
- Inventory – Discover all your privileged accounts.
- Identify – Identify who has ownership over those accounts.
- Limit – Reduce privileges where appropriate.
- Eliminate – Remove privileges wherever possible.
Finding a balance
To achieve this, you must find a balance between efficiency and security. For many tasks, a high level of privileges and a low level of scrutiny will increase efficiency, but at a total loss of security. At the other end of the spectrum, completely reducing access across the board will prevent your systems and users from working effectively, or even at all. Clearly, this is impossible, so while you’ll need to keep privileges as low as possible, you’ll also need to increase scrutiny of areas where access is required. Implementing tools such as session recording can help increase security at no cost to efficiency.
Automating access decisions
The most time-effective tools will largely automate many of the day-to-day decisions about access according to pre-established rules, taking into account a person’s job title, location, time of day, previous history, etc. So, for example, an individual that has to perform a routine change every day might be given privileged access to do so, but only if they are on site and connecting from the correct workstation. If there is no need for them to have privileged access from other locations or workstations, then they should not have it, and blocking this access is key to protecting your organization. In this case, even if a hacker got hold of these credentials, they’d be unable to use them without being on-premises.
Eliminate Shared Accounts
Pay particular attention to shared accounts, and eliminate them if possible. These accounts are often either application-to-database or application-to-application and may be hard coded. For example, some applications will have a login and password to connect to one or more databases. These passwords are often stored in unencrypted files, making them easy to find for anyone who already has some level of access.
Whenever multiple users have access to a single shared account (whether on purpose or because the password is easily obtainable), it becomes difficult to link changes made with the people doing it. This lack of accountability opens your business to risk, makes it much easier for a malicious actor to get away with an attack, and demands a high level of visibility from your IT security team. Some of these accounts may never need to be used by a human, in this case, an appropriate measure would be to eliminate human login for these accounts.
Implement Effective Password Management
Your passwords are the keys to your system. An effective implementation will set a new benchmark for the managing your passwords. Consider the following:
One-Time or Cycling Passwords
If you have not previously implemented a PAM solution, it is likely that some of your users have been using the same weak passwords for years. To be effective, passwords must be unique, hard to guess, and complex enough to defeat brute-force attacks. Best practice is to enable automatic changing of passwords on a regular cycle, for example, every 30 days.
Another, more secure approach, is to use one-time passwords. Changing a password after every session makes it much harder for a hacker to use one and significantly reduces the risk of attack while also increasing visibility and accountability. The added hassle for users means that this may be appropriate for some accounts, but not others.
Another option is to choose multi-factor authentication, adding an additional layer of security for your most important accounts. Many of your legacy devices will not support this, so if you require this, the solution must be provided by your PAM software. Again, this puts another barrier between a hacker and your system, reducing the chances of them gaining access even if they get hold of a set of credentials.
Implement Secure Password Vaulting
Users with multiple passwords and privileged access to many systems will find it hard to manage those passwords, particularly if you are rotating passwords on a regular basis. When a user is unable to keep up with your password policy, poor practices start to creep in. It doesn’t matter how strong your policies are if users resort to writing down passwords or storing them unencrypted on their workstation because they can’t remember them all.
A password vault can reduce complexity by acting as a single point of authentication, allowing users access to various systems (whose passwords are managed by the vault) with just one login. The password vault acts as another step between users and their privileged accounts, representing one more barrier for hackers.
Also published on Medium.