Ransomware attacks, like the one against the Colonial Pipeline in 2021, have shown how a cyber-attack can impact the entire country. Colonial Pipeline supplied around 45% of the fuel for East Coast customers, and when the ransomware attack caused a shutdown, the outage caused a major disruption of transportation in the United States. It cost Colonial Pipeline 75 bitcoin (about $4.5 million) to recover their data.
While President Biden immediately signed an Executive Order requiring companies to strengthen their cybersecurity stance to make the next successful attack less likely, this doesn’t force many specific changes on most companies. Many companies have plenty of work to do before they can protect themselves, and that includes strong identity protection for all user accounts and protecting privileged access rights.
To prevent attacks like the Colonial Pipeline breach, many organizations are implementing simple strategies that help protect user accounts with Identity & Access Management (IAM) solutions. An IAM strategy can be a great foundation for a strong identity-centric security solution, but it will not prevent attackers from moving laterally through your network. The attackers can use compromised accounts to attack your environment to gain additional privileges and increase their potential damage.
Privileged Account Management
To help reduce this type of damage, a dedicated Privileged Account Management (PAM) solution is required. A PAM solution allows you to provide a simple least-privilege user account to everyone, and as users need additional permissions, they must request temporary elevated permissions. Ideally those elevated permissions are only effective for a short period of time.
If a User Administrator (as one simple example) needs to add some new user accounts, they would request permission to access the systems required to create those new user accounts. The automated system would grant the authorized user elevated permissions for a short period of time (usually just a couple of hours), then the elevated permissions are automatically removed. If they need continued access, they must make a new access request.
Why grant someone 24×7 elevated permissions when they rarely need those permissions for more than 8 hours per day, and never for the entire day? If the user account is compromised, the attacker would only gain access to a “normal” user account. They would need to request access to gain elevated permissions, and the request could be denied if it is detected to be coming from an unusual location or without the normal multi-factor authentication (MFA) response.
This simple process helps ensure that even if an attacker gains access to a user’s account that sometimes performs elevated functions, the actual damage the attacker can cause is limited by the current “normal” privileges of that user.
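As an added illustration (not code from this article or from any vendor listed below), the following Python models the request-and-expire cycle described above: a least-privilege base role, a time-boxed grant capped at two hours that expires on its own, and denial when the request arrives from an unusual location or without a passed MFA challenge. The account name, locations, role name and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed policy for this example: each account starts with a least-privilege
# base role; elevation is time-boxed and denied from untrusted locations or without MFA.
BASE_ROLES = {"alice": {"user"}}
TRUSTED_LOCATIONS = {"hq-office", "corp-vpn"}
MAX_GRANT = timedelta(hours=2)

@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime

class JitElevation:
    """Minimal just-in-time elevation model (hypothetical, not a vendor API)."""
    def __init__(self):
        self.grants = []
        self.audit = []  # (time, user, role, decision) rows for reporting

    def request(self, user, role, now, location, mfa_passed, hours=2):
        """Return a Grant, or None when policy denies the request."""
        if location not in TRUSTED_LOCATIONS:
            self.audit.append((now, user, role, "denied: unusual location"))
            return None
        if not mfa_passed:
            self.audit.append((now, user, role, "denied: no MFA"))
            return None
        grant = Grant(user, role, now + min(timedelta(hours=hours), MAX_GRANT))
        self.grants.append(grant)
        self.audit.append((now, user, role, f"granted until {grant.expires_at}"))
        return grant

    def effective_roles(self, user, now):
        """Base role plus unexpired grants; expiry needs no manual revocation."""
        roles = set(BASE_ROLES.get(user, set()))
        roles.update(g.role for g in self.grants if g.user == user and g.expires_at > now)
        return roles

def scenario():
    """Walk the article's example: a user administrator elevates for two hours."""
    pam = JitElevation()
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    return {
        "untrusted": pam.request("alice", "user-admin", t0, "cafe-wifi", True),
        "no_mfa": pam.request("alice", "user-admin", t0, "hq-office", False),
        "granted": pam.request("alice", "user-admin", t0, "hq-office", True),
        "during": pam.effective_roles("alice", t0 + timedelta(hours=1)),
        "after": pam.effective_roles("alice", t0 + timedelta(hours=3)),
        "audit_rows": len(pam.audit),
    }
```

Every decision, granted or denied, lands in the audit list, which is the raw material for the reporting and oversight the article asks for later.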
When selecting your PAM solution, you need to look for a solution that fits your basic requirements and environment. There are a few features you may want to consider as you work to improve the security of your environment.
- Those systems that require the most security, such as domain controllers, are often referred to as Tier 0 or Tier 1 resources. You’ll want to select a solution that allows you to identify these sensitive systems and configure additional protections, like granting privileged access to those extra-sensitive systems from a special isolated environment and allowing you to configure robust MFA as extra security.
- You don’t want to forget your SaaS systems, so make sure your PAM solution allows for strict requirements when accessing the admin-level and privileged users on those systems.
- You’ll want to make sure the PAM system allows you to store critical credentials for infrastructure accounts, DevOps accounts, SSH key pairs, and other information shared by admin-level users so they can be checked out and shared from a secure vault.
- To ensure compliance you’ll need enhanced auditing and reporting features.
Once you have implemented these new tools and procedures, you’ll want to test the system and procedures with a penetration testing effort to verify it is as secure as you think. Look for reporting and oversight to help management verify users are using the system in compliance with policies and guidelines.
There are several well-known companies that offer these types of PAM solutions:
- JumpCloud Directory Platform
- ARCON Privileged Access Management
- BeyondTrust Privileged Remote Access
- Broadcom Symantec Privileged Access Management (PAM)
- CyberArk Core Privileged Access Security
- Delinea Secret Server
- Foxpass Privileged Access Management
- Hitachi ID Systems Bravura Privilege
- Microsoft Privileged Access Management
- One Identity Safeguard
You may want to evaluate a couple of solutions in a lab environment before you deploy a solution into your production environment. This will give you an opportunity to verify the product features match your business requirements while also allowing you to determine configuration requirements before moving into production. You may need to consider engaging a consultant to assist in the product configuration and rollout, and you may need to hire a dedicated employee to handle day-to-day management of the system, particularly in a large environment.
Once you understand that the primary target of attackers is your privileged accounts, you’ll better understand why those accounts require special attention and controls. A Privileged Access Management (PAM) program will help ensure that users are always granted the minimum level of privileges for their specific tasks and that a security structure is in place to enforce additional protection like Multi-Factor Authentication, strong Password Management, Secure Storage Vaults for critical shared information, and even conditional access based on user location.