To keep your corporate data and IT assets safe, you need to securely control and monitor access to them. Solutions and technologies used to accomplish this are often characterized under the umbrella term of privileged access management (PAM). But as the threat landscape continues to evolve and become more dangerous, the tools IT can use to safeguard your business also must evolve. To understand more about what’s happening in this field, I reached out recently to Adam Laub, the general manager at Stealthbits Technologies, a company that offers solutions that can help your business protect credentials and data from insider threats, audit changes, and automate tasks for security and compliance across your infrastructure. With his many years of experience, Adam is well-placed to describe how PAM has evolved and where it’s now heading, so let’s listen in and learn what he has to say on this subject.
Evolution of privileged access management
Over the past two decades, privileged access management has undergone several transformations. Also known as shared account password management, privileged access management became mainstream early in the millennium. The objective was to control access to and frequently change the password of superuser accounts such as administrator on Windows or Active Directory, and root on Unix and Linux.
Next came the more formal shift to privileged access management with the introduction of session proxy servers, allowing administrators to access high-value assets securely without knowledge of the password. The vault, in addition to the proxy, allowed organizations to record all session data, even across segmented networks.
Soon thereafter, Microsoft best practices recommended administrative account separation, requiring unique accounts for each user to separate everyday tasks from admin tasks, and administrator and root accounts being used only for “break-glass” access.
However, because all privileged accounts are essentially controlled via the same vault and access policy, the use cases between superuser accounts and personal admin accounts became intertwined, blurring the distinction between privileged account management and privileged access management.
The result, counter to the goal of PAM, has been an increase in an organization’s attack surface, because of a substantial increase in the number of privileged accounts that maintain persistent access (aka standing privileges) to the very same resources they’re meant to administer. This has left privileged accounts vulnerable to lateral movement attacks (for example, via a Kerberos ticket left in memory), on top of overly complex access control rules.
The future of privileged access management
In the DevOps world, many embrace the idea of immutable infrastructure because of the operational benefits that come from being able to dynamically and rapidly scale. It has the added benefit of never needing to be updated in place. If it fails or needs to be updated, it is simply destroyed and replaced. This is exactly the concept that needs to be applied to privileged accounts and privileged access management. In much the same way that DevSecOps has moved away from managing systems and embraced security by disposability, the use of ephemeral privileged accounts provides a mechanism for system administrators to do their jobs effectively without the overhead and the liability of managing the accounts that log them on to their servers. In other words, privileged accounts only exist at the time you need them, and there are no privileges while at rest. (Gartner has referred to this as zero standing privileges or ZSP.)
Why zero standing privileges?
It’s apparent that the one consistent factor in the privileged access management equation is the privileged account itself. So, what if you could remove it from the said equation? It’s kind of hard to compromise an account that doesn’t exist, right?
With a zero standing privilege model driven through ephemeral accounts, an activity token is created (just-in-time) and granted the ability to perform only the desired task (just-enough-privileges) behind the scenes. The activity is then performed interactively or by the system on behalf of the privileged user. When the activity is complete, the privileges are instantly revoked from the activity token, which is subsequently destroyed.
Using this approach, an organization’s attack surface is massively reduced to the window during which the administrator is performing the activity (which is a conversation for another day); no passwords or artifacts remain for an attacker to leverage. All the administrator needs to know is the task they need to perform.
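The ephemeral-account lifecycle described in the two paragraphs above (and the "no privileges while at rest" idea from the DevOps section) can be made concrete with a small broker simulation. The following is an added example written for this article, not code from Stealthbits or any vendor product: the activity catalogue, the `ZspBroker` class, the privilege names and the user names are all constructed for illustration. It shows the four properties the text describes: a token is minted just-in-time, it carries only the privileges of one activity, it is bounded by a TTL, and it is destroyed the moment the activity ends (even if the activity fails), so the broker holds nothing at rest.

```python
from dataclasses import dataclass
import secrets
import time

# Constructed task catalogue: each activity maps to the minimal privilege set
# it needs (just-enough-privilege). A real deployment would derive this from
# policy; the activity and privilege names here are illustrative only.
ACTIVITY_PRIVILEGES = {
    "restart-service": frozenset({"service:restart"}),
    "rotate-tls-cert": frozenset({"cert:write", "service:restart"}),
}


@dataclass
class ActivityToken:
    """A short-lived grant tied to one subject and one activity."""
    token_id: str
    subject: str
    activity: str
    privileges: frozenset
    expires_at: float


class ZspBroker:
    """Issues just-in-time activity tokens and tears them down after use.

    With no activity running, the broker holds no live tokens, so there is
    no standing privilege for an attacker to reuse.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._live = {}          # token_id -> ActivityToken, empty at rest
        self.audit = []          # append-only record of issue/revoke events

    def standing_privileges(self):
        """Privileges that exist right now: only unexpired live tokens."""
        now = self._clock()
        return {t.token_id: set(t.privileges)
                for t in self._live.values() if now < t.expires_at}

    def request_activity(self, subject, activity, ttl_seconds=300):
        """Mint a token scoped to exactly one activity (just-in-time)."""
        try:
            privs = ACTIVITY_PRIVILEGES[activity]
        except KeyError:
            raise PermissionError(f"no policy for activity {activity!r}") from None
        token = ActivityToken(
            token_id=secrets.token_hex(16),
            subject=subject,
            activity=activity,
            privileges=privs,
            expires_at=self._clock() + ttl_seconds,
        )
        self._live[token.token_id] = token
        self.audit.append(("issued", subject, activity, token.token_id))
        return token

    def authorize(self, token, privilege):
        """Check one privilege against a live token; an expired token is destroyed."""
        live = self._live.get(token.token_id)
        if live is None:
            return False
        if self._clock() >= live.expires_at:
            self.revoke(live)    # time-bound: nothing lingers past the TTL
            return False
        return privilege in live.privileges

    def revoke(self, token):
        """Destroy the token so the grant cannot be replayed afterwards."""
        live = self._live.pop(token.token_id, None)
        if live is not None:
            self.audit.append(("revoked", live.subject, live.activity, live.token_id))

    def run_activity(self, subject, activity, action):
        """Issue, run, and always revoke, even when the action raises."""
        token = self.request_activity(subject, activity)
        try:
            return action(lambda privilege: self.authorize(token, privilege))
        finally:
            self.revoke(token)


def demo():
    """Constructed walk-through: one service restart with nothing left behind."""
    broker = ZspBroker()

    def restart(can):
        # The task may restart the service but may not touch certificates.
        return {"restart": can("service:restart"), "cert_write": can("cert:write")}

    result = broker.run_activity("alice", "restart-service", restart)
    return result, broker.standing_privileges(), [e[0] for e in broker.audit]


if __name__ == "__main__":
    print(demo())
```

The `finally` in `run_activity` is the part that matters for the "no artifacts remain" claim: a crashing task still tears its grant down. The audit list stands in for the session record a real PAM product would keep, and the injectable clock lets the TTL path be checked without waiting.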
Why not zero standing privileges?
Between the success of ephemerality in other technology segments and the frightening level of risk privileged accounts pose to organizations, it’s clear that the removal of privileged accounts is the fastest and most pragmatic way to reduce the risks of privilege account compromise and, thus, lateral movement, privilege escalation, and ultimately data breach. So, what options do organizations have to begin the process of reducing their privileged account footprint?
For organizations heavily invested in Microsoft 365 and largely AD-connected infrastructures, many have found value in Microsoft’s Azure Privileged Identity Management (PIM). Like most privileged access management solutions, Azure PIM provides a just-in-time approach to granting privileged access, with time-bound restrictions, approval workflows, integration with RADIUS-based MFA, and justification and notification facilities. A few limiting factors, however, are that its usability is constrained to Microsoft-centric technologies and that, while it is effective for mitigating the opportunity for Pass-the-Hash attacks through the use of LAPS, it has no current capabilities for mitigating other threats like Pass-the-Ticket.
Alternatively, solutions like Stealthbits Privileged Activity Manager (SbPAM) provide these capabilities and much more across any platform, from on-premises Windows, Unix, and Linux systems to cloud-based infrastructure, critical services like Active Directory, network peripherals, IoT devices, and beyond. Regardless of platform, Stealthbits’ solution first discovers and onboards privileged accounts, systematically removing those that don’t need to exist in perpetuity and replacing them with policies that allow administrators to perform a given activity exactly when they need to, with just the right amount of access. Privileged sessions are monitored for security, compliance, and on-demand playback, and privileged accounts are destroyed immediately after use, wiping resources clean of any remaining artifacts attackers can exploit and restoring the environment to a zero-access-by-default state.