Privileged access management augmented by bots

Privileged Access Management (PAM) is a very hot topic nowadays. A global survey of over 1,000 IT security decision makers has revealed that 64% believe they've had a direct or indirect breach due to employee access in the last year.

Really alarming figure to be honest.

PAM controls the access of authorised users to privileged accounts across systems and applications. Granting a privileged account in a production environment is a very big risk and can have serious consequences in case of inappropriate usage. Compromise of these accounts can have even higher (not to say catastrophic) consequences.

Needless to say, it is critical for any organisation to detect unusual activities and trigger the necessary actions in a timely manner. The reaction speed, which is basically the window to flag and stop unintended behaviour from occurring again, is essential.

Reality-check for many organisations

There is a high probability that you are already using some off-the-shelf solutions to manage privileged access (such as CyberArk, BeyondTrust, Centrify, etc.). There is no doubt that these advanced solutions have allowed organisations to increase the level of automation in order to successfully be and stay in control. Built-in approval and password rotation controls, combined with workflow-enabled capabilities have finally been embedded into the end-to-end PAM process.

But paradoxically, the management of privileged access remains a labour-intensive process where end-users are still performing a high volume of routine and mechanistic rule-based activities (especially the review of logs after each usage of privileged accounts).

The good news is that organisations can significantly boost existing capabilities by bringing in the next layer of automation. I would call that "privileged access on steroids". Nothing about advanced cognitive automation, just a mix of robots that do and think (just a little bit) in order to orchestrate the end-to-end PAM process more efficiently.

Below is an illustrative case (privileged access management in an SAP system) where extended usage of Robotic Process Automation (RPA) combined with a conversational bot (Chatbot) can drastically improve process efficiency, quality and compliance.

Here comes the Bot Approver...

Employee starts writing to a chatbot: “I need access to a privileged account in SAP ECC production client”

Chatbot: “Provide a valid incident or change request number”

Employee: “CRN12345”

Chatbot: "Change request is valid. Change owner and privileged account owner have approved usage against your access request and corporate ID. However, I cannot process your request at the moment because you have not completed your mandatory refresher training. Please complete again the e-learning course EASAP-125 (Corporate usage of privileged accounts in SAP) or attend the next instructor-led session planned for 14 June 2019".

Angry employee completes the training and writes again to the chatbot.

Chatbot: "Privileged account PIVE023 has now been provisioned in the SAP CRM system. Based on the criticality of the transaction codes being requested and in alignment with the policy governing usage of privileged accounts in SAP, your access has only been granted for a period of 2 days within the approved change execution window".

"Don’t forget to enter the change request number prior to each login session executed via the privileged access account. This is the second time that deviations from the process have been detected. If you fail to comply, your access will be immediately revoked in accordance with the corporate security policy. Be also aware that you will not be authorised to raise additional access requests for a period of 2 months".

Angry employee closes the chat and starts using the privileged account. Yes, I must admit that this is a very drastic approach!

After having completed the first privileged access logon session, a log review workflow of transactional usage is immediately triggered and sent to...the Bot Reviewer.

...Monitored by the Bot Reviewer...

The bot reviewer will first identify if the logon session has been initiated from a legitimate machine (physical and virtual desktops) and from a legitimate location (by checking IP addresses).

The bot will then immediately verify if a valid change request number has been entered (crucial information that allows planned transaction code usage to be identified). If this initial check is positive, the bot will verify whether significant deviations exist between planned and actual transaction code usage.

The word significant here is quite important. In my view, the bot should be able to assess if the additional transactions/activities that have been executed, but not initially listed in the change request, actually satisfy the appropriate conditions to pass the log review.

The intelligence (this is probably a very big word in this context) injected into the bot in order to assess if a “pass” condition is met can obviously vary and should be calibrated based on requirements. For example, the bot will verify if the combination of transactions executed during the logon sessions has actually led to a security violation with respect to the existing segregation of duties policy.

If the above conditions are not met, the bot will immediately inform the relevant compliance oversight functions to further investigate the case and will invoke the Bot Enforcer.

...Governed by the Bot Enforcer...

When a log review fails, the bot enforcer will automatically record and compare the name of the offender against a “black list” (which is a historical audit trail of past breaches). Based on that check, different sets of actions (from moderate to drastic) will be performed by the bot:

  • For first and second time offenders: in addition to immediately revoking the access to the privileged account, the bot will inform the end-user that a training refresher is required and that a new request needs to be raised via the Chatbot. The bot will then send an email to the change owner, privileged account owner, user’s line manager, security team and relevant compliance oversight functions to report the deviation (via an auto-fill mechanism). The change owner will be responsible for undertaking a root cause analysis and initiating the appropriate corrective actions (humans can finally focus on performing judgemental and high-value activities).
  • For third time offenders: in addition to the above activities, the bot will remove the ability of the end-user to use the privileged access process for a period of 2 months.
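As an added illustration (not code from the original article), the Bot Reviewer checks described above and the Bot Enforcer escalation tiers sketched in Python. The change request, host and IP allow-lists, segregation-of-duties conflict pair, tolerated display-only transactions and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed reference data (assumptions, not from the article).
CHANGE_REQUESTS = {"CRN12345": {"SE16", "SM30"}}        # planned T-codes per CRN
LEGIT_HOSTS = {"WKS-0042", "VDI-0101"}                   # approved physical/virtual desktops
CORPORATE_PREFIXES = ("10.20.",)                         # approved source IP ranges
SOD_CONFLICTS = [frozenset({"FK01", "F110"})]            # vendor master + payment run
BENIGN_EXTRA = {"SU53", "SM21", "ST22"}                  # unplanned but display-only, no deviation


@dataclass
class Session:
    user: str
    host: str
    ip: str
    crn: Optional[str]      # change request number entered at logon, if any
    tcodes: List[str]       # transaction codes executed during the session


def review_session(s: Session) -> Tuple[bool, List[str]]:
    """Bot Reviewer: machine/location check, CRN check, then planned-vs-actual and SoD."""
    findings = []
    if s.host not in LEGIT_HOSTS:
        findings.append(f"logon from unknown machine {s.host}")
    if not s.ip.startswith(CORPORATE_PREFIXES):
        findings.append(f"logon from non-corporate IP {s.ip}")
    planned = CHANGE_REQUESTS.get(s.crn or "")
    if planned is None:
        findings.append("no valid change request number entered")
        return False, findings                       # cannot assess planned usage at all
    executed = set(s.tcodes)
    unplanned = executed - planned - BENIGN_EXTRA    # "significant" extras only
    if unplanned:
        findings.append(f"unplanned T-codes executed: {sorted(unplanned)}")
    for pair in SOD_CONFLICTS:
        if pair <= executed:
            findings.append(f"segregation-of-duties violation: {sorted(pair)}")
    return not findings, findings


def enforce(user: str, review_passed: bool, history: Dict[str, int]) -> List[str]:
    """Bot Enforcer: escalate based on the user's prior failed reviews (the "black list")."""
    if review_passed:
        return []
    history[user] = history.get(user, 0) + 1
    actions = ["revoke privileged account",
               "require training refresher and new request via chatbot",
               "email change owner, account owner, line manager, security, compliance"]
    if history[user] >= 3:
        actions.append("block privileged access requests for 2 months")
    return actions
```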

Benefits of privileged access management on steroids

In my humble opinion, a key objective when deploying extended automation is that tasks executed by bots should bring more value than activities previously performed by human operators. In other words, bots should bring a tangible added value compared to the “as-is” process…Here are a few benefits:

Increased process efficiency

  • Automated verification of information against the approved change request.
  • Automated selection of appropriate privileged accounts (based on planned transaction code usage) and assignment duration (based on criticality of transaction codes).
  • Automated creation of access requests in the existing PAM system including references to change request numbers (keeping a consistent audit trail).
  • Automated and continuous log review of privileged account usage (7 days a week and 24 hours a day).

Increased process accuracy

  • 100% accuracy in comparing planned transaction code usage versus actual usage and detecting process deviations. No human errors due to lack of attention, THE biggest issue in any privileged access management process.
  • Automated analysis of false positives: comparison of additional transaction codes that have been executed (not specified in the initial request) against pre-defined simple and/or complex criteria in order to avoid unnecessary reporting of process deviations.

Increased process compliance and discipline

  • Real time training verification ensuring that users have undertaken the necessary training.
  • Analysis of deviation history leading to a go/no-go decision for the assignment of privileged accounts.
  • Very high frequency (almost real-time) of log review leading to early detection of unusual activities and security breaches.
  • Disciplinary actions are automatically enforced. Targeted and immediate communications to key stakeholders when repetitive non-adherence to existing policies is detected.

I hope that you enjoyed the reading. If you would like to receive my future posts then please follow me.

Opinions expressed are solely my own and do not necessarily express the views or opinions of my employer.

Roland Carandang

MD, UK Technology Consulting Leader @ Protiviti | Simplifying technology strategy, execution and innovation

5 years

Nice one Ralph. Have you considered launching the privileged session from the chat itself? It could ease the business change if all sessions were done in that way. I also can’t help but wonder if this would allow the bot to then do more proactive checking of the activities (inspecting it through a tunnel or proxy of some sort). Having the session data would then of course facilitate analytics (i.e. lots of similar looking sessions can potentially be automated).

Phani Kumar

IT Platform Solution Manager at Philips GBS (Chennai-Global Hub)

5 years

That's a good way of process automation, but Ralph, can it be possible for the bot reviewer to control or to log the (repetitive) use of the same Chg/req number to get access for different Tcodes at different times? Normally this kind of scenario can be seen in IT partners' WOW who are into Production support.

Ivan Parvanov

My mission: get SAP Security demystified for all struggling or scared companies

5 years

A great point is made about automation of the ever increasing number of checks, rules and validations that have to be met. However, it is interesting what would make the end user actually angrier: using a (sometimes) complex self-service user interface OR being walked through the procedure by the "bot security officer".

Kunal Kant

Director SAP Security, Controls & GRC

5 years

Great articulation of automating the process. Have you already implemented it?
