What Do You Need in a PAM Solution?
Miles Dolphin
Cyber Security, Technology and Risk Executive | Board Member | CISSP | Speaker | Patent Holder | Product Manager
With credential theft confirmed as one of the top risks by multiple industry reports, including the Verizon Data Breach Report, it is critical that we understand what is required in a Privileged Access Management (PAM) solution.
THE GOAL IS TO MINIMIZE RISK
There are many great solutions out there, all with varying features and methodologies; some of the leading ones include CyberArk, HashiCorp, BeyondTrust, SecureDen, Astrix Security and Saviynt. Whichever product you choose, the goal is ultimately to minimize three risks:
1. Unauthorized Access - Stolen credentials resulting in unauthorized access
2. Unauthorized Change - Systems being changed without approval
3. Non-Repudiation - Lack of visibility into who is actually using an account
PRINCIPLES
- Least Privilege Access - Grant the least level of access, to the least number of assets, for the least amount of time
- Minimize Knowledge of Credentials - Use session brokers so that people never need to know the credentials
- Segregation of Duty - Separate the person requesting access from the person approving it
- Require Access Context - Attach context to every access request, including incident/change/Jira numbers and the reason access is being granted, so logs can later be validated against the stated intent
DEFINITIONS
What are credentials anyway?
Passwords, secrets, keys, tokens, passphrases, PINs, biometrics, etc.
They are all the same, right? Actually they are not. I often hear that credentials should be kept secret; however, not all of them are secrets. Let's acknowledge the elephant in the room: there is a lot of confusion about these terms because the words have evolved over time.
It is important to understand what each term means. Each type of credential does authenticate you, but each has different characteristics, and these matter because they influence both how you secure it and the level of protection it provides.
PASSWORD ROTATION REQUIREMENTS
NEW CLOUD BASED APPLICATIONS
1. PULL CREDENTIALS - from a central password vault. This is done via APIs, including web services, command-line tools and vendor-provided packages.
A. Security Requirement - Lock down the credentials used to authenticate to the vault.
B. Security Best Practice - Authenticate using a certificate or an encrypted set of credentials
C. Security Best Practice - Restrict the connection by source IP address
D. Security Best Practice - Lock down the "calling script" with a checksum check and a manual review to ensure the password is not logged or printed during execution
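The pull model above, as an added example that is not from the original article or from any particular vault product. The vault URL, the JSON response shape and the account name are assumptions; the constructed `FAKE_VAULT_RESPONSE` stands in for the network call so the script runs offline. It shows the controls in the list: an mTLS opener for certificate authentication (B), a `Secret` wrapper plus a logging filter so the password is never printed or logged (D), and a self-checksum the script verifies against the value recorded at review time (D).

```python
"""Pull-model vault client (added example, hypothetical vault API).

Shows the controls from the list above: the script authenticates with a
client certificate (mTLS), the credential is wrapped so it cannot be printed
or logged by accident, any leak into a log line is masked, and the calling
script verifies its own checksum before it runs.
"""
import hashlib
import hmac
import json
import logging
import ssl
import urllib.request
from typing import Callable

# Constructed sample response, standing in for the vault over the network.
FAKE_VAULT_RESPONSE = json.dumps(
    {"account": "svc_report", "password": "Tr0ub4dor&3"}
).encode()

# Hypothetical vault endpoint; the real URL depends on the product in use.
VAULT_URL = "https://vault.example.internal/api/accounts"


class Secret:
    """Holds a credential so that str(), repr(), f-strings and print() all show
    a marker instead of the value. Only reveal() returns the real value, which
    keeps the places a password can leak from down to one."""
    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


class RedactingFilter(logging.Filter):
    """Masks registered secret values that reach a log record anyway, e.g.
    because a library echoed a connection string into an exception message."""

    def __init__(self) -> None:
        super().__init__()
        self._values: list[str] = []

    def register(self, secret: Secret) -> None:
        self._values.append(secret.reveal())

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        for value in self._values:
            if value:
                message = message.replace(value, "***")
        record.msg, record.args = message, ()
        return True


def render_log_line(redactor: RedactingFilter, fmt: str, *args) -> str:
    """Format one record through the redactor and return the message text."""
    record = logging.LogRecord("vault", logging.INFO, __file__, 0, fmt, args, None)
    redactor.filter(record)
    return record.getMessage()


def mtls_opener(cert_file: str, key_file: str, ca_file: str) -> urllib.request.OpenerDirector:
    """HTTPS opener that presents a client certificate to the vault and only
    trusts the vault's own CA (best practice B above)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch_credential(account: str, fetch: Callable[[str], bytes],
                     vault_url: str = VAULT_URL) -> Secret:
    """Pull one account's password and wrap it immediately. `fetch` is the
    transport (e.g. lambda url: mtls_opener(...).open(url).read()), injected
    so the function can be exercised offline against FAKE_VAULT_RESPONSE."""
    body = json.loads(fetch(f"{vault_url}/{account}"))
    return Secret(body["password"])


def script_sha256(path: str = __file__) -> str:
    """SHA-256 of the calling script itself."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def verify_script_integrity(expected_sha256: str, path: str = __file__) -> bool:
    """Refuse to run if the script differs from the reviewed version whose
    checksum was recorded at review time (best practice D above)."""
    return hmac.compare_digest(script_sha256(path), expected_sha256.lower())


if __name__ == "__main__":
    secret = fetch_credential("svc_report", lambda url: FAKE_VAULT_RESPONSE)
    redactor = RedactingFilter()
    redactor.register(secret)
    print(secret)  # Secret(<redacted>)
    print(render_log_line(redactor, "connect failed for pw=%s", secret.reveal()))
```

In a deployment, `fetch` would be `mtls_opener(cert, key, ca).open(url).read()` and the expected checksum would be stored outside the script (for example in the job definition), so that a modified script cannot simply update its own expected value.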
MOST EXISTING APPLICATIONS
2. PUSH CREDENTIALS - Many applications cannot be re-architected to change where they store their credentials. This puts a requirement on the password vault to initiate the password rotation and update every location where the credentials are stored.
A. Security Best Practice - Standardized adapters that push passwords across the wire over a secure, open protocol, e.g. HTTPS
B. Security Best Practice - A generic framework to call a script that updates a password securely, where the script is customized to change the password and keep it encrypted at rest
C. Security Best Practice - Ability to push credentials in encrypted form to common locations, including OS services, scheduled jobs, monitoring processes, JDBC connections, application local user repositories and external password stores
INTEGRATION CHALLENGES
Challenge - Not all systems provide an integration API to update credentials.
Solution - Use a two-password approach: have the password vault create two different credentials under two different accounts. Then, once a quarter, have two people each check out one of the passwords and update the destination system with the combined password.
Ex: Account1 - LeftHalf - Password1
Account2 - RightHalf - Password2
Destination System - LeftHalf + RightHalf
This way no single person knows the full password.
Challenge - The system has too many endpoints, all with the same password and no API. This can happen with systems like AV equipment, where local accounts are used to minimize dependencies but each local password can only be changed locally.
Solution - Automate with robotic process automation, which in practice means screen scraping. This can be done with automation suites such as UiPath, Automation Anywhere or Blue Prism, or with scripting languages such as Python, PowerShell, Expect, Tcl, etc.
PASSWORD DEPENDENCY CHALLENGES
COMMON CREDENTIAL LOCATIONS
RISK - Changing credentials is a big concern for many organizations because it can mean an unexpected outage if the credentials are in use and hard coded somewhere. Anything still presenting the old password can lock out or disable the account, or effectively create a denial of service against your own system.
RISK - We don't know where the credentials are hard coded! They could be in credential files, services, scheduled jobs, monitoring jobs, etc.
SOLUTION - Discovery - More and more password vaults now perform a level of discovery to identify the accounts they need to onboard. This ranges from simple Active Directory scans to scanning services and local configuration files.
These solutions range from agentless products, which require a very high level of access such as domain admin, to agent-based products, which require local admin rights on each machine and a wide degree of oversight to maintain the distributed agents.
ACCOUNT MANAGEMENT CHALLENGES
Challenge - Managing multiple password rotation policies
Solution - Standardize policies and minimize them where possible. Try to have common schedules for rotation. Rotate dev, UAT, DR and then prod, in that order, separated by a week, so that gaps are found and addressed before they become a bigger issue.
Challenge - Passwords changing in more than one place is a recipe for disaster. This can happen when passwords expire while also being automatically rotated. It becomes even more likely when passwords are mastered in both Active Directory and a password vault.
Solution - Choose one location as the master and synchronize the others from it.
RESILIENCY CHALLENGES
Challenge - Storing credentials for an entire company in one vault is tricky if the vault itself has resiliency problems, as an outage can take down every system you are securing.
Solution - Local password caches, which can be implemented with local agents; replication of the password vault database; multiple application servers; and load balancing.
LEAST PRIVILEGE CHALLENGES
Challenge - Most accounts gain permissions over time as more and more integrations are set up using the same account. This means system, service and integration accounts typically end up out of line with least privilege.
Solution 1 - Create High/Medium/Low accounts with varying degrees of permissions.
Solution 2 - Create a framework to manually assign permissions to accounts.
Solution 3 - Have the tool observe how users actually use their access and restrict it to specific commands and actions.
Solution 4 - Standardize access profiles based on function or role.
PROPRIETARY CHALLENGES
Challenge - Security through obscurity is an outdated idea. Unfortunately, some companies are still using proprietary protocols which, while appearing secure, can only be validated through a pen test from the outside, and that is simply not good enough.
Solution - Systems are more secure when they are open and tested by all parties, as this enables the wider security community to find and fix vulnerabilities. It is better to use standardized encryption and to protect the master key in an external system such as an HSM.
SESSION MANAGEMENT CAPABILITIES
When you have session management in place for connections to downstream IT systems, you gain the additional ability to add:
- Logging of activity in a text-based format for ease of searching
- Video-based recording of activity
- Risk scoring to identify activity that is suspicious and potentially dangerous
- Prevention of commands - the ability to restrict certain activity within a session
- Termination of sessions - either by rules or manually
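The command filtering, risk scoring and rule-based termination above, as an added example that is not taken from the article or from any PAM product. It models a broker sitting in front of a shell session: every command produces one searchable text log line, deny rules refuse a command, scored rules raise a per-session risk total, and the session is terminated once that total crosses a threshold. The rules, scores, threshold and the sample session are all constructed for illustration.

```python
"""Session command policy (added example, not from any PAM product).

Models several of the capabilities listed above for a brokered shell session:
text logging of every command, a risk score that accumulates per session,
command prevention via deny rules, and rule-driven termination.
Rule patterns, scores and the sample session are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str
    block: bool  # True: the command is refused; False: allowed but scored
    score: int   # risk added to the session when the rule matches


# Constructed policy: what to stop outright and what merely raises the score.
RULES = [
    Rule("block-shutdown", r"^\s*(sudo\s+)?(shutdown|reboot|halt)\b", block=True, score=5),
    Rule("block-shadow-read", r"/etc/shadow\b", block=True, score=5),
    Rule("flag-sudo", r"^\s*sudo\b", block=False, score=2),
]
TERMINATE_AT = 8  # the session is cut once the accumulated score reaches this


@dataclass
class LogEntry:
    seq: int
    command: str
    allowed: bool
    matched: List[str]
    score: int        # running session score after this command
    terminated: bool

    def as_text(self) -> str:
        """One searchable text line per command (the text-log capability)."""
        verdict = "ALLOW" if self.allowed else "BLOCK"
        tail = " TERMINATE" if self.terminated else ""
        return (f"seq={self.seq} verdict={verdict} score={self.score} "
                f"rules={','.join(self.matched) or '-'} cmd={self.command!r}{tail}")


class SessionMonitor:
    """Evaluates commands one at a time and keeps the session's running state."""

    def __init__(self, rules=RULES, terminate_at: int = TERMINATE_AT) -> None:
        self._rules = [(r, re.compile(r.pattern)) for r in rules]
        self._terminate_at = terminate_at
        self.score = 0
        self.log: List[LogEntry] = []
        self.active = True

    def evaluate(self, command: str) -> LogEntry:
        """Score and allow/block one command; mark the session terminated once
        the accumulated score reaches the threshold."""
        hits = [r for r, rx in self._rules if rx.search(command)]
        self.score += sum(r.score for r in hits)
        if self.score >= self._terminate_at:
            self.active = False
        entry = LogEntry(
            seq=len(self.log) + 1,
            command=command,
            allowed=not any(r.block for r in hits),
            matched=[r.name for r in hits],
            score=self.score,
            terminated=not self.active,
        )
        self.log.append(entry)
        return entry


def run_session(commands: List[str], monitor: Optional[SessionMonitor] = None) -> List[LogEntry]:
    """Feed commands through the monitor until it terminates the session."""
    monitor = monitor or SessionMonitor()
    for cmd in commands:
        monitor.evaluate(cmd)
        if not monitor.active:
            break  # commands after this point never reach the target system
    return monitor.log


# Constructed sample session: the last command is never evaluated because the
# one before it pushes the score past the threshold.
SAMPLE_SESSION = [
    "ls -la /var/log",
    "sudo systemctl status sshd",
    "cat /etc/shadow",
    "sudo shutdown -h now",
    "whoami",
]

if __name__ == "__main__":
    for entry in run_session(SAMPLE_SESSION):
        print(entry.as_text())
```

The split between `block` and `score` is deliberate: a blocked command is still logged and still counts toward the score, so a user who keeps probing the deny list is terminated by the accumulated risk rather than being allowed to try indefinitely.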
SCANNING FOR PASSWORD EXPOSURE
Challenge - It is a real concern that your passwords may be findable, as they turn up in code repositories, documentation, SharePoint, shared drives, TWikis, wikis, Confluence, user guides and even binaries once decompiled.
Solution - Scan for credentials based on common credential signatures. Create workflows to lock down the affected documents, and workflows to safely unlock them once they have been remediated.
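A signature-based scan of the kind described here, as an added example that is not from the article or from any scanning product. It serves both the discovery point under PASSWORD DEPENDENCY CHALLENGES (finding where credentials are hard coded in configuration files, scripts and key material) and the exposure scan above (finding them in documentation and repositories). The sample files and the three signatures are constructed; the AWS key id in the sample is the documented example value, not a real credential. Findings carry the offending line with the secret masked, so the report itself does not become another place the password is exposed.

```python
"""Credential-signature scanner (added example, not from any product).

Walks a set of files, matches each line against credential signatures, and
returns findings with the secret value masked. The sample corpus and the
signatures are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample corpus: path -> contents. AKIAIOSFODNN7EXAMPLE is the
# documented AWS example key id, not a live credential.
SAMPLE_FILES = {
    "app/config.properties": (
        "db.user=report_svc\n"
        "db.password=S3cr3t!Pass\n"
        "jdbc.url=jdbc:postgresql://db01/reporting\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "docs/runbook.md": "Log in as admin; ask the vault team for the password.\n",
    "etc/backup.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

# (rule name, compiled regex, index of the group that holds the secret value)
SIGNATURES = [
    ("password-assignment",
     re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[=:]\s*(\S+)"), 2),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # the offending line with the secret value masked


def mask(line: str, start: int, end: int) -> str:
    """Replace the span [start, end) of a line with a fixed mask."""
    return line[:start] + "***" + line[end:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Match every line of one file against all signatures."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, regex, group in SIGNATURES:
            match = regex.search(line)
            if match:
                snippet = mask(line, match.start(group), match.end(group))
                findings.append(Finding(path, lineno, rule, snippet))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory corpus (path -> contents) in a deterministic order."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_directory(root: str) -> List[Finding]:
    """Scan a real directory tree; binary or unreadable files are skipped."""
    corpus: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8") as fh:
                    corpus[os.path.relpath(full, root)] = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
    return scan_files(corpus)


def files_to_lock(findings: List[Finding]) -> List[str]:
    """Distinct paths to hand to the lock-down workflow, in sorted order."""
    return sorted({f.path for f in findings})


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.path}:{finding.line} [{finding.rule}] {finding.snippet}")
    print("lock:", files_to_lock(scan_files(SAMPLE_FILES)))
```

The runbook line mentions the word "password" but is not reported, because the signature requires an assignment operator after the keyword; tuning that balance between false positives and misses is where most of the work on a real scan goes.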