I know when to log out
Know when to log in
Get things done
In the spirit of David Bowie, let's explore how to navigate the labyrinth of privileged access management without getting "Under Pressure."
No one wants to mistype a common command, copy proprietary data to a public location, or delete their operating system. Having multiple accounts, one for everyday work and separate privileged accounts for sensitive tasks, is meant to keep the technician focused on the task at hand and to limit the damage a slip can do.
No one wants their privileged accounts taken over by malicious actors, either. Should attackers compromise one account, they can use it to move laterally until they find an account that grants them access to sensitive resources. Technically, every action on every account can be logged, but can those logs then be stored, retrieved, and analyzed to confirm that nothing odd happened today? Who has the time and storage to do that for every account on every system?
Unfortunately, constantly switching into a separate privileged account is inconvenient for a technician who has to do it many times a day. This makes it tempting to perform all tasks with elevated privileges, which undermines the purpose of having separate accounts. Security and convenience often clash, but technicians need a balance that lets them work efficiently without spending excessive time managing passwords and logging into various privileged accounts.
I catch another phish
Then, configure firewall rules
As I need to do my job
And tell attackers bye-bye
So I try, I try…
The Role of PIM/PAM
This is where Privileged Identity Management (PIM) and Privileged Access Management (PAM) play a crucial role. The two overlap: PIM is generally about which roles an identity is eligible for and the lifecycle of those assignments, while PAM is about controlling the privileged sessions and credentials themselves. Either way, a technician can be assigned several roles that define what they are authorized to do, elevate into a role only when a task needs it, and have the access revoked automatically once the time window closes.
From the technician's perspective, they log in once and then elevate into a role for specific tasks. The elevation step can require multi-factor authentication (MFA) and is time-limited: the technician requests a duration, and the system can cap it per role, for example granting application administration rights for no more than 15 minutes.
From the attacker's perspective, compromising one account no longer buys much. Even if they get our tech's credentials, the account is unprivileged by default, so lateral movement is harder, and they would still need to get past the MFA-gated elevation step to reach their goal. Because every elevation is a discrete, logged event rather than a standing privilege, an attacker attempting one has a better chance of being discovered.
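The following is an added example, not code from the original post and not the implementation of any PIM/PAM product. It models the just-in-time elevation described above in plain Python: a broker that checks role eligibility, requires MFA, caps the requested duration per role, lets access expire on its own, and writes every decision to an audit trail. The role names, the eligibility table, the per-role caps, and the `mfa_passed` flag (standing in for a real MFA challenge) are all assumptions.

```python
"""Minimal just-in-time (JIT) privilege elevation broker.

Added example, not code from the original post or from any PIM/PAM product.
Roles, eligibility, per-role caps, and the MFA flag are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy: the longest a role may stay active and whether MFA is required.
ROLE_POLICY = {
    "exchange_admin": {"max_minutes": 120, "mfa": True},
    "firewall_admin": {"max_minutes": 30, "mfa": True},
}

# Assumed eligibility: which roles each technician may request at all.
ELIGIBLE = {
    "aladdin": {"exchange_admin"},
    "ziggy": {"exchange_admin", "firewall_admin"},
}


@dataclass
class Elevation:
    user: str
    role: str
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        # Half-open window: access ends exactly at `end`, with no grace period.
        return self.start <= now < self.end


@dataclass
class JitBroker:
    audit: list = field(default_factory=list)
    elevations: list = field(default_factory=list)

    def elevate(self, user, role, minutes, mfa_passed, now):
        """Activate `role` for `user` for at most `minutes`; refuse and log otherwise."""
        policy = ROLE_POLICY.get(role)
        if policy is None or role not in ELIGIBLE.get(user, set()):
            self._log(now, user, role, "denied: not eligible")
            return None
        if policy["mfa"] and not mfa_passed:
            self._log(now, user, role, "denied: mfa required")
            return None
        # The technician asks for a duration; the policy has the last word.
        granted = min(minutes, policy["max_minutes"])
        elev = Elevation(user, role, now, now + timedelta(minutes=granted))
        self.elevations.append(elev)
        self._log(now, user, role, f"granted {granted}m")
        return elev

    def authorize(self, user, role, now):
        """True only while an unexpired elevation exists; nothing needs to be revoked by hand."""
        ok = any(e.user == user and e.role == role and e.active(now)
                 for e in self.elevations)
        self._log(now, user, role, "allowed" if ok else "denied: no active elevation")
        return ok

    def _log(self, now, user, role, outcome):
        # Every decision, granted or denied, lands in the audit trail.
        self.audit.append((now.isoformat(), user, role, outcome))


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.elevate("ziggy", "firewall_admin", 20, True, t0)
    broker.authorize("ziggy", "firewall_admin", t0 + timedelta(minutes=19))
    broker.authorize("ziggy", "firewall_admin", t0 + timedelta(minutes=20))
    broker.elevate("aladdin", "exchange_admin", 480, True, t0)  # capped to 120
    for row in broker.audit:
        print(row)
```

Note that the broker clamps the requested window rather than rejecting an over-long request; a real deployment might prefer to deny and make the technician re-request, which produces one more log line for the analyst.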
(Modern auth) Knows this is me
(Modern auth) Knows my roles
(Modern auth) Gets me access just in time
(Just in time) Limits session time
(Just in time) Less attack space
(Just in time) Puts my trust in PIM and PAM
(PIM and PAM) No unlogged actions
(PIM and PAM) No open tokens
(PIM and PAM) 'Cause I implement modern auth
PIM/PAM also includes an analysis component. All activities are logged, and rules can be set to trigger alerts when any unusual behavior is detected.
Looking at Practical Examples
For instance, let's say techs Aladdin and Ziggy both normally log into work at 8 a.m. from Maryland, US. Aladdin tends to elevate her privileges to Exchange Admin immediately most mornings, spends about two hours making changes in that system, then moves on to purchasing equipment and other tasks. Ziggy answers emails first thing, then does twenty minutes of maintenance on the firewalls, and on occasion also has to pop into Exchange Admin, which means two separate elevations. Aladdin is eligible only to administer Exchange, while Ziggy is eligible for both Exchange and the firewalls. Since they know how long they tend to spend in each system, they elevate for the appropriate amount of time, and then their access drops back to normal on its own.
One day, the PIM/PAM system alerts its maintainers that Aladdin elevated to her Exchange privileges at 2 p.m. from Singapore for only 15 minutes: normal actions, but the wrong time, location, and duration. It may be worth checking whether she is overseas and working while jetlagged. Another day, Ziggy elevates into Exchange at 6 a.m. from a California IP address for a six-hour session and runs a lot of queries, and then at 8 a.m. logs in as usual from Maryland while the California session is still active. One person cannot be in two places at once, so this is not a jetlag question; the maintainers of PIM/PAM should notify the Exchange admins of a likely compromise in progress.
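As an added illustration of the analysis component, here is a small baseline-based checker in Python. It is not code from the original post and not the logic of any particular PIM/PAM product; the elevation log records, the per-user baselines, the thresholds, and the "review" versus "alert" labels are constructed to reproduce the two scenarios above. It flags elevations whose time of day, location, role, or duration deviate from a user's baseline, and separately flags a user holding sessions from two locations at the same time, which is the signal that separates Ziggy's case from Aladdin's.

```python
"""Baseline-based anomaly checks over PIM/PAM elevation logs.

Added example, not part of the original post and not any product's logic.
Baselines, events, thresholds, and labels are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed per-user baselines (in practice derived from weeks of history):
# usual login hours as a half-open [lo, hi) window, usual locations, and the
# typical number of minutes spent in each role the user is eligible for.
BASELINE = {
    "aladdin": {"hours": (7, 10), "locations": {"US-MD"},
                "roles": {"exchange_admin": 120}},
    "ziggy":   {"hours": (7, 10), "locations": {"US-MD"},
                "roles": {"firewall_admin": 20, "exchange_admin": 20}},
}

# Constructed elevation events: (user, role, start, minutes, location).
EVENTS = [
    ("aladdin", "exchange_admin", datetime(2024, 5, 6, 8, 5), 120, "US-MD"),
    ("ziggy",   "firewall_admin", datetime(2024, 5, 6, 8, 30), 20, "US-MD"),
    ("aladdin", "exchange_admin", datetime(2024, 5, 7, 14, 0), 15, "SG"),
    ("ziggy",   "exchange_admin", datetime(2024, 5, 8, 6, 0), 360, "US-CA"),
    ("ziggy",   "firewall_admin", datetime(2024, 5, 8, 8, 0), 20, "US-MD"),
]


def check_event(user, role, start, minutes, location, baseline):
    """Return the list of ways one elevation deviates from the user's baseline."""
    reasons = []
    lo, hi = baseline["hours"]
    if not lo <= start.hour < hi:
        reasons.append("time")
    if location not in baseline["locations"]:
        reasons.append("location")
    typical = baseline["roles"].get(role)
    if typical is None:
        reasons.append("role")            # role the user never normally holds
    elif minutes > 2 * typical or minutes < typical / 4:
        reasons.append("duration")        # far longer or far shorter than usual
    return reasons


def overlapping_locations(events):
    """Find users with concurrent sessions from two different locations."""
    hits = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            a_end = a[2] + timedelta(minutes=a[3])
            for b in evs[i + 1:]:
                b_end = b[2] + timedelta(minutes=b[3])
                # Two windows overlap when each starts before the other ends.
                if a[4] != b[4] and a[2] < b_end and b[2] < a_end:
                    hits.append((user, a[4], b[4]))
    return hits


def analyze(events, baselines):
    """Produce (user, start, severity, reasons) findings for a batch of events."""
    findings = []
    for user, role, start, minutes, location in events:
        reasons = check_event(user, role, start, minutes, location, baselines[user])
        if reasons:
            # A baseline deviation earns a human review (the jetlag question).
            findings.append((user, start.isoformat(), "review", reasons))
    for user, loc_a, loc_b in overlapping_locations(events):
        # One person in two places at once earns an alert, not a question.
        findings.append((user, None, "alert", [f"concurrent sessions {loc_a}/{loc_b}"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, BASELINE):
        print(finding)
```

The thresholds are deliberately crude (a fixed hour window, a 2x/0.25x duration band); the point is that the elevation log, unlike a raw authentication log, already carries the role and the requested duration, so even simple rules have something meaningful to compare against.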
It stops being work
It's automation
I still can do my job
And tell attackers bye-bye
Though they try, they try...
PIM/PAM is one of many tools in the toolbox for protecting privileged accounts, but it does shrink the attack surface of those accounts, by making privilege something that is held briefly and logged rather than permanently, without adding much overhead for the techs who work in them.
For more information on Core Security's identity, account, and privileged access management platform for Linux and UNIX, click here.
Apologies to the late great David Bowie.