Privileged Access Management (PAM) – An essential part of a cybersecurity plan
The digital transformation of companies is accelerating, and it affects every sector of activity.
We are seeing an increasing move to the Cloud, the explosion of the Internet of Things and the generalization of remote working. As a result, corporate information systems have become richer, more complex and more decentralized, and above all more exposed to new forms of cyber-attack.
Indeed, the most critical and most frequent cyber-attacks involve attackers exploiting vulnerabilities to elevate their privileges (according to the Verizon “2020 Data Breach Investigations Report”, 80% of attacks involve the use of lost or stolen credentials). A company looking to protect itself from cyber-attacks must therefore map, control and monitor the privileged accesses that lead to its critical resources.
What is a privileged access?
Initially, the notion of privileged access was limited to the accounts used by in-house administrators to manage and monitor on-premises infrastructure: servers, network and security equipment (firewalls, switches, etc.), backup components, and so on. This view is now obsolete. Privileged access refers to the end-to-end connection chain, initiated by an employee (an internal person) or by a subcontractor (an external person) using privileged credentials, with authorizations high enough for that person to access and manage critical resources or services, whether hosted in the Cloud, on site, or a mix of both.
This new way of looking at privileged access extends the PAM perimeter to new dimensions and new use cases:
- Maintenance actions carried out by the support teams of a software publisher, an industrial manufacturer or a managed service provider also fall into the category of privileged accesses.
- Securing the endpoint device used by internal administrators to manage resources becomes an integral component of privileged access management offerings.
- A community manager authorized to post on a company’s social networks is another example of a person with privileged access, since malicious misuse of that access can cause significant damage to the company’s reputation and share price.
In concrete terms, what does securing and managing privileged accesses consist of?
Securing privileged accesses consists of setting up a governance, organization and technological ecosystem to manage privileged accesses.
The main objective of such an ecosystem is to be able to master privileged accesses by means of the following:
- Discovering privileged credentials (accounts and passwords) and securing them in a central, shared vault: administration accounts, service accounts, machine accounts (IoT and DevOps platforms), maintenance and support accounts, etc.
- Recording connection sessions to ensure, firstly, thorough traceability of administration actions and, secondly, accountability for those actions (in particular where accounts are shared between several people).
- Centralizing the authorizations that give access to critical resources, so as to apply the Principle of Least Privilege.
- Implementing password rotation, i.e. automatically and periodically changing the passwords of privileged accounts (and, for shared accounts, ideally after each use, so that a password seen during one session cannot be reused later).
- Centralizing the accesses leading to resources through a Bastion (or “proxy”) component that establishes a protocol break between the administrator’s workstation and the target. Other features can complement this core, such as reporting capabilities or a workflow for requesting privileged access on a temporary basis.
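The bullets above describe the credential lifecycle a PAM broker enforces: a secret is held in a vault, released only to an entitled requester for a bounded time, every step is written to an audit trail that names the human behind a shared account, and the password is rotated when the session ends. The following is an added illustration written for this article, not code from any of the PAM products named on this page; the account, hostname, requester names and change reference are constructed sample data, and the in-memory vault stands in for a real product's storage and connectors.

```python
"""Minimal model of a PAM credential broker: central vault, least-privilege
entitlement check, time-bounded check-out, audit trail and rotation on check-in.
Illustration only; the vault is in memory and all names are constructed."""
import json
import secrets
import string
from dataclasses import dataclass


@dataclass
class PrivilegedAccount:
    target: str        # resource the account manages, e.g. "db01.corp.example" (assumed)
    username: str      # shared privileged identity, e.g. "root"
    password: str
    rotations: int = 0


@dataclass
class Checkout:
    session_id: str
    requester: str     # the human or service identity held accountable for the session
    account_key: str
    expires_at: int    # epoch seconds
    justification: str


def _random_password(length=24):
    """Rotation uses the OS CSPRNG, never a predictable pattern."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """In-memory stand-in for the central vault plus session broker."""

    def __init__(self, accounts, entitlements, clock):
        self._accounts = {f"{a.username}@{a.target}": a for a in accounts}
        self._entitlements = entitlements   # requester -> set of account keys
        self._clock = clock                 # callable returning epoch seconds
        self._active = {}                   # session_id -> Checkout
        self.audit = []                     # dict events, ready for SIEM export

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def checkout(self, requester, account_key, ttl_seconds, justification):
        # Least privilege: the requester must hold an entitlement to this exact account
        if account_key not in self._entitlements.get(requester, set()):
            self._log("checkout_denied", requester=requester, account=account_key)
            raise PermissionError(f"{requester} is not entitled to {account_key}")
        if account_key not in self._accounts:
            raise KeyError(account_key)
        co = Checkout(secrets.token_hex(8), requester, account_key,
                      self._clock() + ttl_seconds, justification)
        self._active[co.session_id] = co
        # The audit record ties the shared account to the named requester
        self._log("checkout", session=co.session_id, requester=requester,
                  account=account_key, justification=justification,
                  expires_at=co.expires_at)
        return co

    def credential(self, session_id):
        """Release the secret only for a live, unexpired session."""
        co = self._active.get(session_id)
        if co is None or self._clock() >= co.expires_at:
            self._log("credential_refused", session=session_id)
            raise PermissionError("no active checkout for this session")
        return self._accounts[co.account_key].password

    def checkin(self, session_id):
        """End the session and rotate, so the password seen cannot be reused."""
        co = self._active.pop(session_id)
        acct = self._accounts[co.account_key]
        acct.password = _random_password()
        acct.rotations += 1
        self._log("checkin_rotated", session=session_id,
                  requester=co.requester, account=co.account_key)

    def siem_export(self):
        """One JSON object per line, the shape a log forwarder would ship to a SIEM."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.audit)


def demo():
    """Walk one legitimate session and one refused request (constructed data)."""
    now = [1_700_000_000]                  # fixed clock so the run is reproducible
    vault = Vault(
        accounts=[PrivilegedAccount("db01.corp.example", "root", "Initial-Pass-1")],
        entitlements={"alice": {"root@db01.corp.example"}, "bob": set()},
        clock=lambda: now[0],
    )
    co = vault.checkout("alice", "root@db01.corp.example", 900, "CHG-1042")
    password_seen = vault.credential(co.session_id)
    vault.checkin(co.session_id)
    try:
        vault.checkout("bob", "root@db01.corp.example", 900, "curious")
    except PermissionError:
        pass                               # denial is itself an audit event
    return vault, password_seen


if __name__ == "__main__":
    print(demo()[0].siem_export())
```

Running the file prints the audit trail as JSON lines: a check-out attributed to alice, the rotation on check-in, and the denied request from bob. The design choice worth noting is that the secret is only ever released through `credential()` against a live session, so expiry and rotation are enforced at the broker rather than trusted to the administrator.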
The PAM solution at the heart of the Information System
Treating a PAM solution as a technical component sitting in isolation from the rest of the Information System would be a serious mistake. PAM must be integrated with the rest of the Information System in order to build a 360° identity ecosystem without silos.
At the very least, a professional PAM solution must be able to:
- Forward exploitable audit traces to SIEM systems (IBM QRadar, Splunk…)
- Delegate authentication to, and support strong authentication from, an Access Management solution (Okta, Ping, Ilex…)
- Accept provisioning orders for automatic account creation from, and export authorizations to, IGA solutions (One Identity, SailPoint, Saviynt…) for recertification campaigns
- Interface with CMDB solutions to automate the onboarding of new assets
Most solutions on the PAM market (Wallix, CyberArk, BeyondTrust, Thycotic, IBM Secret Server) offer these features and ship with standard connectors and access to their APIs.
What can Synetis do for customers looking to deploy a PAM strategy?
Synetis offers different types of support, adapted to the customer’s level of maturity, the desired level of assistance and the available budget:
- Consulting: expertise and scoping to formalize use cases and requirements, help choose the right market solution, define a PAM target and a pragmatic project plan to reach it.
- Customized PAM integration project: tailored deployment of solutions with a commitment to results, based on a seasoned methodology inspired by the Agile approach.
- PAM MVP (Minimum Viable Product) integration project: an “off-the-shelf” PAM offer designed for rapid initial deployment and easy adoption (the offer includes a precisely defined technical and functional scope).
- PAM Service Center: a team with extensive knowledge of off-the-shelf PAM solutions that assists with deployments and implements solutions.
Synetis offer to manage Privileged Accounts
- Over a dozen consultants dedicated to PAM
- Active partnerships with major market players such as BeyondTrust, CyberArk, IBM, Thycotic, Wallix, etc.
- Technical certifications from software publishers
- Transversal vision, including integration with AM or IGA solutions
- Over 15 projects in progress (as of August 1, 2020) concerning organizations of all sizes and projects of all types (scoping, audit, integration, third-party application management), with a contractual commitment to results (fixed price) or to means (management).