Last Wednesday’s Coffee Talk dealt with the important area of “Authentication of Privileged Accounts.” The session hosts were Vikram Subramanian, VP of Solutions at Simeio Solutions, and Christopher Hills, Deputy CTO at BeyondTrust. Here are some of the highlights from the session.
Can you provide an overview of privileged accounts and access management?
When most people consider privileged accounts, they think of account access by someone in operations, managing a server, system, or application, rather than a consumer of the application. These are super-user, root, admin, and service accounts.
But technically, every account is privileged. When it comes to cybersecurity, it’s not just administrative accounts that are susceptible to theft and breach. Every account is vulnerable and can put a business at risk. An employee’s computer has access to many enterprise systems, like HR, and shared resources and services, like a network share. As you might expect, social media accounts, like Facebook, Twitter, Instagram, and Google, are the most ignored accounts. Every account can potentially be a front door for hackers to gain access to other systems.
What are some best practices for implementing a PAM solution?
Best practices vary from company to company. An acceptable risk for one company, might not be acceptable for another. A best practice is all about what principals and processes are needed to mitigate risk and what risk tolerance each company is willing to accept.
However, if a company is not doing anything in the realm of PAM, they’re not doing best practice. There are many factors that go into determining best practices for each company, with some of the drivers being audits and material risk.
One strategy to follow is to determine a project scope for PAM. Defining the scope will help avoid potential pitfalls. Just remember, don’t try to do everything at once. Define narrow projects with a scope. To achieve success, start with a quick win that you can achieve with PAM, like getting super-user, root, and admin accounts into the PAM system. These are systems where you really need to know who is logging in. PAM will answer the question of who is accessing a system, with a specific user account that can be traced back to an identity. Next, go to the applications. Then address the APIs that integrate the systems.
Since best practices vary from one company to another, what are some pitfalls to avoid?
Sometimes we get so busy collecting and recording session data, that we forget to go back and review all the logs and data. We don’t invest the time to understand what we are doing with the data. If you have all that data, but you’re not watching over it, monitoring and analyzing it, checking and validating entitlements, and running reports, nothing of any great value will be gained from the data.
Do regular and privileged accounts make for a complicated user experience affecting security?
Yes. I’m actually a proponent of having shared accounts among common users and having them access through the PAM system. Just segregate them, and assign different permission types. The key is to use shared accounts in conjunction with PAM and session management, so you have accountability and an audit trail. This will significantly reduce the volume of named privileged accounts to keep track of, and the management complexity.
What is your opinion on just-in-time privileged access for accounts?
Just-in-time PAM can be used in several scenarios. Moving forward, we are going to see more adaptive controls around authentication. It does take more work because there are many more up-front controls and context that needs to be put in place. We’re just beginning to implement more adaptive controls. For many years we’ve been protecting the exterior to keep intruders out. Now we’re focusing on the interior, protecting and validating users, and putting more controls in place.
What is your perspective on zero-trust?
I think zero-trust has been taken out of context from the way it was stated by its originator. In my opinion, zero-trust is not something that is tangible. It should be used as a philosophy. Don’t get me wrong, certain organizations can go to the zero-trust, zero-password architecture. But, if you look at the bigger scale of trying to achieve zero-trust within a cloud-only solution, I don’t believe it’s going to happen. Passwords aren’t going away any time soon. You may or may not see them, because they may be vaulted somewhere. There will be more technology innovation around behavior and AI related to proofing and adaptive controls. This will integrate with a zero-trust philosophy, to validate and authenticate users, no matter where they are.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs, and achieve greater security and privacy using IAM. Click here to sign-up.