One of the major concerns for any identity and access management environment is how to control privileged accounts. Internal employees, or external contractors, are increasingly the source of threat within an organization.
by Graham Williamson
Editor’s note: This chapter is excerpted from chapter 4 of Identity Management: A Business Perspective.
Recent hacking events at some very large organizations have been the result of either overt or surreptitious stealing of login details for privileged accounts. Such events highlight inappropriate procedures to thwart surreptitious approaches to staff and a lack of a risk-management strategy to adequately identify and manage internal staff threat vectors.
Privileged accounts are not normal user accounts. They have special permissions that allow a user logged on with one of these accounts to do specialist activities that are not available to the normal user. A system administrator account is a typical example. In order to manage a system, the administrator needs access to special functions that allow them to do dramatic things. A system administrator can typically access all files, even restricted ones, modify or remove users, and even shut down the system, if necessary. Such actions must necessarily be restricted to trusted staff, and access must be strictly controlled. A “four-eyes” policy will normally be established that, at a minimum, will notify a manager that an account at administrator level has been accessed.
To this end, IT audits typically target the management of privileged accounts to ensure that there is proper governance over the granting of elevated privileges, the monitoring of special account management, and rescinding of privileges as soon as they are no longer required. Failed audits are a major driver for privileged identity management (PIM) system sales.
Types of Elevated Privilege Accounts
All systems have accounts with administrative privileges that normal users cannot access. These include standard system administrator accounts that can undertake special functions at the system level, such as turning on and off services, or the application level, such as adding or deleting users.
For UNIX systems, access at the root level provides access to all management features of the system, including CRUD (Create, Read, Update, Delete) permissions on the file structure.
There are also special accounts for database administrators. Such accounts can manage access to database elements, restricting access to rows, columns, or specific attributes. Tools are available now that will perform real-time redaction on data elements based on the attributes of a user accessing the database.
Principle of Least Privilege
The principle of least privilege states that at any point in time a user should have permissions at the lowest level of access they require to perform their job. Most users only need to access standard functionality, so a user’s normal account should provide permissions only at this level. For instance, if your job requires you to be able to manage printers, your account permissions should allow you access to the printer administration function. Normal users do not need this functionality, so they should not be able to access printers at the management level.
An extension of this principle is very important for privileged accounts. The timeframe during which a user requires special privileges is actually quite small. Most of the time, a system administrator is not managing file shares, removing users, and turning the system off and on; thus, most of the time, standard user permissions are quite satisfactory. The principle of least privilege will therefore suggest that system administrators’ access at an “elevated” level should last for only as long as is necessary to perform the required activity; then the account permissions should revert to a normal user level.
An obvious benefit of such an arrangement is to reduce the incidence of inadvertent system administration activity. If the time a system administrator account is active is limited, the time available for mistakes or malicious activity is reduced. Least privilege also assists in forensic analysis. If accounts operating at an administrative level are minimized, it becomes easier to identify accounts that may have been compromised.
Types of Privileged Account Management
There are several mechanisms used to manage accounts with elevated privileges.
Note: The terms privileged account management (PAM) and privileged identity management (PIM) are often used interchangeably.
Password Vault
PAM systems become the gateway to the systems they protect. They typically comprise a password management facility that manages access to the protected resources. In effect, the PAM becomes the only way users can access the protected systems because they use complex passwords that would take an inordinately long time to crack with a brute-force attack.
PAM systems have the big advantage in that they provide a single location where privileged account passwords are managed. By taking a user out of the PAM system, their access is removed from all relying systems (other systems using complex passwords managed by the PAM system). A password vault system also provides a single sign-on (SSO) facility for users who have elevated privileges. Because the system is managing user accounts in the relying systems, once a user has authenticated to the PAM system, if they can click on the systems that are attached to their account, they can be automatically logged into the new requested system if the PAM has been configured to do so.
ERPM
Enterprise random password manager (ERPM) systems take the PAM operation to the next level. They monitor systems that have privileged accounts and periodically change the account passwords. They typically use a complex password to make any access outside the ERPM system difficult. One advantage of such as system is password rotation. If a management account is ever compromised, it won’t be long until the password is changed.
Default System Password Replacement
A useful capability of some PAM products is the ability to prompt networked systems to identify and update any system that maintains a default password. Systems that have been installed without the default password being changed are automatically updated to a complex password and are then accessed via the PAM system. Though it may be hard to believe, many ransomware attacks have been enabled by systems being deployed without the default password being changed.
Next time: PAM Systems. Want to learn more now? Buy Graham's book today at the MC Press Bookstore.
________________________________________________________________________________________________________________________________________
2 To counter potential corruption in granting access controls, a “four-eyes” policy may be adopted. Such a policy requires more than one person to authorize a user’s access permissions to a sensitive resource.
LATEST COMMENTS
MC Press Online