13
Fri, Dec
4 New Articles

Authentication and Authorization: Why? Part 4: PAM Systems

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The main reason for installing a PAM system is to provide greater security to the granting of access to systems at a specialist functionality level.

Editor’s note: This chapter is excerpted from chapter 4 of Identity Management: A Business Perspective.

Benefits

There are some added side benefits:

  • Logging and monitoring of access to systems at a privileged level can be enabled. If a user remains online for extended periods of time, an alert can be raised and action taken. While this might not indicate nefarious activity, limiting access and returning users to a lower privileged account can minimize the opportunity for mistakes that might inadvertently cause business disruption.
  • PAMs can be configured to automatically notify a manager whenever a privileged account has been accessed. This provides an extra level of monitoring that lessens the likelihood of privileged account abuse.
  • PAMs can also be used to provide additional protection to relying systems. For instance, if system administration work is undertaken only in business hours, the PAM system can restrict access to elevated privilege accounts outside business hours.

Drawbacks

There are some issues to contend with when deploying a PAM system:

  • Business continuity—centralizing account management in one system creates a business dependency on the system and, in fact, PAM systems become mission-critical infrastructure, for obvious reasons. If a PAM system experiences an outage, it is likely that access to other systems, at a privileged level, will be lost. It is therefore very important that PAM systems are built on high-availability or redundant systems and are adequately backed up. Backup data is also critical and must be adequately protected.
  • Audit data—anyone wishing to subvert a system and remove audit trails of covert activity needs access to the system logs of the PAM It is therefore important to ensure that logs are adequately protected in a remote data store. Various technologies can be used to ensure that logs and audit reports remain tamper-proof. These might include storing logs on a protected subnet, the use of encryption, and/or requiring the use of electronic signatures for access.
  • Assurance levels—as noted previously, system administration accounts require a high level of authentication, and PAMs give access to multiple systems at these elevated permission levels. If the PAM provides SSO for privileged users to access multiple systems, it is important that the selected authentication level for the PAM system matches the security level of the most stringent account access available from the system. For instance, an account requires strong password authentication for access to a mail system administrator account but also provides access to a medical records system requiring a smartcard certificate. The PAM system must require users to use their smartcard for access to the system, or prompt for a second factor if the user is not authenticated at the required level.

Strategic Approach to PAM

A PAM system acquisition should be approached from a strategic viewpoint that considers the wider implications of managing elevated privileges. Too often a PAM solution is acquired to provide a point solution for a specific problem. This obviates the benefit of comprehensive identity and access management. It is better to consider the management of elevated privileges as one component of a mature IdM environment and leverage the other components as part of this task.

Other aspects of an IdM environment that should be addressed in light of the PAM requirement are:

  • SSO—does the PAM solution allow system administration personnel SSO? If there is an SSO solution in place within an organization, what are the rules for including PAM-controlled accounts in the SSO environment?
  • Security information and event management (SIEM)—does the PAM system need to communicate with the SIEM system? If the organization uses a SIEM system, is there a need for visibility on out-of-band system administration usage? Any abnormal privileged account usage would normally be visible in the PAM system; the PAM system should also notify the organization’s monitoring and audit facilities of such events.
  • Identity federation—in some cases, privileged account access must be given to external For example, a common requirement is for a heating and air-conditioning contractor to have access to a building control system. In this instance, it is important for the system to be part of an identity federation environment that avoids the use of a generic account for the contractor but at the same time does not require the organization to maintain contractor accounts in its identity management system.

A strategic approach treats the PAM requirement as part of a holistic solution for an organization’s identity and access management task. Privileged accounts are but one aspect of the provisioning and access control task. Many IdM solution vendors have a solution for privileged accounts that is integrated with the identity management system. Thus an organization’s PAM requirement should ideally be added to the system requirements list for the IdM environment and not treated in isolation.

Bottom Line

A PAM system is an important component of an organization’s security and data loss prevention solution. PAMs often represents “low-hanging fruit” when it comes to delivering a quick and effective solution to the protection of accounts with elevated permissions. But PAM systems should be part of the organization’s strategic approach to identity and access management and not a “quick fix” as a result of an audit failure.

Conclusion

Access control is the target of IAM environments. There’s no one-size-fits-all because each organization is on its own trajectory from basic authentication to role-based authentication and may or may not have an application for

authorization. Organizations must develop their own approach to role-based systems and determine how to provision into target applications. Options range from the use of AD groups to setting entitlements directly into target system databases.

For organizations that adopt ABAC systems, the ability to modify legacy systems for policy enforcement and develop a policy administration capability is important.

Use Case: StateGov

Scenario

A state government conducted a review of agency requirements and found that most departments were adding external identities to the government directory in order to give commercial service providers access to departmental systems. It was identified that this was a major source of annoyance for the departments. It was also identified that there were security holes that was raising the risk profile of StateGov.

Strategy

The Department of Transport added certified vehicle safety technicians from over 250 companies to allow them to file roadworthy certificates with the department. This took one full-time employee to maintain.

The Health Department was maintaining the user accounts of 75 radiologists who provided services in the state’s five main hospitals and 55 clinics.

The Family Services Department outsourced social worker activity to four service companies. Due to the churn within this cohort of contractors, generic accounts were used for each company to allow their staff access to the case note files.

Solution

A federated solution was deployed for the Health and Family Services departments whereby reviews of the registration processes of the radiology companies and the social worker organizations were conducted. On the basis of these reviews, a federated authentication service was deployed, which sent a SAML request to the respective organization’s identity provider service when a user requested a login. The resultant SAML assertion was then used to connect the user to the appropriate service.

For the automobile service centers, user accounts were maintained in StateGov’s directory, but a self-service process was initiated with an approval cycle to the director of vehicle safety for authorization of each new person added.


Q & A

Q. Is ABAC a natural progression from RBAC?

A. No. ABAC is a different approach from RBAC. A mature RBAC environment, whether it provisions in AD groups or directly into relying applications, will satisfy most organizations and should only be replaced by an ABAC deployment if there is a need for:

  • A more fine-grained authorization environment that evaluates multiple attributes, including context attributes such as time of day or geo- positioning
  • Better governance with centralized policy administration to harmonize policy across multiple applications
  • Reduced software development costs by externalizing decision-making, and removing access control logic from computer programs

It is expected that more fine-grained attribute-based access control will be adopted by specific industry sectors. For instance, health care could significantly improve access to medical applications with an ABAC installation that checks a health professional’s credentials to operate a machine before giving access, or checks the hospital’s roster before allowing access to an OT application.

Q. Should an ABAC system be XACML based?

A. Not necessarily. While XACML is arguably the most sophisticated ABAC protocol, there are other options. In fact, NIST strongly supports a Next Generation Access Control model (refer SP-800-162). XACML does, however, provide a complete framework, defining communication protocols between the decision point and the policy information point as well as the request-response messages between an application’s PEP and the decision point. This means that, in a fully compliant deployment, components of the system should be easily swapped out and replaced by components from other suppliers.

It is noted that there are some variants of XACML. For instance, while the XACML protocol is XML-based, due to market pressure, a JSON variant is supported, which allows data between the enforcement point and decision point to be communicated in JSON arrays.

It’s also important to realize that not all XACML system are fully compliant, with system suppliers often developing proprietary extensions for specific purposes.

Q. When is a standalone PAM system indicated rather than using the organization’s identity management system?

A. PAMs are often installed after an audit failure or a data breach as a result of a compromised privileged account. Installing a PAM will immediately fix the problem and provide a level of governance over the management of accounts with elevated privileges.

Ideally a strategic view of account management should be taken, which includes the need for management of system administration and service accounts in the organization’s access control policy and procedures. Often PAMs are deployed after an audit that identifies that there are too many privileged accounts and/or orphaned accounts with elevated privileges that have never been disabled. This does not indicate a need for a PAM; rather, it indicates poor identity management practices that need to be rectified.

Check back for another article excerpt series. Can't wait? Buy Graham's book today at the MC Press Bookstore.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: