Securing privileged access through access management is vital because it ensures that an organisation’s people are only granted access to what they need to do their jobs, and only for the period for which they need it. Access management also allows security teams to be notified of malicious activities associated with privilege abuse and to subsequently react to remediate risk.
A privileged account is a user account that has more privileges than an ordinary user: for example, it can read and modify the security-relevant configuration of a system, perform functions that affect many users, and so on. As such, these accounts are the favourite target of attackers (75% of organizations have experienced a breach involving privileged access) and need the strongest protection a business can provide.
This webinar focused on securing access to IT assets such as servers. However, it is important to understand that secure access is also required for many other elements (such as applications) and that there are many different types of privileged access, so security is not a one-size-fits-all solution.
Traditional security approaches used by organizations, including the traditional PASM (Privileged Account and Session Management) solution, are not sufficient on their own to secure privileged access from attackers, because they do not address the 5 key questions that need answering for strong security:
- How to deploy strong authentication?
- How to secure built-in superadmins?
- How to control effective permissions?
- How to manage a large number of servers?
- How to closely monitor operations?
To address this issue, companies can improve the PASM solution to make it more effective at securing privileged access. This is done by:
- Automating permissions as much as possible: Servers are numerous and change frequently, and the same is true of users; standardising and automating permissions allows the organisation to keep up with the pace.
- Addressing other use cases beyond interactive administration: this involves considering other needs so that users do not bypass the PASM. Examples include scripts using admin credentials, break-glass access, and DevOps / machine-to-machine access.
- Designing your account model with least privilege in mind: For example, designing it so that there is a single nominative centralised account per user simplifies management, although it does not limit lateral movement. A local generic account would be the most favourable option on that point, although it is the hardest for an organisation to implement and raises the question of who is responsible for the local accounts, which makes governance more complex.
Are there any risks to PASM?
There is a risk, during the project phase, that admins reject the PASM solution because there was insufficient change management to onboard them from the start. To avoid this, onboarding and training admins on the PASM solution from the beginning is critical. Additionally, deployment difficulty and cost can block the adoption of PASM solutions. Thus, the simpler the access model, the easier and faster the solution is to deploy, which reduces costs. Lastly, an on-premises PASM solution can be very heavy and costly in terms of architecture, so a SaaS solution may be beneficial. Although a thorough security solution, PASM alone may not be the future of privileged access security with the emergence of the ZSP strategy…
Zero-standing privilege (ZSP) is an alternative security strategy that aims to replace persistent accounts and privileges with just-in-time, just-enough access, and it can be applied at both the user and the server level.
User level:
- Zero standing privilege: Users are eligible for a pre-approved set of privileges, but those privileges are not activated by default.
- Just enough admin: When they need to perform an operation, they can activate the minimal privileges…
- Just-in-time: …for the required period of time; privileges are automatically revoked then.
ZSP applied at the user level increases the awareness of users, improves the traceability of organisations’ operations, and helps limit the fat-finger risk.
Server level:
- Zero standing privilege: Accounts do not persist on servers, or, if they do, they hold no permissions.
- Just enough admin: When a user needs to access the server, an account is created on-the-fly only on the targeted server…
- Just-in-time: … only for the duration of the session.
ZSP applied at the server level leaves no standing account to be compromised in a breach, prevents PAM tools from being bypassed, and avoids gaps between theoretical and effective permissions.
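To make the user-level and server-level ZSP mechanics above concrete, here is an added, hypothetical broker model (not code from the webinar or from any product): users hold a pre-approved eligibility set but nothing is active by default, an activation must be a subset of that set (just enough) and is bound to one server for a capped window (just in time), and expiry revokes it automatically while every step is written to an audit trail. The clock is passed in by the caller so the behaviour is deterministic.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    """One just-in-time activation: who, on which server, which privileges, until when."""
    user: str
    server: str
    privileges: frozenset
    expires_at: int  # seconds on the caller-supplied clock

class ZspBroker:
    """Hypothetical ZSP broker: no standing privileges, activation on request only."""
    def __init__(self, eligibility, max_ttl=3600):
        # eligibility: user -> pre-approved privilege set; nothing is active by default
        self.eligibility = {u: frozenset(p) for u, p in eligibility.items()}
        self.max_ttl = max_ttl      # hard cap on any just-in-time window
        self.grants = []            # live grants only; expired ones are dropped
        self.audit = []             # (event, user, server, privileges) for traceability

    def activate(self, user, server, requested, ttl, now):
        """Just-enough admin: grant only a subset of the eligible set, on one server."""
        requested = frozenset(requested)
        eligible = self.eligibility.get(user, frozenset())
        if not requested or not requested <= eligible:
            self.audit.append(("denied", user, server, sorted(requested)))
            return None
        grant = Grant(user, server, requested, now + min(ttl, self.max_ttl))
        self.grants.append(grant)
        self.audit.append(("activated", user, server, sorted(requested)))
        return grant

    def effective_privileges(self, user, server, now):
        """What the user can actually do on this server right now (empty by default)."""
        self._revoke_expired(now)
        privs = set()
        for g in self.grants:
            if g.user == user and g.server == server:
                privs |= g.privileges
        return privs

    def _revoke_expired(self, now):
        """Just-in-time: grants vanish on their own once the window closes."""
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append(("revoked", g.user, g.server, sorted(g.privileges)))
            else:
                live.append(g)
        self.grants = live
```

The same object models both levels: the empty default and the subset check are the user-level rules, and binding each grant to one server for one session window is the server-level rule.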
Is ZSP the future of privileged access management?
ZSP is designed for the future of IT, where many users have access to many changing resources, and it enables efficient use of Zero Trust approaches. However, ZSP does not address all use cases (such as machine-to-machine) and it is still immature, meaning solutions differ widely and field experience is lacking.
Consequently, Wavestone's advice for an optimal strategy is to first define your global PAM strategy, then deploy a solid PASM solution to secure privileged access to your servers effectively, and then consider introducing some ZSP into the estate: for example, at the user level for high privileges or for users with occasional needs, and at the server level for cloud instances.
Webinar accessible here: https://www.thesasig.com/calendar/event/23-10-11-networks/