What do you and your security team need to successfully improve privileged access controls? The first blog in this series offered direction on making the core decisions that power your overall strategy. Next we recommended ways to engage stakeholders across your organization. Now it’s time to provide guidance on the team, techniques, and tools you’ll need to drive this initiative.
Here’s What You Need to Get It Done
- Realistic expectations
Make sure you go into your privileged account management (PAM) deployment with a clear view of the process and its impact on your organization. It is common to scope the initial “quick win” phases to be completed in a matter of weeks, in order to gain traction and prove the value of the initiative. From there, the initiative proceeds in phases. Rolling out better privileged access controls across an enterprise is typically a one- to multi-year effort. Your organization can expect to see results in terms of risk reduction almost immediately after deploying improved controls around the first set of accounts.
During implementation, there will be some temporary disruption to business processes. Post-deployment, business processes are often sped up. If well-planned, improving privileged access controls can provide benefits such as increased efficiency, fewer user errors, increased uptime, and easier troubleshooting. After the initial deployment, an ongoing effort will be required to ensure that privileged access controls keep up with changes in the environment.
- The right people with the right skillsets
PAM solutions can be fairly complex to deploy and maintain. They typically touch multiple IT domains (Windows, Unix, databases, network devices, etc.) and require a broad set of skills, from basic troubleshooting to writing custom scripts and code. This typically requires at least two dedicated engineering resources, a project manager, a service owner, and some engagement from professional services.
Required skillsets include:
- Technical/design – Members of the security team must be able to handle the technical issues, questions, and objections that will arise. Areas of expertise should include:
- The infrastructure used in the organization
- Platforms such as Microsoft Windows and Linux
- Applications and databases
- Application development practices with respect to permissions
- Privileged account security controls
- Security control design
- Processes around technology service management
- Security governance and risk – The team should be able to help business and IT leaders make governance and risk decisions and guide the optimization of policies and processes. This requires a thorough understanding of business operations and goals. Knowledge of identity and access management (IAM) and of account provisioning and maintenance practices is also important.
- Project management – A large-scale privileged access security initiative requires methodical planning and has many moving parts. You will need people with strong project management skills on the team to keep all of the various stakeholder groups aligned and focused on what needs to be done and to make sure it happens.
- Soft skills – The security team will need people with diplomatic skills and an aptitude for negotiation, politics, and communication. Members of the team need to be able to explain why new processes need to be followed and be competent at listening to stakeholders and taking their concerns into consideration.
- Measurable and meaningful metrics
Your PAM deployment needs to deliver results and measurable outcomes. Metrics are valuable to illustrate the need for better controls, measure improvements, and demonstrate the value of the program.
Use metrics to:
- Test effectiveness of controls – Through penetration tests, measure how exposed your credentials are and show how that exposure has been reduced after implementing improvements. A concrete yardstick is how long it takes a tester to gain control of a domain admin account, measured before and after the changes.
- Show when to make course corrections – Measure access violations before and after implementing control changes. Be prepared to rework controls if expected results are not materializing.
- Gauge the effect of controls on efficiency – Calculate the amount of time admins are spending on tedious tasks, such as resetting passwords.
- Measure how the controls impact system availability – Applications with embedded credentials typically need scheduled downtime so the credentials can be changed; record how much downtime each change requires. Admin errors can also inadvertently bring down a system, so compare the time required to recover from an outage before and after implementing control changes.
- Assess impact on application performance – Test application performance and functionality before and after removing embedded passwords from applications.
- A plan with milestones
After identifying priorities, you’ll need to break the priority areas down further into phases. Here is one approach to phasing your PAM deployment.
- Phase 0: Installation and basic configuration of the PAM solution
- Phase 1: Built-in accounts – Identify and onboard built-in accounts and enable password rotation on the accounts.
- Phase 2: Domain admins and individual account privilege revocation – Onboard domain admin accounts into CyberArk. Isolate and monitor sessions to Tier 0 assets. Remove or minimize local server privileged accounts and users that have been added to the “Administrators” group on servers, with the exception of any that are required by service accounts. Make this an ongoing process rather than a one-time cleanup, since local admin membership drifts as servers are built and staff change.
- Phase 3: Databases, Exchange admins and Tier 1 session isolation – Isolate and monitor sessions to Tier 1 assets. Onboard any privileged database and Exchange admin accounts you have.
- Phase 4: Network devices, business apps, security systems, legacy systems – Identify and onboard network devices, business apps, and security appliances. Use privileged session management and the PAM solution’s MFA capability to protect privileged account access to legacy systems.
- Phase 5: Service accounts – Identify and begin addressing the management of service and App IDs.
- Phase 6: Desktop least privileged model and whitelisting of apps (OPM/EPM) – Allow only certain users to elevate their permissions. Limit which apps and commands can be run by which users.
- Phase 7: Corporate accounts – Protect corporate communication and external financial systems accounts and other accounts. Use privilege session management to allow users to use these accounts without revealing the password.
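The Phase 2 cleanup of local “Administrators” groups is the kind of task that only works if it is scripted and repeated. The following PowerShell is an added example, not code from the original post or from CyberSheath: it audits the local Administrators group on a set of servers against an allowlist and, only when asked, removes anything that is not on it. The server names, domain, group and service account names, and the export path are assumptions; the script assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) and WinRM access to the servers.

```powershell
# Added example (not from the original post): audit local Administrators group
# membership against an allowlist and, optionally, remove what is not allowed.
# Server, domain, group and service account names below are assumptions.
#Requires -Version 5.1
param(
    [string[]] $ComputerName = @('APP01', 'APP02'),   # assumed server names
    [switch]   $Remediate                             # default is report-only
)

# Principals permitted to stay in local Administrators everywhere. Human admins
# come in through AD groups, never as individual accounts.
$GlobalAllow = @('CONTOSO\Domain Admins', 'CONTOSO\ServerAdmins')

# Service accounts that legitimately need local admin, listed per server so the
# cleanup never breaks a service (the exception the phase description calls out).
$PerServerAllow = @{
    'APP01' = @('CONTOSO\svc_backup')
    'APP02' = @('CONTOSO\svc_backup', 'CONTOSO\svc_monitor')
}

$findings = foreach ($server in $ComputerName) {
    # Enumerate remotely so names and SIDs resolve on the server itself.
    $members = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource,
                          @{ n = 'Sid'; e = { $_.SID.Value } }
    }

    # The built-in Administrator (RID 500) is matched by SID, not name, because
    # it is commonly renamed; its password is handled by the vault, not removal.
    $builtinAdmin = ($members | Where-Object { $_.Sid -like 'S-1-5-21-*-500' }).Name
    $allowed = @($GlobalAllow) + @($PerServerAllow[$server]) + @($builtinAdmin)

    foreach ($m in $members) {
        if ($allowed -notcontains $m.Name) {
            [pscustomobject]@{
                Server          = $server
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass     # User or Group
                PrincipalSource = $m.PrincipalSource # Local or ActiveDirectory
                Action          = if ($Remediate) { 'Removed' } else { 'ReportOnly' }
            }
            if ($Remediate) {
                Invoke-Command -ComputerName $server -ScriptBlock {
                    param($name)
                    Remove-LocalGroupMember -Group 'Administrators' -Member $name
                } -ArgumentList $m.Name
            }
        }
    }
}

$findings | Format-Table -AutoSize
# Keep the report: the findings over time are one of the metrics discussed above.
$findings | Export-Csv -Path "$env:TEMP\admin-group-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it without `-Remediate` first and review the report with the server owners; once the allowlist is agreed, schedule the remediating run so that anyone added to a local Administrators group outside the PAM process is removed automatically and the addition shows up in the report.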
Keep your momentum. Implementing more advanced controls across a large enterprise often requires a certain persistence and fortitude. A common reporting model is a weekly status meeting for the project team and a monthly review by an executive steering committee.
- The Right Tools
Start by understanding your strategic goals and formulating your approach, then find tools that will help achieve those goals. Take the time to select privileged account security and management tools that support your specific security and enterprise requirements. Adopt processes to get the most out of tools and to help you stay on track. Some technology features that are especially important include the ability to:
- Securely store credentials in an encrypted vault
- Create a single sign-on environment
- Uniquely identify users and restrict their use of privileged accounts
- Limit the length of privileged sessions for a user or application
- Centrally monitor and record the use of privileged accounts
- Automate password changes to run on schedule or trigger when an employee leaves the organization
- Scale and meet performance demands in a large enterprise environment
- Integrate with the organization’s infrastructure, applications, and other security technologies
Other key tools and technologies that can be helpful include:
- Enhanced monitoring and alerting systems such as Security Information and Event Management systems (SIEM) and Security Analytics/Big Data Platforms
- Technology for two-factor authentication to be used for remote access, third parties, and infrastructure administrators who have root or domain admin privileges
The theft of privileged credentials and privilege escalation are key stages in most successful cyber attacks. Today’s threat environment is prompting many enterprises to address the gaps in their security program to better protect privileged credentials. It requires a strong combination of technical and soft skills, a methodical project plan, appropriate tools, and persistence.
CyberSheath has helped implement comprehensive enterprise-wide initiatives in privileged account security. We work with over 50 organizations ranging from the largest financial, healthcare, and development firms with thousands of users to new implementations at organizations with only a handful of IT users. Contact us to get your PAM initiative started.
You’ve made the three decisions necessary to start building your privileged account management (PAM) plan. The next step is to build consensus and create stakeholder buy-in by having four pivotal conversations with key members of your executive, business process, and IT teams.
Who You Should Talk to – And What You Should Say
Executive Team – Lead with, “It’s time to make privileged account management a priority.”
Getting Ready & Intel
- Secure buy-in from the top – The initial deployment will require senior leadership to understand the risks of unsecured privileged accounts, and just as importantly they will need to specify deadlines by which all privileged accounts need to be compliant. The prioritization of a successful PAM project will be driven from the top down. In addition to establishing accord with the CIO/CTO/CISO, it’s important that you have engagement with the compliance and financial executives.
- Garner support to obtain budget and resources – Executive leadership can rally employees to make your PAM initiative an organizational priority, impart a sense of urgency and ownership across the organization, and prevent it from being derailed by minor issues.
- Analysis of high-profile breaches – Describe how privileged access controls factored into particular breaches and relate it to your company’s own risk profile.
- Penetration testing results – Assess how long it would take for a skilled adversary to compromise your organization’s privileged accounts. Show what assets an attacker can get to.
- Benchmarking – Reference industry practices for securing privileged access.
- Compliance requirements – Outline the privileged access regulations applicable to your organization.
- Proof-of-concept results – Do a proof-of-concept in which you implement increased privileged account monitoring and report on the results.
Business and IT Process Owners – Lead with, “Let’s optimize how privileged credentials are used.”
Getting Ready & Intel
- Emphasize teamwork and the initiative’s goal of making tasks more efficient – Privileged accounts will be involved at some level in almost every critical business and IT process. For the most part, improving the security around privileged accounts will not deeply affect existing processes. Work closely with the owners of these processes to understand the underlying credential usage, bring that knowledge into the design of controls, and look for opportunities to improve security, streamline tasks, and reduce errors.
- Make business users allies – By helping leaders in business and IT to improve the security and efficiency of their processes, your security team can gain important allies. If prominent leaders in business and IT are champions of the initiative to improve privileged access controls, it can influence the privileged users within their groups.
- Who needs elevated privileges and when – Review how privileges are used as an opportunity to reinforce the principle of least privilege.
- Feasibility of restricting an account’s use of certain commands – Talk about automated privileged access technology and how granular restrictions can be enforced.
- Risks and process change necessities – Balance the level of protection with the need to meet other business goals such as efficiency.
- Principle of separation of duties for this process – Look for ways to redesign processes so that technology automatically enforces separation of duties.
- Preventable error patterns – Talk about configuring controls to ensure certain steps require approval.
- Applications in use – Uninstall applications with embedded credentials if the application is no longer used.
- Session script requirements – Consider redesigning a script so that it requires shorter privileged sessions.
IT Admins and Other Privileged Users – Lead with, “We’re going to change privileged access procedures for the better.”
Getting Ready & Intel
- Show empathy and challenge perceptions – Buy-in from IT Admins is essential for the success of your PAM initiative. The “default” view of IT administrators is that they could do their job better with unfettered access and freedom to choose their own tools. They may see any additional steps or restrictions as making their job harder and slowing them down.
- Select security team spokesperson wisely – The team member you put in charge of this type of conversation needs to be able to articulate the threat and must have technical knowledge of the platforms and applications involved. If your security team cannot deal with objections at a detailed technical level, the process may be derailed.
- Know that other privileged users are typically more accepting – Staff in non-IT roles who have privileged access – such as those who need to work with financial reports and bank accounts – tend to be more accepting of new controls.
- Changes to workflow – Demonstrate that the PAM effort will streamline some tasks and make the way they work with credentials much more efficient.
- Strong executive mandate – Discuss the importance of the initiative and persuade administrators to accept changes.
Developers – Lead with, “How can we better secure the use of privileged credentials in these apps?”
Getting Ready & Intel
- Acknowledge that refactoring applications can be a challenge – Many applications, scripts, and configuration files include hardcoded privileged credentials. Older code is inherently hard to update, and some platforms make it hard to operate with less than the highest possible permissions.
- The right level of privilege for each application – Work together to determine the privilege rights for all your organization’s applications.
- Understanding least and excessive privileges – Discuss the principle of least privilege. Help developers understand the consequences of excessive privileges.
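To make the developer conversation concrete, here is an added example (not code from the original post or from CyberSheath) of the change being asked for: an operations script with an embedded privileged credential next to the same script retrieving the credential from a vault at run time. The hardened version uses the Microsoft.PowerShell.SecretManagement module and assumes a vault named `CorpVault` has already been registered with `Register-SecretVault` and holds the service account as a PSCredential secret; the host, account and script path names are assumptions. The same pattern applies to the embedded-password metric discussed in the first post of this series.

```powershell
# Added example (not from the original post). Host, account, vault and secret
# names are assumptions for illustration.
#Requires -Modules Microsoft.PowerShell.SecretManagement

# ---------- BEFORE: embedded credential ----------
# The password lives in every copy of the script, in source control and in
# backups, and cannot be rotated without editing and redeploying the script.
function Invoke-BackupInsecure {
    $user   = 'CONTOSO\svc_backup'
    $pass   = 'Summ3r2019!'                                  # hardcoded, never rotated
    $secure = ConvertTo-SecureString $pass -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($user, $secure)
    Invoke-Command -ComputerName 'DB01' -Credential $cred -ScriptBlock { & 'C:\ops\backup.ps1' }
}

# ---------- AFTER: credential fetched from the vault at run time ----------
function Get-PrivilegedCredential {
    param(
        [Parameter(Mandatory)] [string] $SecretName,
        [string] $Vault = 'CorpVault'        # assumed registered vault name
    )
    try {
        # Get-Secret returns the PSCredential object stored under this name.
        $c = Get-Secret -Name $SecretName -Vault $Vault -ErrorAction Stop
    } catch {
        # Fail closed: never fall back to a literal password if the vault is down.
        throw "Vault lookup for '$SecretName' in '$Vault' failed: $($_.Exception.Message)"
    }
    if ($c -isnot [pscredential]) {
        throw "Secret '$SecretName' is not stored as a PSCredential; refusing to continue"
    }
    return $c
}

function Invoke-BackupSecure {
    $cred = Get-PrivilegedCredential -SecretName 'svc_backup'
    try {
        Invoke-Command -ComputerName 'DB01' -Credential $cred -ScriptBlock { & 'C:\ops\backup.ps1' }
    } finally {
        $cred = $null   # drop the reference as soon as the work is done
    }
}

Invoke-BackupSecure
```

With the credential held only in the vault, the PAM solution can rotate the service account password on schedule (or on a trigger such as an employee leaving) without touching the script, which removes the scheduled-downtime cost that embedded credentials impose. The failure mode worth testing with developers is the vault being unreachable: the hardened script stops with an error rather than quietly continuing with a stale or fallback password.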
Be prepared to manage objections that may emerge during deployment.
- “You can’t take away those rights – I need them!” – Often you will need to convince people that the privileges they are losing are not necessary. Point out that the change protects them by reducing the risk that their accounts will be compromised.
- “I tried it and it doesn’t work.” – As changes to controls are implemented, users may report problems. Proactively set up a process ahead of time for responding to concerns. Be responsive as people adopt new processes and technologies. Maximize usability of the control design.
- “I don’t have time for this.” – When you encounter pushback, strong executive sponsorship of the initiative is extremely important. Focus on the value you bring to users and help them to see the benefits.
- “This feels like Big Brother.” – Administrators can be sensitive about increased monitoring. Reassure them and address governance issues such as what reports are run when and by whom.
Technical expertise and soft skills are needed to pull off these conversations. The third and final blog will expand on the skillsets you need to be successful and will explore some of the elements of an effective PAM deployment.
And if you’d like assistance from our team on how to have these conversations with your stakeholders, contact us. We’re here to help.