Privileged Access Management – lessons learned

In Nixu, we have carried out a large number of Privileged Access Management (PAM) projects ranging from advisory to implementation during recent years. We have been asked quite a few times about lessons learned from PAM projects. We gathered some dos and don'ts, so you don't have to learn the hard way. 

Privileged Access Management in a nutshell

Privileged Access Management is a particular IAM solution area. Privileged Access Management solves problems related to privileged credentials. PAM covers the management of privileged accounts and privileged access to applications, systems, and devices so that end users can perform their duties efficiently and in a secure manner. Monitoring and collecting audit trail play a vital role in PAM. 

At a higher level, PAM provides two top-level use cases. First of all, PAM offers secure, controlled access to privileged credentials. The secure access method can be a Windows Remote Desktop (RDP) connection, Secure Shell (SSH) access to a server, or a web-based admin console protected with HTTPS. The second use case is the management of the credentials itself, including password and SSH key rotation based on policy. All actions are auditable, regardless of are the activities done by an end-user or by PAM itself. With PAM solutions, the organization can get visibility and control for any actions taken with privileged accounts. 

Preparation is the key

DO

1. Scope data and user groups accurately. Try to identify all the information. 
   • We have experiences where a critical set of credentials did not belong in the scope. Eventually, this forced us to make significant changes to our already agreed data and access model.
2. Consider using PAM vendors' discovery and scanning tools to understand the current situation better 
   • During our projects, we have found credentials which "shouldn't be there" and heard "we didn't know anything about those" a few times. 
3. Design a data model properly and verify the data model with end-users. The data model can impact the choice of technology.
4. Plan use cases and business requirements thoroughly. Once completed, identify technical requirements. 
   • There are plenty of vendors who can do the same functions, but technical requirements may narrow down your options. The implementation may differ based on the technology. 
   • Once the technology is selected, these will help you with the implementation
5. Select PAM ownership wisely. 
   • Even though the IT department drives the majority of PAM projects, I am not sure if that's the best option. 
   • Well-implemented PAM is an organization-wide tool, protecting both business and the infrastructure.
6. Define responsibilities. 
   • Clear responsibilities are vital for PAM solution management. Who takes care that the PAM solution is up-to-date and who take care of various maintenance actions? Each privileged account managed in a PAM solution must have an owner. The owner should be responsible for access and audit reviews.

DON'T

1. Do not underestimate the migration work from the old PAM (or even just database or excel sheet) to a new fully functional PAM. Especially with integrations, the amount of work can be more massive than expected.
2. Do not forget to set valid policies and security controls for all target systems. 
3. Do not forget application integrations.
   • Take a broad look into the organization and review how different applications could use and benefit from PAM.
   • Numerous applications benefit from the PAM solution. One of the most common business applications is different RPA solutions. 
4. Do not forget to talk with business owners.
5. Do not underestimate how much process modeling is needed. 
   • Even in a smaller PAM project, the process modeling might take a while.
   • Don't forget to plan how to handle exceptions, for example, when a 3rd party needs to access the service. Break glass scenarios are useful.

Implement wisely

DO

1. Reach low hanging fruits as the first step. 
   • You gain the most when the PAM integrates to all systems organization-wide, but this can be a massive task in any larger organization.
   • Identify the most urgent problems/challenges and address them in the first stages. Beware of scope creep, though.
2. Have a proper roadmap. Ensure the whole organization is covered. 
   • To get most of your PAM, you should protect more than just passwords, for example, SSH keys, etc.
   • Use PAM in/for/to DevOps, microservices, scripts, applications, RPA, or anywhere else where automation and credential protection is needed.
3. Review all processes linked to the service.
4. Be extra careful with security. Consider auditing the PAM system before production use. 
   • Implement multi-factor authentication on day one 
   • Implement SIEM/SOC integration on day one 
   • Hardening - remember to include all related platforms and services
   • Verify backup, high availability, and disaster recovery scenarios. By verification, I mean real testing, not a paper exercise. 
   • Verify break glass scenarios
   • Verify that there aren't role mismatches and excessive access rights.

DON'T

1. Do not leave implementation to the low hanging fruits!
2. Do not limit PAM usage to the graphical user interface.
3. Do not hurry! Implement hardening and verify design.

Keep maintaining PAM with regular routines

DO

1. Audit PAM users' access, especially new users and PAM system administrators. 
   • Enforce separation of duties policy and the principle of least privilege.
   • Review the access rights of PAM user groups at regular intervals.
2. Ensure that all new endpoints and credentials are enrolled in PAM, either by integration or manual process. Use discovery features, if suitable.
3. Use alerts and reports. 
   • For example, system owners should verify systems audit logs regularly.
4. Monitor/audit PAM usage, especially PAM admins 
   • Use SIEM/SOC or privileged behavior analytics kind of tools if needed
5. Follow system and software updates and patches
6. Keep evolving with your organization. 
   • Promote PAM within your organization
   • On-board new user groups when the need arises
   • Implement support for new use cases based on need

DON'T

1. Forget your PAM and stop maintaining it.

Where are you at?

Track down all your privileged accounts and see where you have risks. Try the Privileged Account Discovery for Windows tool by PAM provider Thycotic.