Levi, Ray & Shoup, Inc.

The how and why of PAM

3/21/2019 by Kirk Wilson

For most organizations that don’t yet have a formalized PAM program, backed by a technology solution that implements it, the time to get started is now. Even smaller shops can now get in on the action, as some providers have begun offering licenses on a truly per-privileged-user basis, driving the initial cost further down.

If you don’t know PAM, or Privileged Access Management, it’s a solution that helps organizations manage and audit privileged access across multiple technologies, such as Active Directory, databases, web app logins, local accounts and many more.

The standards and regulations that drive direction for many Information Security departments contain provisions for managing and auditing privileged access. What used to be a nice-to-have – that thing we’ll get to when we have the cycles – has become a hard requirement, and a potential finding in your next audit if it is lacking.

But organizations that haven’t implemented PAM have many concerns:

  • “This is just another layer I have to work through.” This is a common misconception. When implemented well, PAM solutions can save time. They can provide a single place from which employees can click to gain access to their resources.
  • “The IT team does not like Big Brother.” That’s okay. Nobody does. However, the policy of no expectation of privacy on company assets applies to everyone, for all uses. Implementing PAM is not about catching Joe Switch-Jockey misconfiguring a router. It is about accountability. It’s about adding security to the accounts that could do the most damage to a company’s infrastructure and data.
  • “We’re concerned about system ownership.” Many organizations will have multiple teams vying for ownership of the PAM tool. It may be helpful to consider the following industry norms when coming to this decision point. In large organizations further along the Cyber Security Capabilities and Maturity Continuum, the PAM system is usually owned by the IAM team. In large organizations without a defined IAM team, ownership often sits with the IT Risk and Governance team. In medium to large organizations with neither of those teams, ownership will frequently be in the IT Security team.
  • “What are realistic timeframes for deployment?” While some of the commercially available products have straightforward and easy installations, deployments can be lengthy once you consider all the varying kinds of privileged access. Chunking the work into manageable portions is the way to go. Secure accounts with similar types of privileges (Active Directory, database, sudo, HRIS, etc.) together. The deployment will require working with the employees who hold the access, and chunking the work by function makes that easier.
  • “How do we choose a PAM solution?” There are many commercial solutions. Of course, the normal activities in software/vendor selection apply here: POCs, Magic Quadrant review, working with a trusted partner. Be sure to consider the following:
    • Does it perform session recording?
    • Can an admin kill an active session?
    • Does it have a checkout procedure?
    • Can it discover privileged accounts?
    • Can it discover dependencies (e.g., a service that uses the privileged account)?
    • Can it auto-update dependencies on password rotation?
    • Does the licensing model work for my organization? Do you want to manage per-feature licensing models?
    • Can it grow with our needs? Does the solution include ways to widen the deployment into less IT-related and more business-centric functions, for example bank tellers?
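Two of the checklist items above, discovering privileged accounts and discovering the dependencies that would break on password rotation, are easy to misjudge without a concrete model. The following is an added example (not code from the article or from any PAM vendor) that works the problem offline over a constructed inventory: it resolves nested group membership to find every account that is effectively privileged, then maps each one to the services and scheduled tasks that authenticate as it, so the rotation plan shows what must be updated. All group names, account names, hosts and service entries are hypothetical; the two edge cases it handles are a group nested inside itself (a membership cycle) and account names whose case or domain prefix differs between the directory and the service inventory.

```python
"""Added example: offline model of PAM privileged-account and dependency discovery.
Every inventory value below is constructed for illustration and is hypothetical."""
from collections import defaultdict

# Groups whose direct or nested members count as privileged (hypothetical list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "DBA-Prod"}

# Constructed directory snapshot: group -> members (users or other groups).
GROUP_MEMBERS = {
    "Domain Admins": ["CORP\\kwilson-adm", "Tier0-Ops"],
    "Enterprise Admins": ["CORP\\ent-break-glass"],
    "Tier0-Ops": ["CORP\\svc-backup", "Tier0-Ops"],   # self-reference: a nesting cycle
    "DBA-Prod": ["CORP\\svc-sql", "corp\\dba1"],       # note the inconsistent case
    "Helpdesk": ["CORP\\hd-user1"],                    # not a privileged group
}

# Constructed inventory of things that authenticate as an account (services, tasks).
SERVICES = [
    {"host": "sql01", "kind": "service", "name": "MSSQLSERVER", "run_as": "CORP\\svc-sql"},
    {"host": "sql01", "kind": "task", "name": "NightlyBackup", "run_as": "corp\\SVC-BACKUP"},
    {"host": "web01", "kind": "service", "name": "W3SVC", "run_as": "NT AUTHORITY\\NetworkService"},
    {"host": "app02", "kind": "task", "name": "ReportExport", "run_as": "CORP\\svc-sql"},
]


def normalize(account):
    """Windows account names are case-insensitive; compare them in one canonical form."""
    return account.lower()


def expand_group(group, groups=GROUP_MEMBERS):
    """Resolve a group to its user members, following nested groups.

    A visited set makes the walk terminate even when groups reference each other
    in a cycle, which does occur in real directories."""
    users, visited, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in groups:          # member is itself a group: descend into it
                stack.append(member)
            else:                         # member is a user account
                users.add(normalize(member))
    return users


def discover_privileged_accounts(privileged_groups=PRIVILEGED_GROUPS, groups=GROUP_MEMBERS):
    """Map each effectively privileged account to the privileged groups that grant it."""
    grants = defaultdict(set)
    for group in privileged_groups:
        for user in expand_group(group, groups):
            grants[user].add(group)
    return dict(grants)


def discover_dependencies(account, services=SERVICES):
    """Return every inventory entry that runs as the account.

    These are the things a PAM tool must update when it rotates the password;
    rotating without updating them is how a service outage follows a rotation."""
    target = normalize(account)
    return [entry for entry in services if normalize(entry["run_as"]) == target]


def rotation_plan(privileged_groups=PRIVILEGED_GROUPS, groups=GROUP_MEMBERS, services=SERVICES):
    """For each privileged account, list why it is privileged and what depends on it."""
    plan = {}
    for account, via in sorted(discover_privileged_accounts(privileged_groups, groups).items()):
        deps = discover_dependencies(account, services)
        plan[account] = {
            "granted_by": sorted(via),
            "dependencies": [f'{d["host"]}:{d["kind"]}:{d["name"]}' for d in deps],
        }
    return plan


if __name__ == "__main__":
    for account, info in rotation_plan().items():
        deps = ", ".join(info["dependencies"]) or "none (safe to rotate without updates)"
        print(f'{account}  via {", ".join(info["granted_by"])}  ->  {deps}')
```

Run as-is, the script lists five privileged accounts: the helpdesk user never appears because its only group is not privileged, `svc-backup` is caught through the nested `Tier0-Ops` group despite the cycle, and `svc-sql` shows two dependencies on two different hosts, which is exactly the information a rotation must have before it runs.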

For reference, these standards all discuss management of privileged access:

  • Controlled Use of Administrative Privileges – Basic CIS Control #4
  • Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. – HIPAA 164.308(a)(1)(ii)(d)
  • Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. – HIPAA 164.308(a)(4)
  • All systems within the Cardholder Data Environment should have sufficiently configured access control to ensure only authorized internal individuals have access to the environment, systems and sensitive cardholder data. All other access by non-authorized individuals must be denied. The access control must be granular and linked directly to established job role and responsibilities. – PCI DSS Requirement 7
  • Detailed information that organizations may consider in audit records includes, for example, full-text recordings of privileged commands… – NIST SP 800-53 AU-3(1)

Once again, PAM is a hard requirement for today’s Information Security department. If you would like assistance in choosing and implementing a PAM solution, just fill out the form below.

About the author

Kirk Wilson is our Information Security Advisor. He has 15 years of information technology experience across industries including manufacturing, energy, and consulting services. He works with customers in both advisory and technical capacities, covering assessments, implementations, and remediations.