Building A Roadmap To A Successful PAM & IAM Solution
Privileged Access Management (PAM) is a hot topic. According to Gartner, PAM technologies provide secured privileged access to critical assets to meet compliance requirements by securing, managing and monitoring privileged accounts and access. Confusion often arises when an organization also has an Identity and Access Management (IAM) tool, also known as Identity Governance and Administration (IGA). These tools deal with provisioning, de-provisioning and certifying accounts within a system. Where is the line drawn? Which accounts are excluded from IAM and only handled in PAM? Which accounts are excluded from PAM and only handled by IAM? Which accounts should be handled by both tools?
As an organization that specializes in both Privileged Access Management consulting and Identity Governance Administration consulting, we have worked with organizations that are in all different phases of each program. We have found that when trying to determine a path forward, it is helpful to know where you want to go before you start. By defining our Utopian state, we can create a roadmap to get there. As consultants, we call this process the Identity and Access Management Assessment phase. These assessments are focused on mutual education. Our consulting teams do not know your business but are experts with these tools, their best practices and how to implement them successfully. We aim to learn your business while providing education to your teams on the best practices, processes, methods, and tools used to create successful PAM and IAM/IGA programs.
PAM programs can be broken up into three stages of maturity. As experts in both PAM solutions and IAM solutions, we recognize that in each stage, IAM tools can help move the PAM program forward, but it is important not to overthink the involvement, or things will become more complex than necessary.
PAM Program Stage 1 – Access Control
Access Control is the aspect of PAM that most people seem to overlook. Many organizations do not control who is allowed to attempt to connect to the protected resources in their organization. Very few people need the ability to use RDP or SSH to manage a server or make direct SQL calls to an Oracle or MS SQL database. The Access Control aspect uses a bastion host approach to funnel all of these administrative activities through a hardened host that can control access, monitor activity, and audit usage.
The idea is to ensure that anyone needing access to privileged resources must go through an additional hop. This will help reduce the number of brute force attacks on your critical systems by ensuring that the only way to attempt a login is first to get authenticated and authorized at a hardened bastion host. Policies can be enforced at the bastion host to restrict the ability to attempt logins to only the servers the authenticated user is authorized to use. In this access control step, the authorizations on the individual systems have not been determined yet, only authorization for who can attempt to connect.
To put this into practice, imagine an Internet Service Provider (ISP). An organization like this will have many different switches and routers. There will also be quite a few techs who need to be able to service these switches and routers. There are also a significant number of employees who have no business logging into any of the equipment. With a bastion approach, any user who needs access to a switch or router for maintenance must first authenticate to the bastion, which determines which switches and routers, if any, they can connect to. After authenticating, a list can be presented based on those authorizations, and the user can continue on to whichever system they need to perform maintenance. If a sales representative connected, the list would be empty.
Best practices recommend that in most cases the source for authentication and authorization be a directory, such as Active Directory. IAM tools can assist PAM programs by handling the lifecycle of the Active Directory accounts for the users in the organization. IAM can also provide role-based and request-based provisioning of the authorizations used by the policies of the bastion hosts, allowing the user to attempt connectivity to various systems.
Back in our ISP example, this translates to a few simple scenarios:
- (Role) New technician is hired – the IAM system can assign a role that will automatically grant them access to connect to all routers and switches in their region.
- (Request) Technician helping another region – the technician can request access to the routers and switches in the other region, approvals can be obtained, and the authorizations are granted.
- (Request) Vendor assistance – a vendor consultant is brought in to assist with some of the network equipment. A request can be made to give them access to a specific system or set of systems; optional approvals, and start and end dates, can be provided as well.
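The policy logic behind the three scenarios above can be made concrete. The following is an added example, not code from the article or from any PAM or IAM product: a toy bastion authorization check in Python. The device inventory, role names (`tech-east`, `tech-west`), usernames and dates are all constructed for illustration. It combines role-based grants (a directory group that maps to a region) with request-based grants (specific hosts, an approval flag and a validity window), returns the list of hosts a user may attempt to reach, and records every connection attempt, allowed or denied, so the bastion's audit trail covers denials as well as successes.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed inventory: hostname -> region. A real bastion would pull this
# from a CMDB or the directory rather than a literal.
DEVICES = {
    "rtr-east-01": "east",
    "sw-east-01": "east",
    "rtr-west-01": "west",
    "sw-west-01": "west",
}

# Hypothetical role names, assumed to arrive as directory group memberships
# that the IAM system assigns (e.g. when a technician is hired).
ROLE_REGIONS = {"tech-east": "east", "tech-west": "west"}


@dataclass
class User:
    username: str
    roles: frozenset[str] = frozenset()  # directory groups maintained by IAM


@dataclass
class Grant:
    """A request-based authorization: named hosts, an approval flag, a validity window."""
    username: str
    hosts: frozenset[str]
    start: date
    end: date
    approved: bool = False


def authorized_hosts(user: User, grants: list[Grant], today: date) -> list[str]:
    """Hosts this user may attempt to connect to through the bastion today."""
    allowed: set[str] = set()
    # Role-based: every device in each region the user's roles cover.
    for role in user.roles:
        region = ROLE_REGIONS.get(role)
        if region is not None:
            allowed.update(h for h, r in DEVICES.items() if r == region)
    # Request-based: only approved grants whose window includes today count.
    for g in grants:
        if g.username == user.username and g.approved and g.start <= today <= g.end:
            allowed.update(h for h in g.hosts if h in DEVICES)  # unknown hosts ignored
    return sorted(allowed)


def attempt_connect(user: User, grants: list[Grant], host: str, today: date, audit_log: list) -> bool:
    """Policy decision for one attempt; every attempt is logged, allowed or not."""
    allowed = host in authorized_hosts(user, grants, today)
    audit_log.append({"date": today.isoformat(), "user": user.username,
                      "host": host, "allowed": allowed})
    return allowed


# Constructed users mirroring the ISP scenarios: a regional tech, a tech helping
# another region, a vendor consultant with no standing role, and a sales rep.
USERS = {
    "alice": User("alice", frozenset({"tech-east"})),
    "bob": User("bob", frozenset({"tech-east"})),
    "carol": User("carol"),
    "dave": User("dave", frozenset({"sales"})),
}
GRANTS = [
    Grant("bob", frozenset({"rtr-west-01", "sw-west-01"}), date(2024, 6, 1), date(2024, 6, 7), approved=True),
    Grant("carol", frozenset({"rtr-west-01"}), date(2024, 6, 1), date(2024, 6, 30), approved=True),
    Grant("dave", frozenset({"rtr-east-01"}), date(2024, 6, 1), date(2024, 6, 30), approved=False),
]


def host_list_for(username: str, today_iso: str) -> list[str]:
    """Convenience wrapper: the menu the bastion would show this user on a given day."""
    return authorized_hosts(USERS[username], GRANTS, date.fromisoformat(today_iso))


def check(username: str, host: str, today_iso: str) -> tuple[bool, dict]:
    """Convenience wrapper: one attempt plus the audit record it produced."""
    log: list = []
    ok = attempt_connect(USERS[username], GRANTS, host, date.fromisoformat(today_iso), log)
    return ok, log[0]


if __name__ == "__main__":
    for name in USERS:
        print(name, host_list_for(name, "2024-06-03"))
    print(check("dave", "rtr-east-01", "2024-06-03"))
```

Bob's cross-region grant lapses after its end date, so on 2024-06-10 his list shrinks back to the east region; Dave's unapproved request never appears, and his attempt still produces a denied audit record. The same shape applies when the grants come from an IAM request workflow rather than an in-memory list.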
An additional benefit of the access control stage is that we can now monitor the activity of all usage passing through the bastion. All keystrokes can be logged, and in the case of GUI-based applications, video recordings can be provided as well. Compliance teams and auditors want to see this functionality, but it also provides the ability to retrace exact steps when performing a root cause analysis for an issue.
At the end of the first stage in the PAM program’s maturity, compliance and audit requirements for who is accessing what can be satisfied. While no features for maintaining the lifecycle of credentials have been added, all usage can be audited successfully. IAM tools, if present, are also leveraged to help with roles, requests, and approvals for access to connectivity.
Stay tuned for part 2 and part 3 of this article where we explore PAM Program Stage 2 – Password Vaulting and PAM Program Stage 3 – Privilege Escalation and Delegation.