The Complete Guide to Ransomware [Updated for 2022] Download eBook

Privileged Access Management (PAM): Where to Start

Danny Murphy by Updated On - 05.28.2020 Data Security

Last Updated on May 28, 2020 by Satyendra

Privileged Access Management (PAM) is something that many organizations still struggle with on a day to day basis. One of the biggest reasons that this happens is because organizations do not prepare their Active Directory environment properly before starting their PAM project.

What is Privileged Access Management (PAM)?

Privileged Access Management (PAM) solutions usually center around an organization’s Active Directory environment and function as a way of delegating privileged access from a central and monitored location. PAM solutions are usually deployed for three primary reasons; to identify which of your users have privileged access, to centrally manage all privileged accounts throughout the business and to reduce the risk surrounding those privileged accounts.

Privileged Access Management (PAM) Risks

Planning a Privileged Access Management (PAM) project is a major undertaking. One of the main challenges you will need to overcome is that PAM often relies heavily on Active Directory integrations. So, if the Active Directory is not as ‘tidy’ as it should be, then the value of the whole project is in jeopardy and you risk replicating your AD failures across to your new PAM project.

What to Do Before Starting Your Privileged Access Management (PAM) Project

Here are our key recommendations of the top five things you should get in place prior to, or in parallel to your Privileged Access Management project:

1. Determine Which Active Directory Accounts Need to be Monitored

The first step to any successful Privileged Access Management (PAM) project is to identify which of your accounts have administrative access to your Active Directory. PAM solutions do not focus on this, they focus more on authentication. So, before you start your PAM project, you should have a way of identifying the accounts that have high level access and the ability to make potentially disastrous changes to your Active Directory. Essentially, you will need to create a list of your Domain Administrator Accounts, Domain Administrator Groups and Domain Service Accounts.

2. Perform a Clean-Up of Your Inactive User Accounts

If your Active Directory is unclean, meaning full of inactive user accounts, your Privileged Access Management project won’t get off the ground. You will need to be able to identify these inactive user accounts and take action to streamline your Active Directory. Typically, this will involve deleting the accounts, disabling them or moving them to a different OU. If you don’t want to do any of these, then the minimum step to take would be to reset the passwords of these accounts to avoid potential misuse from unauthorized access.

3. Track Changes to Maintain the Integrity of Your Active Directory

It’s not enough to do a one-off audit of your privileged accounts. What happens if permissions change and more privileged accounts are created without your knowledge? For a successful Privileged Access Management project, constant vigilance is required when auditing and monitoring permission changes being made within your Active Directory.

4. Identify Which of Your User Accounts Present the Most Risk

You’ve identified which accounts have the ability to make administrative changes to your Active Directory. Now, you need to identify those user accounts that have privileged access to data. These are users that have access to personally identifiable information, confidential business information, intellectual property and any other data that is deemed to be sensitive. Users with this level of privileged access present the biggest risk to the security of your AD and the success of your Privileged Access Management implementation.

5. Understand Which AD Accounts are Frequently Locked Out

High numbers of account lockouts in Active Directory can derail your ongoing Privileged Access Management activities. High numbers of account lockouts need to be investigated as they can be damaging to business continuity and security. Before you fully commit to your PAM project, ensure you have a way of identifying and troubleshooting Active Directory account lockouts.

Tips for Managing Privileged Access

Below are the key tips we think will help you to better managed privileged access.

Use Multi-Factor Authentication (MFA) Where Possible

99.9% of compromised accounts did not use multi-factor authentication.MFA is a relatively simple and effective way to safeguard your privileged accounts. However, despite the benefits of adopting MFA, companies are still reluctant to use it. It’s often the case where management doesn’t see the value of using MFA, or they perceive it to be too expensive and difficult to implement.

In fact, it’s often the case where both management and employees actively reject the idea, as it is seen as just another obstacle. These are understandable concerns, however, if you are a CISO, it is your responsibility to keep the company’s data secure.

If there’s any way you can convince management to use MFA, then it’s worth doing. In situations where MFA is not a viable option, the CISO will at least need to ensure that they have a comprehensive password policy in place, which also deals with password resets. Whilst some advise against the practice of periodically resetting passwords, it can be particularly useful for shared accounts.

Naturally, when using shared accounts, there’s a greater risk that the credentials will end up in the wrong hands. Regularly resetting shared account passwords will help to minimize these risks.It should be noted that there are tools available that will automate the process of reminding users to reset their passwords.

Keep an Inventory of All Privileged Accounts

It is imperative that CISOs know exactly what privileged accounts they have. They must review all accounts that have shared access, and check that shared access is actually required.

The ability to list all privileged accounts depends on the access control solution or directory service you are using. For example, in Active Directory, there are privileged users such as Administrators, Domain Admins, Enterprise Admins, and Schema Admins.

You will need information about who has access to domain controllers, OUs, GPOs and any other privileged groups (including groups that are nested). Regardless of which platform you are using, you must be able to identify who has the authority to reset/change the passwords of other users.

While it is theoretically possible to compile a list of privileged accounts manually, a better way would be to use a dedicated PAM solution, which will automatically discover and display all privileged accounts via a single dashboard.

Make Sure That You Know Exactly Where Your Sensitive Data Resides

PAM isn’t just about identifying and managing privileged accounts, but also the data which those accounts will have access to. However, this is only possible if companies know where their sensitive data resides.
Unfortunately, a lot of the time, they don’t.

However, there are solutions available that can automatically discover and classify a wide range of data types, and some solutions can even classify the data at the point of creation. Naturally, knowing where your sensitive data resides, makes it much easier to assign the appropriate access controls.

Assign Access Controls Using Role-Based Access Control (RBAC)

With RBAC, instead of setting up access controls for each user, they are assigned to groups (roles), which users are added to. In some cases, these groups are nested. Although mainly used by organizations that employ a large number of staff, RBAC is arguably the most popular approach to assigning access rights, as it is generally easier to manage and less prone to errors than other methods.

One of the issues that CISOs may encounter when implementing RBAC is that there isn’t a clear definition as to what constitutes a “role”. For example, we would typically think of a role as an employee’s job title, such as CISO, Web Developer, Payroll Clerk, or Marketing Manager.

However, roles can also include specific tasks, such as “Delete User Account”, or “Reset password”. Additionally, a role could be based on other factors such as competency, department, location, or the length of time an employee has worked for the company.

As mentioned above, there will also be roles that are specific to the access control system you are using. It is therefore important that CISOs take time to understand the organizational structure of the company, and carefully review the data to ensure that the roles they setup are suitable.

Fortunately, RBAC is flexible enough to allow CISOs to easily change the structure of the roles/groups even after the controls have been assigned.

Monitor the behavior of privileged users

Assigning access controls to privileged user accounts is just the first step of your PAM strategy. You will need to continuously monitor those accounts for any anomalous behavior. However, in order to identify anomalous behavior, you must first gain an understanding of what type of behavior would be considered normal.

To do this, you will need a solution that uses machine learning to effectively learn typical usage patterns, which can be used as a reference. If behavioral patterns were to deviate from these patterns beyond a certain threshold, the administrator will be notified instantaneously. Administrators may wish to be informed of all events affecting data that is highly sensitive.

Detect and Manage Inactive Privileged Accounts

A privileged user may leave the organization, for whatever reason, and it is crucial that their account is deactivated the moment it is no longer required. However, there may be times when a business fails to terminate an inactive account.

Perhaps they were planning to do it, but forgot, or it simply didn’t cross their mind. Either way, hackers may be able to find out when someone has left their organization and will check to see if their account is still active. And even if a hacker is not able to successfully gain access to this account, the ex-employee themselves may decide to log back in.

Generating Reports for Regulatory Compliance

Finally, in order to satisfy the relevant compliance requirements, CISOs will be required to provide reports that demonstrate their knowledge of who is accessing what data, and when. Again, as opposed to doing this manually, it would be better to adopt a solution that can automatically generate pre-defined reports that customized to meet the demands of the data protection laws that are relevant to their industry.

A Solution to Complement Your Privileged Access Management (PAM) Project

To ensure that your Privileged Access Management (PAM) project is successful, you will likely need to deploy a Data Security Platform either before you start or in conjunction with your PAM solution. When choosing which Data Security Platform suits your environment you need to make sure that it has the ability to address each of the points listed in this article.

As it happens, we have a solution that can help. Lepide Data Security Platform perfectly complements PAM solutions. If you want to see how we can help you complete a smooth PAM implementation, take a demo of Lepide today.