July 1, 2019 | Posted in GRC and Strategy by Mike Pinch
Privileged Account Management (PAM) is a critical function in a modern cyber security program. PAM programs have a high fail rate for a variety of reasons, including:
- Lack of understanding of key risks around privileged accounts
- Resistance from system administrators due to (perceived or actual) onerous workflows for common tasks
- Workflow design compromises to accommodate user requests
- Failure to bench test implementation against common attack techniques through penetration testing or Purple Teams
One key challenge in successfully selecting, implementing, and operating a PAM platform is the lack of explicit guidance from common security frameworks. PAM “best practices” have for many years been a mishmash of guidance from PAM vendors – some good, some aimed at quick and easy implementations (aka not in the best interest of security). Recently, an effort to address these shortcomings was undertaken in the document series NIST SP1800-18, Privileged Account Management for the Financial Services Sector. Reading this you might think, well I’m not in the Financial Services sector, so this isn’t for me. However, the details of this framework have no specific relevance to any industry; the only thing related to Financial Services is a mapping to FFIEC controls (there is also NIST CSF, SP800, and ISO 27001). Be aware that in its current state as of this writing, the framework is in a draft state, though a very complete draft.
One of the key strengths in the SP1800-18 framework is the communication and visualization of different acceptable architectures. These can assist significantly in helping cyber security professionals understand how effective PAM workflows should look.
The modeled workflows in SP1800-18 are not the only effective mechanisms available, because every implementation is unique. Another excellent resource for PAM architecture and approach is the Microsoft PAWS methodology (https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations). The PAWS (Privileged Account Workstation Solution) is a representation of “The Microsoft Way” of PAM, and excels in that it is highly pragmatic and largely vendor and tool agnostic. It provides a phased approach that walks through a real-world way to go from nothing to the desired level of control in a reasonable period of time. Interesting concepts here include:
- Use of privileged accounts through an Administrative Jump Server, usually paired with a password management system and multi-factor authentication
- Local Administrative Password single-time use with randomization
- Recommending use of the “Clean Source Principle”, meaning that users are not able to even reach the Administrative Jump Server, unless they are coming from a specific, hardened and secured device.
- Most interesting about the “Clean Source Principle” is that the recommendation is to give administrators a second workstation, often bound to a different domain, segmented from general network traffic, and with no access to common attack vectors, including the internet or email.
- An alternative to providing a second physical workstation is to use a virtual machine setup, where high risk computing (internet, email, etc) is accessed using a virtual machine on the physical host, while the physical host serves as the administrative PAW. This containerizes high risk actions within the realm of the VM.
- Advanced domain architectural designs, known as Enhanced Security Administrative Environment (ESAE), sometimes referred to as a Red Forest design. This design implements a single AD forest with downward trust and several layers (Tier 0/1/2) that represent Domain Administrative functions, Server Administrative functions, and Workstation Administrative functions, respectively. These effectively create “blast zones” that makes it significantly harder to gain widespread access to a user environment.
At SRA, nearly all of our penetration tests and Purple Teams include some level of domain compromise, which demonstrates widespread access to internal systems and resources. From an attacker standpoint, one of the single most critical things an organization can do to improve in this area is to implement the people, processes, and technology to properly protect privileged credentials.
There are many tools and vendors on the market, and it can be highly confusing; tools often do some, but not all of the functions outlined within, and some of the most effective mechanisms you can put in place require cultural and process change. As part of our H24 Cyber Security Framework, we created a CMMI based maturity scoring mechanism to stitch together key criteria for enhancing the maturity of your PAM program, including many of the technical controls outlined in NIST SP800-53, NIST SP1800-18, and MS PAWS. We have included this framework here below for your reference, as a way to assess your own maturity level and start to plan to enhance your overall maturity scale. We’d love to hear your feedback
|Control Capability - Privileged Account Management|
|1 - Initial||Cybersecurity inventories and reviews domain administrator accounts with IT for appropriateness, a minimum of annually. ||☐|
|Hard coded passwords and privileged password sheets are prohibited by policy. ||☐|
|Powerful account privileges are separate from standard user accounts.||☐|
|Cybersecurity helps critical application owners and custodians review and reduce the number of privileged accounts. ||☐|
|2 - Repeatable||Privileged network accounts are hardened including reduction of trusts and rights, logging, and reduction in use of local administrator. ||☐|
|Privileged account use logs are identified and available for inspection, even if in decentralized platforms.||☐|
|3 - Defined||A defined PAM governance policy is in place that defines privileged accounts and defines the process to ensure that accounts are created, documented, assigned, used, and monitored. ||☐|
|Cybersecurity maintains a list of known privileged network, database and critical application accounts and risk ranks them. ||☐|
|Monitoring and correlation rules are developed in SIEM/UEBA including privileged network, database and priority application logins. ||☐|
|Local administrator use is removed from all domain-joined workstations and monitored for compliance. ||☐|
|A password vault platform helps govern privileged domain and local administrative accounts, requiring check-in/checkout procedures.||☐|
|Standard operating system images use protected memory space for password and secret storage (such as W10 credential guard with TPM chip).||☐|
|4 - Adaptable||Password vaulting tools are extended beyond domain and workstation administrative accounts to other types of systems, including network infrastructure, databases, and application-level accounts.||☐|
|Checkout of privileged accounts requires multi-factor authentication. ||☐|
|Password vaulting is implemented in such a manner that critical artifacts, such as password hashes, are not able to be exploited for access after they are used. ||☐|
|Privileged accounts follow quarterly recertification processes by their owners and custodians.||☐|
|The password vault is hardened and closely monitored in SIEM/UEBA rules and requires multi-factor authentication to administer. ||☐|
|SIEM/UEBA behavioral rules and algorithms create alerts on unusual privilege use, creation of new powerful accounts, etc for investigation by the CyberSOC.||☐|
|A responsible team conducts annual risk assessment of privileged account attack vectors to improve preventive and detective controls.||☐|
|A responsible team operates privileged account discovery tools on a quarterly basis to identify and investigate new privileged accounts.||☐|
|5 - Optimized||Application and service accounts use PAM tools for systems interfaces, secret management, and SSH & API key management.||☐|
|Cloud infrastructures operate at parity with on-premise systems for PAM processes, using on-premise tools or cloud-based systems like AWS Secrets Manager or Azure Key Vault. ||☐|
|The organization uses PAM tools for managing social media accounts.||☐|
|Supplier access is governed by PAM tools and processes for all remote access and support needs.||☐|
|Privileged session recording is enabled for full audit trails of privilege use. ||☐|
|Cybersecurity searches for hard-coded privileged accounts in source code on file shares, collaborating with stakeholders to remove them and replace with secure solutions. ||☐|
|Service and Application accounts are designed with A2A (Application to Application) relationships. ||☐|
|Dedicated directory architecture designs have been implemented (such as AD Red Forest or ESAE) to further reduce attack surface and ability for attackers to gain access. ||☐|
|The “Clean Source” principle only allows access to PAM tools from hardened, dedicated systems disconnected from the internet and email.||☐|
About the H24
The SRA H24 Framework provides a similar level of maturity evaluation detail across 24 different cyber security topics, and is aligned with NIST, ISO, HITRUST, and FFIEC frameworks. Each tile contains a detailed maturity scoring system that helps assess current state and prioritize items for future implementation. It provides a visual and quantitative means for communicating about your security program and is used by many of our clients for everything from board level reporting to the backbone of their tactical security program.