Over the past 18 months the need to adapt to large-scale remote working, coupled with increased reliance on BYOD, and other challenges to the traditional ways of doing business, forced organizations to accelerate their digital transformation (DX) journeys. On the whole, this rapid evolution is widely being hailed as successful.
On the downside, each new technology and step in the transformation journey has the potential to multiply the attack surface and expose more assets to the internet. Another challenge is that much of digital transformation is shadow IT, occurring outside of IT’s view or control. Partly as a consequence of accelerated DX, we have seen major cyberattacks and breaches proliferate in the last year as the threat surface rapidly expanded.
According to a global McKinsey survey of executives, organizations accelerated digitization of their customer and supply-chain interactions and of their internal operations by three to four years. Plus, the share of digital or digitally-enabled products in their portfolios accelerated by a remarkable 7 years.
Did the advancement of cyber defenses and security maturity also leap forward by 7 years in that same span? Almost certainly not. Digital transformation initiatives greatly expanded the attack surface, creating more vulnerabilities. Many organizations hastily stood up remote access technologies to enable digital transformation and remote work, without ensuring those technologies could securely handle all the new use cases and privileged sessions generated.
For instance, internet-facing RDP ports surged by 50% early in 2020 to support WFH initiatives. Unsurprisingly, 52% of ransomware attacks leveraged publicly accessible RDP servers to gain initial access. Ransomware also surged 150% over the past year—and it shows no signs of relenting. Tricky fileless / living off the land attacks also surged 888% in 2020. These are often techniques used in advanced persistent threats (APTs)—such as in the SolarWinds Orion attack—helping threat actors hide while expanding their presence over weeks, months, or years.
Almost every cyberattack involves compromised or misused privileges/privileged credentials. Most malware needs privileges to execute and install payload. Once a threat actor has infiltrated an IT network, privileges are typically needed to access resources or compromise additional identities. With privileged credentials and access obtained, a threat actor or piece of malware essentially becomes a malicious “insider”.
Privileged access management (PAM) prevents or mitigates privileged threat vectors and is a fundamental cybersecurity technology that is essential for organizations to securely unlock the benefits of digital transformation. PAM security controls protect against a broad swathe of external and internal threats, and even provide a blended defense against ransomware and zero-footprint, living off the land attacks. Outside of PAM, there are few defenses that provide robust protection against a rogue insider.
In the rest of this blog, I’m going to break down 10 steps of achieving Universal Privilege Management across your enterprise’s digital footprint.
Securing Digital Technologies & Assets with Universal Privilege Management – 10 Phases
The acceleration of digital transformation has increased the urgency for maturation of PAM security capabilities, which includes enforcing least privilege, securing remote access, and managing privileged credentials for human and machine accounts.
The BeyondTrust Universal Privilege Management model entails securing every privileged user (human or machine), session, and asset across your IT environment—leaving no privilege undiscovered, unmanaged, or unaudited. The 10 phases can be implemented via the four solution areas that comprise a complete PAM platform—Privileged Password Management, Endpoint Privilege Management, Secure Remote Access, and Cloud Privilege Protection.
While organizations most frequently begin with securing privileged credentials, you can start anywhere, so long as your PAM platform is flexible. With each PAM layer implemented, your organization eliminates and mitigates additional privileged attack vectors, while realizing new security and operational synergies.
1. Secure & Audit Privileged Account Credentials
Gaining control and accountability over privileged accounts—both human and machine—is often the first step organizations take on their PAM journey. Privileged password management solutions can automate the discovery, onboarding, management (i.e. enforcement of password uniqueness, complexity, rotation, etc.), and monitoring of the ever-expanding types of human and machine privileged accounts/credential types (privileged user passwords, application passwords, DevOps secrets, SSH keys, certificates, etc.), and bring those accounts/credentials under management within a centralized password safe. This is an important step for preventing or mitigating password re-use attacks and other backdoors (orphaned accounts, etc.) into the IT environment.
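The three hygiene problems named above (credential re-use across accounts, overdue rotation, and orphaned accounts whose owner has left) can be checked mechanically once an inventory exists. The following is an added example, not BeyondTrust code: the inventory records, the 90-day rotation policy, and the list of active people are constructed, and secrets are compared only by SHA-256 fingerprint so the check never needs the plaintext.

```python
"""Privileged credential hygiene checks: reuse, rotation age, orphaned owners.

Added illustration, not BeyondTrust code. Inventory records and the policy
thresholds are constructed; a real deployment would pull these from the
password safe and the directory, never from a plaintext list like this.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation policy


@dataclass(frozen=True)
class PrivilegedAccount:
    name: str
    system: str
    kind: str                # "human", "service", "ssh-key", ...
    owner: str               # person accountable for the account
    last_rotated: date
    secret_fingerprint: str  # SHA-256 of the secret, never the secret itself


def fingerprint(secret: str) -> str:
    """Fingerprint a secret so equality can be tested without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample inventory (plaintext shown only so fingerprints can be built here).
TODAY = date(2021, 9, 1)
INVENTORY = [
    PrivilegedAccount("root", "db01", "service", "alice", date(2021, 8, 20), fingerprint("Winter2021!")),
    PrivilegedAccount("root", "db02", "service", "alice", date(2021, 8, 20), fingerprint("Winter2021!")),
    PrivilegedAccount("svc_backup", "ad", "service", "bob", date(2020, 11, 3), fingerprint("b@ckup-Key-77")),
    PrivilegedAccount("jsmith_adm", "ad", "human", "jsmith", date(2021, 8, 30), fingerprint("Uniqu3-pa55")),
]
ACTIVE_PEOPLE = {"alice", "bob"}  # constructed HR / directory extract; jsmith has left


def find_reused_secrets(inventory):
    """Map each fingerprint shared by more than one account to those accounts."""
    by_fp = {}
    for acct in inventory:
        by_fp.setdefault(acct.secret_fingerprint, []).append(f"{acct.name}@{acct.system}")
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


def find_stale_rotation(inventory, today=TODAY, max_age=MAX_PASSWORD_AGE):
    """Accounts whose secret is older than the rotation policy allows."""
    return [f"{a.name}@{a.system}" for a in inventory if today - a.last_rotated > max_age]


def find_orphaned(inventory, active_people=ACTIVE_PEOPLE):
    """Accounts whose accountable owner is no longer an active person: a backdoor risk."""
    return [f"{a.name}@{a.system}" for a in inventory if a.owner not in active_people]


def hygiene_report(inventory=INVENTORY):
    return {
        "reused": sorted(find_reused_secrets(inventory).values()),
        "stale": find_stale_rotation(inventory),
        "orphaned": find_orphaned(inventory),
    }


if __name__ == "__main__":
    for finding, items in hygiene_report().items():
        print(finding, items)
```

Each finding maps to a remediation the password safe should drive: rotate the shared root secret to distinct per-host values, rotate the stale service account, and reassign or retire the orphaned admin account.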
2. Enforce Least Privilege on Desktops (Windows and MacOS)
Enforcing least privilege on desktop devices is one of the most powerful ways to reduce endpoint security risk across the enterprise. Endpoint privilege management solutions can remove local administrative rights and default every user as a standard user. Rather than being enabled, persistent, and always-on, the privileges are only elevated on an as-needed basis and only for the targeted application or process. Limiting both the amount and duration of access condenses both the attack surface and threat window for malicious applications and activity that can abuse privileges.
3. Apply Least Privilege Across Your Server Environment (Windows, Unix, Linux)
IT admins often require elevated rights to perform their jobs. Unfortunately, in the wrong hands, high levels of privilege can be abused to inflict considerable damage to an IT environment and exfiltrate data.
While sudo can help organizations “get by” in simple environments, it’s not an enterprise-class tool. Sudo suffers from significant security and administration drawbacks. Enterprise-class PAM solutions can enable organizations to efficiently and effectively delegate server privileges without disclosing the passwords for root, local, Active Directory domain, or bridged administrative accounts. Least-privileged, just-in-time access should always be enforced, and every privileged session should be closely audited and monitored.
4. Implement Application Reputation
PAM solutions should be able to enforce various application reputation strategies as part of endpoint privilege management. Some of these include:
- Application control capabilities, including allow listing, block listing, and reputation-based listing to restrict applications to only those approved to execute, with the correct privileges, within the appropriate context
- Applying real-time risk intelligence to inform privilege delegation and elevation decisions
- Command filtering (on Unix and Linux systems) and PowerShell script management (on Windows systems)
- Trusted application protection to add context to the IT process tree to prevent threats (i.e. fileless attacks) that leverage trusted applications to perform malicious activities (on Windows systems)
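The list above describes several listing strategies that combine into one launch-time decision: an explicit block list, allow listing by publisher or path, reputation-based listing for everything else, and trusted application protection that looks at the parent process rather than the binary alone. The following is an added example of how such a decision can be ordered, not BeyondTrust's policy engine: the rule format, the reputation scores, the placeholder hashes, and the parent/child pairs are all constructed.

```python
"""Endpoint application-control decision: block list, allow list, reputation,
and parent-process context. Added illustration, not BeyondTrust's engine; the
rule format, reputation scores and sample launch events are all constructed.
"""
from dataclasses import dataclass


@dataclass
class LaunchEvent:
    path: str
    publisher: str       # signer of the binary, "" if unsigned
    sha256: str          # constructed placeholder hashes in the examples below
    parent: str          # parent process image name
    user_requested_elevation: bool = False


# Constructed policy. A real policy would be signed and centrally managed.
ALLOW_LIST = {("publisher", "Contoso IT"), ("path", r"C:\Program Files\Approved\tool.exe")}
BLOCK_LIST = {("sha256", "deadbeef" * 8)}          # placeholder hash of a known-bad binary
REPUTATION = {"a1" * 32: 0.95, "b2" * 32: 0.20}     # constructed: hash -> trust score 0..1
REPUTATION_THRESHOLD = 0.80
# Trusted application protection: document and browser apps should not spawn these hosts.
TRUSTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}
RISKY_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decide(ev: LaunchEvent):
    """Return (decision, reason); decision is 'block', 'allow', or 'elevate'."""
    # 1. An explicit block list wins over everything else.
    if ("sha256", ev.sha256) in BLOCK_LIST:
        return "block", "hash on block list"
    # 2. Context: a trusted productivity app launching a scripting host is the
    #    fileless / living-off-the-land pattern; block regardless of signer.
    if ev.parent.lower() in TRUSTED_PARENTS and basename(ev.path) in RISKY_CHILDREN:
        return "block", f"{ev.parent} spawned {basename(ev.path)}"
    # 3. Allow list by publisher or exact path.
    allowed = ("publisher", ev.publisher) in ALLOW_LIST or ("path", ev.path) in ALLOW_LIST
    # 4. Reputation-based listing for anything not explicitly allowed.
    if not allowed:
        score = REPUTATION.get(ev.sha256, 0.0)   # unknown hash scores 0: default deny
        if score < REPUTATION_THRESHOLD:
            return "block", f"reputation {score:.2f} below threshold"
    # 5. Privilege goes only to the approved application, and only when requested.
    if ev.user_requested_elevation:
        return "elevate", "approved application, elevated for this process only"
    return "allow", "approved application, standard user rights"


# Constructed launch events illustrating each branch.
SAMPLE_EVENTS = {
    "known_bad": LaunchEvent(r"C:\Users\x\evil.exe", "", "deadbeef" * 8, "explorer.exe"),
    "office_to_powershell": LaunchEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Microsoft Windows", "c3" * 32, "WINWORD.EXE"),
    "approved_elevation": LaunchEvent(
        r"C:\Program Files\Approved\tool.exe", "Contoso IT", "d4" * 32, "explorer.exe", True),
    "good_reputation": LaunchEvent(r"C:\Tools\util.exe", "", "a1" * 32, "explorer.exe"),
    "poor_reputation": LaunchEvent(r"C:\Tools\other.exe", "", "b2" * 32, "explorer.exe"),
    "unknown_unsigned": LaunchEvent(r"C:\Tools\new.exe", "", "e5" * 32, "explorer.exe"),
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        print(label, decide(ev))
```

The ordering matters: the block list and the parent-process check are evaluated before the allow list so that a signed, normally trusted scripting host is still stopped when it is launched from a document, and an unknown hash defaults to deny rather than allow.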
5. Control Remote Access
VPNs and other widely used remote access tools lack connection isolation, granular privilege and access controls, and application-based audit capabilities. With the recent, large-scale shift to remote work, tools like VPNs and RDP are often stretched way beyond their legitimate use cases, contributing to a surge in attacks opportunistically exploiting these weak points. PAM platforms with privileged remote access capabilities can enforce least-privilege access and session auditing for remote access sessions—for both vendors and employees—better than traditional VPN solutions alone. These solutions can also be used to proxy and lock down remote access for cloud control planes and other SaaS-based consoles.
6. Extend PAM Best Practices to Network Devices and IoT/IIoT
Some non-traditional endpoints and edge devices, like IoT, have minimal computing power, which means they may not be candidates for traditional endpoint security tools, like AV. Additionally, IoT and network devices may have embedded or easy-to-guess credentials, among other design flaws. That’s why it’s critical to extend credential management, least privilege, and other PAM controls to these devices and keep them properly segmented across your environment. Remote access also needs to be secured between edge systems, with full monitoring of all privileged access. All these types of controls are also especially important with operational technology (OT) environments that include critical infrastructure. PAM solutions can help enforce proper segmentation for OT, while also managing privileged access and accounts.
7. Extend PAM Best Practices to the Cloud and Virtualized Environments
In addition to suffering from many of the same privileged access weaknesses as on-premises environments, the cloud presents unique use cases, such as hypervisors, cloud management consoles, and APIs. In the cloud, ephemeral privileged accounts and credentials are rapidly instantiated and disposed of when new cloud and virtual instances are spun up and, just as easily, spun down. When managing any privileged account, discovery is the critical first step to gaining control over these assets and the many planes of privileges across cloud environments. Organizations need a clear view of the privileged entitlements across their multicloud infrastructure. Once cloud and virtualized instances and their assets are found, they must be managed to limit exposure, and all session access should be monitored and audited. Simply put, PAM has a substantive role to play when it comes to both cloud security and API security, regardless of how privileged accounts are implemented and accessed.
8. Extend PAM to DevOps, DevSecOps, and Automation Workflows
DevOps seems to magnify many of the worst PAM challenges due to the heavy emphasis on automation and speed. Common DevOps risks include:
- Insecure code and hardcoded passwords
- Scripts or vulnerabilities in Continuous Integration/Continuous Deployment (CI/CD) tools, that could deploy malware or sabotage code
- Over-provisioning of privileges
- Sharing of DevOps secrets
While DevOps presents some special use cases, PAM’s role in DevOps security is comparable to any other environment—managing privileged accounts/credentials (including for CI/CD tools, service accounts, etc.), enforcing least privilege, etc. It is also essential that the PAM solution does not disrupt or delay workflows, but rather enables peak DevOps agility. Securing the accounts, secrets, keys, and certificates required for automation is a fundamental part of extending PAM into your development and automation practices. Similarly, PAM technologies should be used to secure the credentials and privileges of other automated workflows, such as with robotic process automation (RPA).
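The first DevOps risk in the list above, hardcoded passwords and keys in code and pipeline definitions, is one that can be caught in CI before the secret ever reaches a repository. The following is an added example of such a check, not BeyondTrust code: the pipeline snippet is constructed, the regexes cover only a few common shapes, and the exemption for vault references (values injected from a secrets store at run time) is the assumed convention of the pipeline shown. The AWS key in the sample is the example value from AWS's own documentation, not a live credential.

```python
"""Detect hardcoded credentials in pipeline configuration and scripts.

Added illustration, not BeyondTrust code. The patterns cover common key
formats and assignment shapes; the CI snippet is constructed. A pipeline under
PAM would fetch secrets from a vault at run time rather than embedding them.
"""
import math
import re
from collections import Counter

# A literal assigned to a secret-looking name, e.g. password = "..." or DB_PASSWORD: "..."
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"
    r"['\"]?\s*[:=]\s*['\"]?([^'\"\s]{6,})"
)
# Well-known structured key shapes.
KNOWN_SHAPES = [
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Vault / environment references look like secrets to a naive scanner; exempt them.
VAULT_REFERENCE = re.compile(r"^\$\{\{?\s*(secrets|vault)\.|^\$\(|^\$[A-Z_]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character; generated secrets score higher than words like 'changeme'."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_floor: float = 3.0):
    """Return (line_no, kind, value) for every line that embeds a literal secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in KNOWN_SHAPES:
            m = pat.search(line)
            if m:
                findings.append((no, kind, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if VAULT_REFERENCE.match(value):
                continue  # injected from a secrets store or environment at run time
            kind = "high-entropy literal" if shannon_entropy(value) >= entropy_floor else "weak literal"
            findings.append((no, kind, value))
    return findings


# Constructed pipeline definition with two embedded secrets and two vault references.
PIPELINE = """\
name: deploy
env:
  DB_PASSWORD: "Pr0d-Db-P@ss-2021"
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  API_TOKEN: ${{secrets.API_TOKEN}}
steps:
  - run: ./deploy.sh --password=$DB_PASSWORD
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(PIPELINE):
        print(f"line {line_no}: {kind}: {value}")
```

Wired into a pre-commit hook or a CI job that fails the build on any finding, this shifts the control left; the PAM secrets store then becomes the only place a credential legitimately lives.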
9. Integrate PAM and Identity Access Management
As IT environments become more distributed and perimeters dissolve, an identity-centric (or, “identity-defined”) approach to security is becoming increasingly important. While identity and access management (IAM) solutions help IT teams answer, “Who has access to what?” PAM solutions answer the questions of “Is that access appropriate?” and “Is that access being used appropriately?” Complete visibility and accountability over identities requires bi-directional integration of privilege management and IAM solutions. Some PAM solutions also include AD Bridging capabilities, which help further centralize identity management and authentication by providing single sign-on across Windows, Unix, Linux, and macOS environments using the same account for simplified access, monitoring, and reporting.
10. Integrate PAM with Other IT Tools
PAM + IAM integration is imperative, but your privileged access security workflows and data should also integrate with the rest of your IT and security ecosystem. Gaps in this ecosystem translate into security vulnerabilities and lost productivity. The better your PAM platform integrates (such as with SIEM, ITSM, etc.), the more effective your ability to orchestrate pinpoint responses to problems—or opportunities. As a general rule, any security technology that solves a problem, but that does not integrate into the rest of your ecosystem, is a point solution with a finite lifespan. Therefore, make sure your PAM investment works with, and integrates with, your overall IT and security ecosystem to best serve your environment.
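Phase 5 (session auditing for vendor and employee remote access) and phase 10 (feeding PAM data to SIEM and ITSM) meet in the audit export: each privileged session becomes a SIEM event, and the ITSM ticket and the vendor's entitlements supply the context that turns a log line into a detection. The following is an added example of that normalization and check, not BeyondTrust code: the session record format, the vendor entitlements, the change window, the ticket convention and the flattened event schema are all constructed assumptions; a real integration would read the PAM platform's own audit export and query the ITSM's API.

```python
"""Normalize PAM session audit records for a SIEM and flag policy exceptions.

Added illustration, not BeyondTrust code. The record format, vendor
entitlements, change window and ITSM ticket convention are constructed.
"""
import json
from datetime import datetime, time

# Constructed PAM audit export: one privileged remote session per record.
SESSIONS = [
    {"id": "s1", "user": "vendor_hvac", "type": "vendor", "target": "bms-01",
     "start": "2021-09-01T10:15:00", "ticket": "CHG-1042", "recorded": True},
    {"id": "s2", "user": "vendor_hvac", "type": "vendor", "target": "db01",
     "start": "2021-09-01T10:40:00", "ticket": "CHG-1042", "recorded": True},
    {"id": "s3", "user": "alice", "type": "employee", "target": "db01",
     "start": "2021-09-01T23:30:00", "ticket": "", "recorded": True},
    {"id": "s4", "user": "alice", "type": "employee", "target": "db01",
     "start": "2021-09-01T14:05:00", "ticket": "CHG-1050", "recorded": False},
]
VENDOR_TARGETS = {"vendor_hvac": {"bms-01", "bms-02"}}  # constructed vendor entitlements
CHANGE_WINDOW = (time(8, 0), time(18, 0))                # constructed: business hours only
OPEN_TICKETS = {"CHG-1042", "CHG-1050"}                  # constructed ITSM extract


def exceptions_for(s):
    """List every policy the session violates; an empty list means a clean session."""
    issues = []
    start = datetime.fromisoformat(s["start"])
    if s["type"] == "vendor" and s["target"] not in VENDOR_TARGETS.get(s["user"], set()):
        issues.append("vendor reached a target outside its entitlement")
    if not (CHANGE_WINDOW[0] <= start.time() <= CHANGE_WINDOW[1]):
        issues.append("session outside change window")
    if s["ticket"] not in OPEN_TICKETS:
        issues.append("no open ITSM ticket for session")
    if not s["recorded"]:
        issues.append("session recording missing")
    return issues


def to_siem_event(s):
    """Flatten a session into a SIEM-friendly event (constructed schema)."""
    issues = exceptions_for(s)
    return {
        "event_type": "pam.session",
        "session_id": s["id"],
        "src_user": s["user"],
        "src_user_type": s["type"],
        "dst_host": s["target"],
        "start_time": s["start"],
        "change_ticket": s["ticket"] or None,
        "severity": "high" if issues else "info",
        "policy_exceptions": issues,
    }


def flagged_sessions(sessions=SESSIONS):
    """Session ids a SIEM correlation rule would raise for analyst review."""
    return [e["session_id"] for e in map(to_siem_event, sessions) if e["policy_exceptions"]]


if __name__ == "__main__":
    for s in SESSIONS:
        print(json.dumps(to_siem_event(s)))
```

Each exception is something only the integration can see: the PAM platform knows the session happened, the ITSM knows whether a change was authorized, and the SIEM is where the two are joined and alerted on.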
To learn how to secure every instance of privileged access across your digital enterprise, visit BeyondTrust.
Matt Miller, Director, Content Marketing & SEO
Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cybersecurity, cloud technologies, and data governance in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cybersecurity, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.