A Faraday Cage is an enclosure used to block electromagnetic fields from intruding into the cage. The cage itself is made by covering an enclosure with a conductive material in either solid sheets or mesh tuned by porosity to block specific frequencies. It was created by Michael Faraday in 1836, and operates because an external electrical field causes the electric charges within the cage's conducting material to be distributed such that they electromechanically negate the field's effect in the cage's interior. This principle is used to protect sensitive electronic equipment from external radio frequency interference.
If you have ever opened a radio, cell phone, or other radio transmitter and receiver, you may have noticed a metal box within the circuitry. That is a Faraday Cage. It is used to block other electromagnetic noise from affecting the operations of critical circuits within the device. This is where our correlation to privileged access management (PAM) begins with containment from external interference. Privileges should be treated as if they are contained within a Faraday Cage, and be blocked by external and internal interference.
To better understand this analogy, think of all your privileged accounts. Think of where they all are and who may have them. Think of technology you have implemented and whether those privileges extend beyond your traditional perimeter. Are they in the cloud, used by DevOps, and do people outside of your organization, like contractors or partners, have them? The figure below summaries these permutations:
This is where we need a Faraday Cage, and in some cases, maybe a few of them. We need to protect privileged credentials, shared accounts, and other forms of authentication with a shield, like a segmented network zone, to ensure they are not misused or tampered. These traits are the basis for privileged access management. By building a zone for managing privileges, and defining a perimeter even if it is outside of the corporate firewall, you contain the usage and exclude any interference.
One of the foundational aspects of PAM is enterprise password management, and it is relevant to the analogy. Password management under PAM relies on a secure data storage medium (typically a commercial database) to store passwords. The system allows for check in, check out, and automatic rotation of passwords. The entire process should be contained within our “Faraday Cage.” We do not want anything to tamper with or extract passwords inappropriately, or compromise attestation reporting of privileged passwords. Otherwise, the end result could be inappropriate privilege requests, malicious user behavior, and even tampering with privileged attestation logs. The perimeter for privilege management must be secured and free from interference. And this is how we got to our analogy.
Regardless of how far privileges extend beyond your perimeter, you need to consider the “Faraday Cage” that protects PAM from misuse. Architectures, security best practices, VPN access, 2FA, MFA, reverse proxies, and vulnerability management are all conductive materials to build a cage around your PAM solution. It cannot do it on its own and it needs proper protection. After all, it does contain all the privileged credentials to your environment and all of your extended resources.
For more information on BeyondTrust’s PAM solutions, and how they can help you secure your extended perimeter, contact us today. We have reference architectures and security best practices to make sure your implementation is designed in a secure zone, an electronic PAM “Faraday Cage”, to ensure it helps you reduce risk, and never becomes a liability for your organization.
