Overview
Key Challenges
Many security and risk management leaders have “business as usual” PAM practices
that violate the principle of least privilege by granting undifferentiated privileged access
to users on a permanent basis.
PAM approaches using vaulting and session recording (basic PAM) have been
prioritized in many organizations. But their focus is on visibility and control of existing
privileged accounts and activities, which leaves privilege elevation and delegation
approaches immature to nonexistent.
Many privileged accounts for interactive use are “fully armed” with an unnecessarily
high level of standing privileges, violating the principle of least privilege and leaving a
risk surface.
Organizations struggle to introduce changes to privileged access operational models
because administrators and IT operations staff are used to having personal privileged
accounts they can use at their discretion.
Recommendations
To properly mitigate the risk of standing privileged access, security and risk
management (SRM) leaders responsible for IAM should closely follow the vision of the
principle of least privilege and:
Drastically reduce, with a goal toward eliminating, standing (i.e., “always on”) privileged
access by using just-in-time (JIT) approaches. This will ensure that privileges are only
granted when a valid reason for them exists, with zero standing privileges (ZSP) as the
goal.
Investigate the different approaches for JIT privileged access, and choose the
combination that best balances the expected effort to change organizational practices
against the security, risk and operational outcomes.
Map required and desired JIT capabilities against product offerings to choose the right
PAM tools (or augment existing tools with additional solutions). Keep in mind that some
capabilities are not generally available in most PAM tools but may be roadmapped by
vendors.
Introduction
Proper management of privileged access requires following the principle of least
privilege. This principle states, broadly speaking, that someone or something should
have exactly the minimum rights required to carry out a specific task. However, many
organizations start from a point where certain users have access to highly privileged
accounts and, in many cases, personal privileged accounts, which provides them
privileged access whenever they want and with little limitation. This violates the principle
of least privilege in multiple ways:
Rather than limiting the time when privileged access is granted (“at the right time”),
access is granted to users on a standing basis (“always on/always available”).
Rather than limiting access to the minimum required for a particular task, privileged
accounts often have broad administrative privileges (i.e., superuser or equivalent). This
is done to cover all possible administrative tasks that may be required of the privileged
users within the near or medium future.
Rather than granting access to the specific system or application in scope for a
particular administrative task, privileged accounts are often granted on multiple systems
at the same time, by using central authentication and directory services, allowing
access that is not required.
Without a structured plan to instill proper secure practices and processes, in
combination with the deployment of appropriate PAM tools, users will routinely receive
more privileges than required for administrative tasks. These excessive privileges
introduce significant risk. The net effect will be that PAM initiatives will have limited
effectiveness, while a considerable attack surface remains. How should SRM leaders
plan a successful PAM initiative that follows the principle of least privilege as closely as
possible?
The answer lies in drastically reducing, with a goal toward eliminating, standing (i.e.,
“always on”) discretionary access to privileges by using just-in-time (JIT) approaches for
privileged access.
Analysis
In the 2019 Verizon Data Breach Investigations Report, three of the top four attacks represented failures in IAM practices: stolen credentials, phishing and privilege abuse.[1] The volume of news about breaches of confidential data comes at a pace that leaves consumers numb, and creates the illusion that, given the failure of so many to protect confidential information, the principle of least privilege is an unattainable goal.
In the area of privileged access management (PAM), tools exist today to dramatically
reduce that attack surface. Yet, many organizations are not using PAM tools and
approaches. Or, the organizations that have created a PAM practice have stopped at
“basic PAM” (vaulting and session management). But an effective PAM practice
embraces the entire concept of least privilege, granting only the right privileges to only
the right system and to only the right person for only the right reason at only the right
time.
PAM vendors are maturing in placing tools in the hands of leaders to help them implement the fundamentals of least privilege. PAM practices in the market have found some success in allowing only the right person the right access to the right resource; however, achieving this at only the right time is where many have fallen short of the mark for least privilege.
Zero standing privileges (ZSP) is the purest form of JIT, which addresses the final
guidance of the principle of least privilege “at only the right time,” by eliminating the risk
of standing privileges. Standing privileges can take multiple forms: accounts with
continuous privileges in the form of privileged group memberships or static rules that
allow the execution of privileged commands. One very common example of a practice
that violates the principle of least privilege is personal privileged accounts. These are
accounts that are routinely issued to administrators in many organizations. These
accounts typically hold excessive privileges to a broad number of systems and are
available for use any time. When personal privileged accounts exist in an environment,
even when controlled by a PAM tool, the account and, therefore, the privileges exist,
leaving the risk of standing privileges in the environment.
Standing privileges present a risk surface by their nature of being “fully armed and
always available,” even when under the management of a PAM tool. ZSP “disarms”
privileged accounts until the time when those privileges are really required. The
fundamental purpose of a JIT/ZSP approach is to reduce the attack surface for
privileged access abuse. Basic PAM (vaulting and session management) will
help mitigate the risk of the existence of privileged accounts. JIT reduces the risk of
privileged access abuse, and ZSP reduces the attack surface of the privileged accounts
themselves.
The fundamental approach to PAM has not changed; a mature PAM practice must still
capture all privileged risk for an organization. It remains paramount that organizations
implement a strategy and practice that successfully address the four pillars of PAM
(see “Best Practices for Privileged Access Management Through the Four Pillars of
PAM”).
Briefly, the four pillars of PAM represent the fundamental approaches for mitigating risk
represented by privileged access within the modern enterprise: track and secure,
govern and control, record and audit, and operationalize. All pillars apply to ZSP and
JIT, but the first two pillars are particularly relevant to understanding why ZSP and JIT
must be prioritized in your PAM practice:
Pillar No. 1, track and secure, ensures all privileged accounts are tracked in terms of
their life cycle. It includes discovery of all privileged access and is foundational for a
successful PAM practice. Divide access into two categories: people-based (interactive)
and software-based. Inventory and vault all accounts that provide elevated access, and
inventory and group use cases according to common patterns.
Pillar No. 2, govern and control, eliminates excessive privileges and plans and governs
privileged access according to the privileged use patterns and use cases. This is where
JIT is critical, and a ZSP approach becomes a powerful method for eliminating
excessive privileges.
JIT is necessary to reach the minimum level of maturity in pillar No. 2, meaning
that after discovery and vaulting of all privileged access accounts is in place, the PAM
practice must be expanded to remove standing access to privileged accounts through
JIT approaches.
After basic JIT steps, ZSP is the next natural step for privileged access maturity. It
“disarms” privileged accounts when not in use, until the time when those privileges are
really required. ZSP is attained by refining and complementing existing JIT concepts.
A set of processes and workflows (defined by PAM policy) that manage both privileged
access requests and fulfillments for an environment (including employees, consultants,
vendors and, potentially, software).
For a JIT approach to be successful, some elements of adaptive access, or predefined approval policies, should be applied to help reduce complexity and friction. For example, using risk scoring, or predefined approvals, to automatically approve access for a defined task in a defined time window for a defined user access request.
A mechanism to allow privileged task execution for a normal (nonprivileged) user ID for
a defined amount of time on a defined resource, or set of resources, for a defined set of
tasks. Or, the ability must exist to create one-time (ephemeral) privileged access that
has these same restrictions.
An ability to record and monitor all activities completed with the temporarily elevated
access during the time of privileged access.
JIT Approach: Privilege Elevation (PEDM, Sudoers)
Description: A normal, nonprivileged account is granted privileged access by a static elevation
Meets Principle of Least Privilege: No. This pattern does not meet the principle of least privilege. Even if sufficient policy exists to refine access to
Meets Zero Standing Privileges Approach: No. This does not meet the standard for ZSP since even though the account is only used when required, the privileges granted through policy are always there and available.

JIT Approach: ZSP Privilege Elevation
Description: A normal, nonprivileged account is temporarily granted “one-time” privileged access for a defined set of tasks, for a defined period of time.
Meets Principle of Least Privilege: Yes. This pattern does meet the principle of least privilege if sufficient policy exists to refine access to only what is necessary and sufficient visibility in terms of recording is available.
Meets Zero Standing Privileges Approach: Yes. This meets the standard for ZSP because no privileges exist prior to the grant of access or after the grant of access has expired.

JIT Approach: JIT Group Membership
Description: A normal, nonprivileged account is temporarily added to a group, which grants privileged access (such as local administrator). The group membership is controlled by a tool, and users
Meets Principle of Least Privilege: Yes. This pattern does meet the principle of least privilege as long as granular access is defined. For example, if local administrator is the only group defined, excessive privilege is likely
Meets Zero Standing Privileges Approach: Yes. This meets the standard for ZSP because the group membership is temporary. The user only has access to the privileged access associated with the group during the time of need, and it is removed afterward.

JIT Approach: JIT Account Creation and Removal
Description: Automatic creation of a privileged account for a period of time, for a specific task. The account is deleted when the assigned task is complete. Limiting access to only critical personal privileged accounts is the way most organizations manage this risk.
Meets Principle of Least Privilege: Yes. This pattern does meet the principle of least privilege as long as the granted privileges are sufficiently granular in nature.
Meets Zero Standing Privileges Approach: Yes. This meets the standard for ZSP because the account only exists for the period of time necessary for the privileged task to be accomplished.

JIT Approach: JIT Security Tokens
Description: An ephemeral, one-time access (many times a mechanism like a certificate) account is created for a specific task, device and person.
Meets Principle of Least Privilege: Yes. This pattern does meet the principle of least privilege as long as the account created is provided granular access, only the required access for the required task on the required system.
Meets Zero Standing Privileges Approach: Yes. This meets the standard for ZSP since the account will only exist on a one-time basis, leaving no standing access after the task has been completed.
Source: Gartner
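As an added illustration, not part of the Gartner research or of any PAM vendor's product, the following Python models the two pieces this section describes: the predefined-approval request step (a defined task, in a defined time window, for a defined user) that issues a time-bound grant, and an audit over a grant inventory that separates standing privileges (which fail the ZSP standard in the table above) from temporary grants and from temporary grants that expired but were never revoked. Policy fields, role names, resource names and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class ApprovalPolicy:
    """Predefined approval: role may run task on resources with this prefix, for at most max_duration, inside a UTC hour window."""
    role: str
    task: str
    resource_prefix: str
    max_duration: timedelta
    window_start_hour: int  # inclusive
    window_end_hour: int    # exclusive

@dataclass
class Grant:
    user: str
    resource: str
    task: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None models a standing ("always on") privilege

def evaluate_request(policies, user_roles, user, task, resource, duration, now):
    """Auto-approve when a predefined policy covers the request; otherwise route it to manual approval."""
    for p in policies:
        if (p.role in user_roles.get(user, ()) and p.task == task and resource.startswith(p.resource_prefix)
                and duration <= p.max_duration and p.window_start_hour <= now.hour < p.window_end_hour):
            return "approved", Grant(user, resource, task, now, now + duration)
    return "manual", None

def audit_grants(grants, now):
    """Bucket grants: standing (no expiry, violates ZSP), expired (temporary grant not yet revoked), active."""
    report = {"standing": [], "expired": [], "active": []}
    for g in grants:
        bucket = "standing" if g.expires_at is None else "expired" if g.expires_at <= now else "active"
        report[bucket].append(g)
    return report

# Constructed sample data: one auto-approval policy for patching Windows servers during business hours.
POLICIES = [ApprovalPolicy("winadmin", "patch", "win-", timedelta(hours=2), 8, 18)]
USER_ROLES = {"alice": ("winadmin",)}
NOW = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
def demo():
    status, grant = evaluate_request(POLICIES, USER_ROLES, "alice", "patch", "win-app-01", timedelta(hours=1), NOW)
    too_long, _ = evaluate_request(POLICIES, USER_ROLES, "alice", "patch", "win-app-01", timedelta(hours=4), NOW)
    inventory = [grant,
                 Grant("carol", "win-*", "admin", NOW - timedelta(days=400), None),  # personal privileged account
                 Grant("dave", "win-db-02", "patch", NOW - timedelta(hours=3), NOW - timedelta(hours=1))]  # not revoked
    report = audit_grants(inventory, NOW)
    return status, too_long, grant.expires_at, {k: len(v) for k, v in report.items()}
```

The "expired" bucket is the one a PAM operator should alert on: a temporary grant that outlives its window has silently become a standing privilege.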
Map Required and Desired JIT Capabilities Against
Product Offerings to Choose the Right PAM Tools
After you have implemented a privilege discovery process, inventory and group use
cases for privileged access according to the model shown in Figure 2. Weigh each use
case against the five W’s model to define access in terms of:
Next Steps
The goal of a mature PAM practice is to implement the principle of least privilege across
all privileged access use cases. Security and risk management leaders seeking to
properly mitigate the risk of standing privileged access must continue to mature their
PAM practice through the following:
Immediately plan for removal of all personal privileged accounts, migrating that access
into shared accounts managed by a PAM tool or to JIT/ZSP approaches.
Upon completion of discovery of PAM use cases, weigh use cases against the “five
W’s” (see Figure 2) to find additional use cases for JIT access and to map migration
paths from vaulting and session management to JIT, if appropriate.
Leverage the JIT capability that exists in your PAM tool, or if you’re choosing a PAM tool, evaluate the JIT capabilities of vendors (including roadmapped items) as part of your selection process. While the entirety of PAM risk must be captured by a PAM tool, your most prominent PAM use case (Windows server access, for example) can perhaps be addressed using a JIT approach.
Tighten identity life cycles for users as part of an overall identity governance and
administration strategy. Governance of administrative accounts is critical in a vaulting
and session management approach. But a JIT approach depends on bulletproof identity
life cycle management that guarantees no unauthorized users have access. Remember
that normal user accounts have the potential to be granted administrative JIT access;
thus normal accounts must be properly secured.
Evidence
Gartner recorded over 550 inquiries on PAM over the past 12 months. In conversations with Gartner about PAM, clients regard it as a top security initiative, with clients at various stages of maturity in implementation.
[1] “2019 Data Breach Investigations Report,” Verizon.