Puleng News


Mandate control and drive strong audit across the enterprise

In almost every recent breach, attackers have used stolen or guessed login accounts to access sensitive systems, or have exploited people or systems to install malware. Sensitive login accounts, credentials, passwords, and vulnerabilities can be controlled if you take a few steps to build a plan and methodology.

In most organisations there are people and computer systems that have a normal operation, operations that are special, privileged, or have the ability to change things important to you or important to the continued operation of your company. At each of these layers, there is a job people are supposed to do, a job that people have the ability to do, but shouldn't, and special roles and responsibilities that have "special purpose" to your business or computer operations.

What do you do to protect your company, acknowledging that there are all of these people that you need to trust to do their job, knowingly having special/privileged access to your most important data? You certainly could simply trust them or you can follow best practice and protect against inappropriate privileged operations, and immediately take action against abuse.

In the industry, we call building and executing on your strategy a PIM/PAM project. No matter what you call it, it is still the concept of developing definitions, implementing rules, and executing the ongoing management of the privileged decisions, rights, roles, groups, entitlements, and passwords that some users in your environment have.

There are four common groupings that can conceptually explain what types of PAM/PIM use cases you need to work through to build this out and how to execute this for real.

The general four representative groups are "Front Office", "Back Office", "Systems and Network", and "Developers/Data/Application".

Firstly, in the "Front Office" there are folks who often provide customer service, answer the telephones, or provide a set of services that change only when you want a business process to change. For the front office, your goal is to provide a set of standard computer systems and applications for people to do their jobs. They should never be able to change their systems or applications or to install software, and would be considered general "users" of the system. These folks follow a defined set of processes and procedures, and if they service customer data, they likely only touch one or two records at a time. This group of users will end up having the most stringent controls in place, such as removing administrative rights, disallowing the installation of software, and tracking any privileged action any user performs.

Secondly, in the "Back Office" there are folks who often provide more advanced financial analysis, perform business process work, perform money transfers, write checks, or work with large data sets. These employees might not have access to the systems themselves, but they likely have access within applications, or are the application administrators you trust enough to give rights within that application and to supervise others who have access to the data or financial transactions that can impact your company. These users may have legacy software to control, and are unlikely to need administrative rights to their workstation or the ability to install software. They need business data access, but very few need systems privileges, and the ones that do should have privileged accounts that are separate from their normal business accounts.

Thirdly, Security, Systems and Network require people to perform critical administrative functions against these assets and across the data centre. They may have the "keys" to everything important. Even though they have the keys, you still must protect their entry workstations, control access into critical areas, and monitor what these users execute on your most critical systems. Even though they have the rights, they should not be unsupervised and allowed to change "everything", because most global regulations require change monitoring, integrity control, and separation of rights and privilege between types of users. For outsourced resources, you may even want to go as tight as limiting what they do to single systems or command sets, while monitoring, but not limiting, what everyone else does.

Finally, Developers, Data, and Application staff provide administrative functions to business software, and almost always need direct access to real customer data or program source code. They may always have access to critical data to do their job. From a privilege management standpoint, you would want technology that implements full monitoring and allows these users to install most software, while making sure that there are no vulnerabilities or malware. Developers that are working on production releases should start from a standard image with slight customisation. It is best practice to stop developers from modifying the underlying operating system. They can work with whatever software they want, just don't allow them to reduce the security of the easiest entry point into your network... the people. It is very important to require authentication with separate credentials to move code or data into production, to ensure the privileges of these users are appropriate to the systems and are recorded for change management purposes, and to ensure that, when promoting to production, alternate approvals or change gates exist.
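The four groups above each translate into a small set of checkable rules: front-office accounts never perform privileged actions; back-office staff use a separate privileged account for the few systems privileges they hold; systems and network administrators are session-recorded and outsourced ones are scoped to named systems; developers may install software but not modify the operating system, and promotion to production needs separate credentials plus an approved change. The script below is an added example, not Puleng's code or any product's logic, that runs such rules over a handful of constructed audit events. The role names, the event fields, the "-adm" suffix convention for separate privileged accounts, and the outsourced scope list are all assumptions made for the illustration.

```python
"""Check privileged-activity audit events against role-based PAM rules.

Added example (not Puleng's code). Role names, event fields, the "-adm"
account-suffix convention and the sample events are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Actions treated as privileged no matter who performs them (constructed set).
PRIVILEGED_ACTIONS = {"install_software", "modify_os", "sudo", "config_change"}

# Systems an outsourced administrator account may touch (constructed allowlist).
OUTSOURCED_SCOPE = {"vendor-admin-adm": {"fw-edge-01"}}


@dataclass
class Event:
    user: str                 # account the action ran under
    role: str                 # front_office | back_office | sysnet | developer
    action: str               # e.g. "read_record", "sudo", "promote_to_prod"
    target: str               # system or application acted upon
    recorded: bool = False    # session/command recording was active
    change_ticket: str = ""   # approved change reference, if any
    outsourced: bool = False  # account belongs to an outsourced resource


def is_privileged_account(user: str) -> bool:
    """Separate privileged accounts carry a '-adm' suffix (constructed rule)."""
    return user.endswith("-adm")


def check_event(ev: Event) -> list[str]:
    """Return the policy findings for one event (empty list means compliant)."""
    findings: list[str] = []
    privileged = ev.action in PRIVILEGED_ACTIONS
    if ev.role == "front_office":
        # Standard users: no privileged actions at all.
        if privileged:
            findings.append(f"{ev.user}: front office may not perform {ev.action}")
    elif ev.role == "back_office":
        # Privileged work only from a separate privileged account.
        if privileged and not is_privileged_account(ev.user):
            findings.append(f"{ev.user}: {ev.action} from a normal business account")
    elif ev.role == "sysnet":
        # Admins keep their rights but every privileged action is recorded.
        if privileged and not ev.recorded:
            findings.append(f"{ev.user}: unrecorded {ev.action} on {ev.target}")
        # Outsourced admins are limited to named systems.
        if ev.outsourced and ev.target not in OUTSOURCED_SCOPE.get(ev.user, set()):
            findings.append(f"{ev.user}: outsourced access outside scope ({ev.target})")
    elif ev.role == "developer":
        # Software installs are fine; changing the OS image is not.
        if ev.action == "modify_os":
            findings.append(f"{ev.user}: developer modified the operating system")
        # Promotion to production needs separate credentials and a change gate.
        if ev.action == "promote_to_prod":
            if not is_privileged_account(ev.user):
                findings.append(f"{ev.user}: promotion without separate credentials")
            if not ev.change_ticket:
                findings.append(f"{ev.user}: promotion without an approved change")
    else:
        findings.append(f"{ev.user}: unknown role {ev.role!r}")
    return findings


def audit(events: list[Event]) -> list[str]:
    """Run check_event over a batch and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample audit trail; comments give the expected finding count.
SAMPLE_EVENTS = [
    Event("alice", "front_office", "read_record", "crm"),                        # 0
    Event("alice", "front_office", "install_software", "ws-0142"),               # 1
    Event("bob", "back_office", "config_change", "erp"),                         # 1
    Event("bob-adm", "back_office", "config_change", "erp"),                     # 0
    Event("carol-adm", "sysnet", "sudo", "db-prod-01", recorded=True),           # 0
    Event("carol-adm", "sysnet", "sudo", "db-prod-01", recorded=False),          # 1
    Event("vendor-admin-adm", "sysnet", "config_change", "db-prod-01",
          recorded=True, outsourced=True),                                       # 1
    Event("dave", "developer", "install_software", "dev-ws-07"),                 # 0
    Event("dave", "developer", "modify_os", "dev-ws-07"),                        # 1
    Event("dave", "developer", "promote_to_prod", "app-prod"),                   # 2
    Event("dave-adm", "developer", "promote_to_prod", "app-prod",
          change_ticket="CHG-0001"),                                             # 0
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the event fields would come from the PAM tool's session logs and the identity directory rather than from inline literals, and the "-adm" naming rule would be replaced by whatever marks a privileged account in your directory; the point is that each group's controls reduce to conditions you can evaluate continuously rather than only at access-request time.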

Puleng Technologies has discussed a number of concepts that you can think through as you build your privileged access lock-down program. Remember that this is a lengthy journey and unless you are building a company from scratch, you will need to communicate to people, purchase software/hardware products, and change behaviour. This all comes after careful planning, use case development, and following best practices.

As you start to lock down your environment, you will make it harder and harder for insiders or external attackers to perform improper operations against your company. You will never be 100% secure, but by employing these strategies, you can get to where attackers will have to try harder than ever to break in... or just move on to the next target.