A privileged access management (PAM) solution provides the link between users and the privileged accounts they use on systems.
A PAM solution manages administrative access, so the people who use it hold the highest level of access to systems. They often have “god rights” across multiple systems and could do the most damage, whether intentionally or by mistake. Because of this, companies need visibility into what these users are doing and need to substantiate that the users who have this degree of access are using it appropriately.
Auditing PAM: Access Reviews
This is where PAM auditing comes in. Companies should audit the level of access PAM users have so that they are only able to access the systems needed to do their jobs.
For example, a System Center Configuration Manager (SCCM) architect should have access to the SCCM servers, consoles, and the database the system runs on, and little beyond that. An auditor’s job is to make sure that the SCCM architect has neither more access than needed nor too little. This can be accomplished through access reviews.
Rogue administrators pose a serious risk to companies because they can access confidential assets and essential networks and systems. For example, a fired system administrator at a boot manufacturer created a backdoor into the company’s systems on his way out the door. He was able to shut down the company’s email and application servers, delete core system files, and downgrade the account permissions of IT staff. The company had to hire an outside contractor to repair the damage, which resulted in weeks of lost orders. The disgruntled employee was ultimately caught and arrested, but the initial damage might have been stopped by monitoring his privileged access, reviewing the systems he was accessing before he left the company, and revoking his privileged credentials the moment his employment ended.
In another case, a Trend Micro employee gained unauthorized access to a customer-support database, stole data of 68,000 customers, and sold it to cybercriminals. The criminals then called customers pretending to be Trend Micro support staff.
In fact, 30 percent of data breaches involve insider threats, according to the latest Verizon Data Breach Investigation Report. Internal actors can make mistakes that lead to a breach or intentionally abuse their privileges for unauthorized access to systems. A rogue employee can compromise networks, communications, or other IT resources. They can also steal or destroy sensitive data.
Whether they know it or not, many companies are open to an insider threat. More than half of companies examined by Varonis had more than 1,000 sensitive files available to every employee, 17 percent of sensitive files were accessible to all employees, and more than one-third of users had a password that never expired.
Auditing PAM: Session Monitoring and Recording
Another type of PAM auditing involves session monitoring and recording. This could be used to review the activities of administrators during sessions.
For example, an auditor could review whether an Active Directory administrator is performing the right types of tasks. A PAM solution records what the administrator did during the session and can be configured so that, when particular commands or keystrokes appear (a change to a privileged group, for instance), a notification is sent to indicate that a review of the administrator’s activities is needed. Companies should also conduct periodic reviews to determine whether people are using their tools responsibly.
If an audit finds out that a user is overstepping his or her authorized access, companies can respond in a number of ways. The user’s access could be restricted or, if the malfeasance is significant, the user could be fired. Employing an escalation path for access policy violations would be beneficial, so management can take appropriate actions. And setting up an Identity Governance Committee can help by communicating and enforcing leadership's vision for identity access across all business units.
Auditing PAM: PAM Logs and SIEM Tools
PAM logs can be fed into a log management tool so they can be correlated with other security events in a Security Information and Event Management (SIEM) tool. They can also be used to carry out forensics after a security incident. Because the people being monitored are the administrators themselves, the logs should be forwarded to a store those administrators cannot alter, otherwise the audit trail is only as trustworthy as the rogue administrator allows it to be.
PAM can help prevent and detect a rogue administrator or an external attacker who has gained access to the network. PAM sees when a privileged account is checked out or a user escalates privileges, while a SIEM tool can detect lateral movement and reconnaissance activities by evaluating logs and traffic patterns.
An intruder who lands on an ordinary workstation usually has to escalate privileges and move laterally before reaching the data they are after, and a rogue administrator who wants to avoid scrutiny will try to use privileged credentials outside the PAM system. This is where PAM and SIEM work together: a privileged logon in the SIEM that no PAM checkout or session explains is exactly the event worth investigating.
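The PAM-to-SIEM correlation described above, as an added example that is not part of the original article or of any product: constructed PAM checkout records are matched against constructed privileged-logon events (the fields a SIEM would extract from Windows Security event 4672, “Special privileges assigned to new logon”), and every privileged logon that no PAM session covers is reported. The record layouts, account names, hosts, times and the two-minute clock-skew grace period are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed PAM checkout records: who checked out which privileged account,
# for which target host, and the session window. Made-up data, not any product's format.
PAM_SESSIONS = [
    {"id": "S-2001", "user": "jdoe", "account": "jdoe_adm", "host": "dc01",
     "start": "2024-03-04T09:00:00", "end": "2024-03-04T09:45:00"},
    {"id": "S-2002", "user": "msccm", "account": "msccm_adm", "host": "sccm01",
     "start": "2024-03-04T10:00:00", "end": "2024-03-04T11:00:00"},
]

# Constructed SIEM-side events: event 4672 reduced to the fields the correlation needs.
PRIV_LOGONS = [
    {"account": "jdoe_adm",   "host": "dc01",   "time": "2024-03-04T09:05:12"},  # inside S-2001
    {"account": "jdoe_adm",   "host": "fs01",   "time": "2024-03-04T09:20:00"},  # host not in any session
    {"account": "msccm_adm",  "host": "sccm01", "time": "2024-03-04T10:30:00"},  # inside S-2002
    {"account": "msccm_adm",  "host": "sccm01", "time": "2024-03-04T23:10:00"},  # no session open
    {"account": "svc_backup", "host": "dc01",   "time": "2024-03-04T09:10:00"},  # never brokered by PAM
]


def _t(s):
    return datetime.fromisoformat(s)


def covering_session(logon, sessions, grace=timedelta(minutes=2)):
    """Return the PAM session that explains this privileged logon, or None.

    A session covers a logon when account and host match and the logon time falls
    inside the checkout window, widened by a small grace period for clock skew
    between the PAM server and the monitored host.
    """
    when = _t(logon["time"])
    for s in sessions:
        if (s["account"] == logon["account"] and s["host"] == logon["host"]
                and _t(s["start"]) - grace <= when <= _t(s["end"]) + grace):
            return s
    return None


def unbrokered_privileged_logons(logons, sessions):
    """Privileged logons the PAM system did not broker.

    These are the candidates for a rogue admin using a cached or shared credential,
    or an attacker who has already escalated, and they are what the SIEM should alert on.
    """
    pam_accounts = {s["account"] for s in sessions}
    findings = []
    for logon in logons:
        if covering_session(logon, sessions) is None:
            reason = ("account never checked out via PAM" if logon["account"] not in pam_accounts
                      else "no PAM session covers this host/time")
            findings.append({**logon, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in unbrokered_privileged_logons(PRIV_LOGONS, PAM_SESSIONS):
        print(f"ALERT {f['time']} {f['account']}@{f['host']}: {f['reason']}")
```

The same join works in the other direction: a PAM session with no matching logon on the target host suggests the recorded session is not the one that actually happened, which is worth a look during forensics.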
How Identity Solutions Can Help with Auditing PAM
Companies get the most out of PAM solutions when they are kept as simple as possible. A company shouldn’t try to overcomplicate the PAM solution, but should instead focus on what it is trying to accomplish by using one.
PAM provides monitoring and oversight of privileged activity and a tamper-evident audit trail, provided the trail is stored where the monitored administrators cannot modify it. If a security incident or accidental data loss occurs, you will have a record of what happened and you will know where to look. A PAM tool keeps track of your administrators’ privileged access activity, so if you have a breach or other security incident that requires auditing to prove compliance, you will have the documentation within easy reach.
Identity Solutions can help you find the right PAM tool to take the uncertainty out of managing administrative privileges and establish cradle-to-grave auditing. We will assess how you are currently granting privileged access, then assist in choosing a solution that uses the latest PAM technology, like least-privilege permissions, session and change tracking, the most secure authentication and authorization security practices, and an audit trail that gives you peace of mind. Identity Solutions can help you find the right PAM solution and the auditing capabilities you need and make implementation a breeze.
When it comes to security and identity management solutions, understanding the differences between and key components of IAM, IGA, and PAM can get complicated. To simplify the information, we created a free infographic to help our readers learn which solution, or combination of solutions, is right for them. You can download the infographic and begin making an informed, data-driven decision on which security and identity management posture is best for your business.