Privileged Access Management - securing remote access
Privileged access management (PAM) is becoming a high-priority cyber defense capability. As organizations are under increasing strain due to destructive cyber attacks, it's becoming apparent that securing identities, especially privileged ones, is a priority.
Attackers naturally target privileged users, since those accounts grant access to all of a company's data and resources. The usual way to protect identities is to introduce identity management, which includes single sign-on (SSO) coupled with multi-factor authentication (MFA) and sometimes password vaulting. However, as privileged users typically reach sensitive systems via remote desktop (RDP) or remote shell (SSH) protocols, it also makes sense to introduce governance and session recording around all such access events.
By covering both human-to-machine access and machine-to-machine service accounts, organizations can thwart the attack vectors typically used when compromising a network, such as service account abuse, privilege escalation and lateral movement.
PAM solutions can work as software agents installed on each asset to be monitored, or as network-based inspection solutions. The latter involve segregating the servers at the network level so that no direct access is allowed other than via the PAM system. This is achieved either via a transparent in-line connection mode or a bastion host approach. Additionally, the system can discover directory accounts and automatically enforce password rotation based on a policy, so that access is only possible via the PAM system.
In the above case, an example PAM solution from Fudo Security acts as a proxy between users and monitored servers and registers users' actions, including mouse pointer moves, keystrokes and transferred files. PAM records the complete network traffic along with metadata, enabling precise session playback and full-text content search (e.g. in RDP sessions).
The PAM solution becomes the "portal" for all remote access, applied to both internal and external privileged users.
This introduces a new level of visibility for CIOs, as it also allows searching for particular text appearing or entered during a privileged session, as shown in the video below. It also enables viewing current connections and intervening in a monitored session in case of a potential misuse of access rights.
In addition to core privileged session monitoring features, a PAM solution should also:
manage secrets, i.e. automatically manage login credentials on monitored servers and change passwords periodically at specified time intervals (e.g. every hour), forcing users to obtain privileged access only via the PAM proxy;
allow for management approval workflows, also using mobile push notifications to grant privileged access on a just-in-time basis;
automatically discover managed accounts and onboard them into a quarantine or password rotation workflow via the secrets manager;
track users' actions and provide precise information on their activity and idle times, thus offering insights into administrators' productivity, particularly in outsourcing scenarios;
enable secure password exchange between applications in machine-to-machine scenarios;
offer analytics via machine learning to automate the detection of anomalous behavior in privileged sessions. Helping security admins and CIOs quickly identify and block suspicious activity is key in today's threat landscape.
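The session recording described above, with full-text search over captured keystrokes and the activity/idle time reporting listed among the required features, as an added example (not Fudo Security's code). It assumes a 5-minute idle threshold and works over constructed sample recordings embedded in the block.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str   # "keys" for captured keystrokes, "file" for a transferred file
    data: str   # typed text or transferred file name, as recorded by the proxy

@dataclass
class Session:
    user: str
    server: str
    events: list

def activity_summary(session, idle_after=timedelta(minutes=5)):
    """Split a recorded session into (active, idle) seconds.
    A gap between consecutive events longer than idle_after is idle time;
    shorter gaps are counted as time the user was actually working."""
    events = sorted(session.events, key=lambda e: e.ts)
    active = idle = 0.0
    for prev, cur in zip(events, events[1:]):
        gap = (cur.ts - prev.ts).total_seconds()
        if gap > idle_after.total_seconds():
            idle += gap
        else:
            active += gap
    return active, idle

def search_sessions(sessions, needle):
    """Case-insensitive full-text search over every recorded keystroke
    and file name; returns (user, server, timestamp) for each hit."""
    needle = needle.lower()
    return [(s.user, s.server, e.ts)
            for s in sessions for e in s.events
            if needle in e.data.lower()]

# Constructed sample recordings (hypothetical users and hosts).
T0 = datetime(2024, 1, 10, 9, 0, 0)
SESSIONS = [
    Session("alice", "db01", [
        Event(T0, "keys", "sudo systemctl status postgresql"),
        Event(T0 + timedelta(seconds=30), "keys", "psql -U postgres"),
        Event(T0 + timedelta(minutes=20), "keys", "\\q"),
        Event(T0 + timedelta(minutes=21), "file", "backup.sql"),
    ]),
    Session("bob", "web02", [
        Event(T0, "keys", "cat /etc/shadow"),
        Event(T0 + timedelta(seconds=10), "keys", "exit"),
    ]),
]
```

Running `search_sessions(SESSIONS, "shadow")` locates bob's session on web02, and `activity_summary(SESSIONS[0])` reports 90 s active and 1170 s idle for alice's session.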