
Privileged Account Management

Administrative Accounts—Securing the keys to the kingdom!

PHILIPP REISINGER, SBA RESEARCH


Contents

1 Introduction
2 Executive Summary
3 Risks of Privileged Accounts
4 What is PAM?
4.1 Main Functionalities
4.1.1 SAPM
4.1.2 PSM
4.1.3 SUPM
4.1.4 AAPM
4.2 Additional Capabilities
4.2.1 Auto-discovery
4.2.2 AD Bridging
4.2.3 Session Transcription, OCR and the ability to search logs
4.2.4 “Threat Analytics”
4.2.5 Dual Control—Four-eye-principle
4.2.6 Advanced Authentication Support
4.2.7 Cloud and Hypervisor Integration
4.2.8 SIEM Integration
4.3 Implementation Possibilities
5 PAM Vendor and Cost Overview
5.1 Important Vendors
5.1.1 CyberArk
5.1.2 BeyondTrust
5.1.3 ObserveIT
5.1.4 Thycotic
5.1.5 CA Technologies
5.1.6 BalaBit
5.1.7 Wallix
5.1.8 Dell
5.1.9 Hitachi ID Systems
5.1.10 Arcon
5.2 Vendor Map
5.3 Cost Estimate
6 Side Topics
6.1 Reporting and Review of Accounts
6.2 Logging and Monitoring
6.3 PAM High Availability
6.4 PAM Security
6.5 Privileged Third Party Access
6.6 Administrator Guideline
6.7 Dealing with Objections against Recording Capabilities
7 Appendix
7.1 List of References
7.2 List of Tables
7.3 List of Figures
7.4 List of Listings
8 Literature


1 Introduction

Privileged Account Management (PAM), often also referred to as Privileged Access (or

Identity) Management, is a very important topic which is lately receiving increasing

attention. It deals with the controlling, securing, managing and monitoring of

privileged accounts. Due to their far-reaching and often unlimited capabilities and system

access possibilities, administrative and service accounts are highly critical and play a key role in the security posture of every organization. With that in mind, it is not surprising

that privileged accounts are often referred to as “keys to the kingdom”.

Most of today’s severe cyberattacks and data breaches involve the abuse, compromise or

exploitation of administrative accounts. Privileged accounts are frequently abused, e.g., in

APT attacks for moving laterally through a victim’s network; they furthermore play an

important role regarding insider threats.

One prominent example for the “power” of privileged accounts are the data leaks initiated

and executed by Edward Snowden who was a system administrator and used his privileged

position to accomplish one of the highest-impact data breaches in recent history.1

The control of privileged accounts is a common audit requirement and an essential

component of various compliance mandates, which further underlines their importance and

the need to manage and secure them appropriately.

Main functionalities and features of PAM technologies include:

- secure centralized storage and management of account credentials
- controlling access to shared accounts
- recording and monitoring of privileged activities
- control and limitation of commands which can be executed by administrative users
- removal of privileged credentials from configuration files or scripts

Today PAM is most prevalent in the financial, insurance and IT services industry where it is

used to control, monitor and log administrative activities in order to comply with

regulations like PCI DSS or ISAE 3402. IT service providers—managing the infrastructure

for multiple customers—also leverage PAM capabilities in order to create an audit trail and

to provide customers with assurance and visibility (who has access and which actions are

performed).

1 https://en.wikipedia.org/wiki/Edward_Snowden#NSA_sub-contractee_as_an_employee_for_Dell


Questions?

If you have any questions or comments regarding this document, feel free to contact me.

Philipp Reisinger

SBA Research gGmbH

+43 1 505 36 88 – 1305

[email protected]


2 Executive Summary

Potential abuse and exploitation of administrative accounts as well as regulatory

requirements are pressuring enterprises to secure their privileged accounts. In the wrong

hands, privileged accounts can represent one of the biggest threats to an enterprise’s

security since far-reaching and often unlimited capabilities are associated with them.

Their capabilities can for example be used to override

security measures, breach data, perform unauthorized or

malicious changes resp. transactions and hide those

activities by deleting audit logs.

Privileged accounts exist in every organization and in many forms and shapes. Examples range from the root account in Unix or Linux environments and Windows administrator accounts (local or domain-wide) to accounts used for the administration of databases or applications, and to accounts for network devices, security technologies, cloud platforms or third parties and vendors.

PAM deals with the critical tasks of controlling, securing, managing and monitoring these privileged accounts. Therefore, main functionalities and features of PAM technologies include:

- discovery of privileged accounts
- secure centralized storage and management of account credentials
- automatically changing account credentials at regular intervals
- controlling access to shared accounts
- providing access to shared or administrative accounts without permanently disclosing the password
- recording and monitoring of privileged activities
- control and limitation of commands which can be executed by administrative users
- removal of privileged credentials from configuration files and scripts

Control and management of privileged accounts is an important topic covered by many standards and recommendations, for example ISO 27001/27002, NIST SP 800-53, PCI DSS and the CIS Top 20 Critical Controls.

This whitepaper provides an overview over the topic of Privileged Account Management, a

description of the technical capabilities and features offered by common solutions as

well as a list of vendors and pricing scenarios.

“The misuse of administrative privileges is a primary method for attackers to spread inside a victim’s network.” (CIS Critical Security Controls)


3 Risks of Privileged Accounts

Due to their often unlimited capabilities and system access possibilities, administrative

and service accounts are highly critical and play a key role in the security posture of every

organization.

Most of today’s severe cyberattacks and data breaches involve the abuse, compromise and

exploitation of administrative accounts. Risks associated with the abuse or misuse of

privileged accounts are manifold and include, but are not limited to the following

points:

- Insider Threat
  o data theft (the Snowden and the Bradley Manning leaks are two of the most prominent examples)
  o theft of trade secrets
  o unauthorized access, modification or deletion of critical information
  o placement of logic bombs2 in scripts or applications
- Overriding Security Measures
  o usage of privileged accounts to override or disable security measures
- Manipulation of Audit Logs
  o administrative access can be abused to manipulate audit logs and hide malicious activities
- Malware Abusing Privileged Accounts
  o malware can cause much more damage if executed with elevated privileges
- Compromise and Abuse by Hackers
  o privileged accounts are one of the main targets of hacking activities
- Usage for Lateral Movement in APT Attacks3
- Uncontrolled Access and Lacking Oversight over Persons Having Access to Privileged Accounts
  o In many organizations it is not clear who (of the many individuals) has access to administrative accounts, or which privileged accounts even exist within the infrastructure. This is especially a risk if these accounts are used in a generic, non-personalized way (shared administrative accounts), which causes (adverse) changes to be overlooked and to be untraceable to a specific person.
- Third Parties or Vendors with Capabilities for Privileged Access
  o Often third parties or vendors have privileged access to an organization’s applications or infrastructure. The Target breach is a good example, in which credentials of a vendor responsible for HVAC maintenance were used for the initial compromise.4

2 A famous example is the Fannie Mae logic bomb: On October 24, 2008, a UNIX engineer at Fannie Mae named Babubha Makwana was informed that he would be let go from the company at the end of the day. Rather than following the best practice of immediately revoking all system access and escorting him from the building, Fannie Mae allowed Makwana to stay on site and finish the work day. During this time, he created a series of scripts that could have caused enormous damage to the company upon execution by first disabling monitoring, then disabling all system access to Fannie Mae’s 4,000 servers, and finally wiping all data from the servers and their backup systems. The code that was to launch the series of scripts (set to trigger on January 31, 2009) was embedded in a key script that ran every morning. Fortunately for Fannie Mae, another engineer found the embedded logic bomb before it went off and alerted the authorities. (Source: https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890); for more examples see http://www.infoworld.com/article/2621894/it-management/it-admins-gone-wild--5-rogues-to-watch-out-for.html

4 What is PAM?

Privileged Account Management (PAM) deals with the controlling, securing, managing

and monitoring of privileged, administrative, shared and service accounts which are

highly critical in regard to the security posture of a company.

Privileged accounts exist in every organization in many forms and shapes and include

for example the root account in Unix or Linux environments, Windows administrator

accounts (local or domain-wide), accounts used for the administration of databases or

applications as well as accounts for network devices, security technologies, cloud

platforms or third parties and vendors.

4.1 Main Functionalities

According to the Gartner Market Guide for Privileged Access Management5, there are four main functionalities of PAM solutions:

- Shared account password management (SAPM): Securely store and manage account passwords and control access to shared accounts.
- Privileged session management (PSM): Establish privileged sessions to multiple systems (often leveraging SSO) and/or monitor as well as record their activity.
- Superuser privilege management (SUPM): Enable fine-grained filtering of commands and actions which administrators are allowed to perform.
- Application-to-application password management (AAPM): Eliminate hard-coded passwords used by applications or scripts.

3 For example: http://www.cyberark.com/blog/keys-kingdom-credentials-lateral-movement/
4 See http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ and http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
5 Gartner Market Guide for Privileged Access Management 2015

Figure 1 Main PAM functionalities

4.1.1 SAPM

Shared account password management provides a hardened and encrypted password

safe or vault which can be used to centrally store administrative, service and shared

account credentials or keys.6 The stored credentials can be automatically changed at

regular intervals based on a predefined policy. SAPM also enables enforcement of a

password policy (regarding password length, complexity, change intervals, etc.).

SAPM features manage logins to these accounts. After a user authenticates to the solution, logins are for example handled via SSO or by providing the user with the required credentials; this can be done on a check-in/check-out basis. Logins ideally happen without disclosing the password to the user. It is also possible to automatically change a password every time it has been disclosed. This feature enables shared account usage without permanently disclosing the password of the shared account, and provides traceability via check-in/check-out logs.

6 With some tools (e.g., Thycotic or CyberArk) it is also possible to use the vault to store credentials for authenticated vulnerability scanning.

SAPM also provides an audit trail of account usage. Additionally, workflow features and

functionalities to request and authorize account access (sometimes with integration in IT

service management tools to verify access requests) are often included.

4.1.2 PSM

Privileged session management offers two main functionalities. First, it is used to establish privileged sessions, so that all administrative activity is routed through one central point; a proxy/gateway approach is most common. Second, PSM enables session monitoring and recording (recording of command input and output, video recording of graphical sessions).

Most PSM tools offer various possibilities to transcribe the recorded sessions (e.g., OCR of recorded videos) and to enrich these recordings with additional metadata, often collected with an agent (examples include windows opened, text entered or copied, commands and applications executed, file names, URLs, system calls, resources affected, etc.). Finally, they offer various capabilities to monitor and search these recordings.

When researching PSM technologies it is important to pay attention to which protocols are covered (e.g., SSH, RDP, Telnet, Citrix, VNC) and to think about deployment and integration options in order to make sure that administrative activities, at least on critical servers and infrastructure components, can only be conducted via the PSM solution, i.e. that monitoring can’t be avoided by establishing a direct connection to the target servers.
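The preventive side of this is network and sshd configuration (only the PSM gateway addresses may reach port 22 on the targets). The detective side, which catches misconfigured hosts and emergency "just this once" connections, is a check over the targets' own authentication logs. The following is an added example written for this page, not code from any product mentioned here; the sshd log lines, the gateway network and the list of privileged users are constructed for the example.

```python
"""Detect administrative logins that bypassed the PSM gateway (added example).

Parses sshd "Accepted ..." lines and flags successful logins of privileged
users whose source address is not a PSM gateway. Sample data is constructed.
"""
import ipaddress
import re

# Constructed sample of sshd authentication events (syslog format).
SAMPLE_LOG = """\
Mar 28 09:12:01 db01 sshd[2211]: Accepted publickey for root from 10.0.5.10 port 51022 ssh2: ED25519 SHA256:ExampleFingerprint
Mar 28 09:14:44 db01 sshd[2290]: Accepted password for oracle from 10.0.7.33 port 40110 ssh2
Mar 28 09:15:03 web02 sshd[1101]: Accepted publickey for deploy from 10.0.5.11 port 50012 ssh2
Mar 28 09:16:40 db01 sshd[2301]: Failed password for admin from 203.0.113.9 port 4444 ssh2
Mar 28 09:18:12 web02 sshd[1140]: Accepted publickey for alice from 10.0.9.21 port 61000 ssh2
"""

# Address range of the PSM proxies/gateways (assumed); anything else is a direct connection.
GATEWAYS = [ipaddress.ip_network("10.0.5.0/28")]

# Accounts considered privileged on the monitored hosts (assumed).
PRIVILEGED_USERS = {"root", "oracle", "deploy", "admin"}

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def is_gateway(addr: str) -> bool:
    """True if the source address belongs to one of the PSM gateway networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in GATEWAYS)


def find_bypasses(log_text: str, privileged=PRIVILEGED_USERS) -> list:
    """One finding per successful privileged login that did not come through a
    gateway. Failed attempts are ignored: they belong to brute-force detection,
    not to PSM coverage."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        if m["user"] in privileged and not is_gateway(m["src"]):
            findings.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                             "src": m["src"], "method": m["method"]})
    return findings


if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"PSM bypass: {f['user']}@{f['host']} from {f['src']} ({f['method']}) at {f['time']}")
```

Run against real data, the input would be the forwarded auth logs (or the SIEM's copy of them) and the gateway list would come from the PSM deployment; a password login of a privileged account from outside the gateway range, as in the second sample line, is exactly the event a recording-based control cannot see.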

4.1.3 SUPM

Superuser privilege management functionalities are mainly used to control and restrict

the commands which can be executed by an administrative user. They can also enable

“normal” users to run privileged commands (via methods similar to sudo or run as).

It must be noted that creating and maintaining SUPM policies of commands which administrators are or are not allowed to execute (basically whitelists and blacklists) can be a labor-intensive task. A sometimes recommended approach is to monitor for regularly used commands and allow only these to be executed; however, since not all commands are needed equally often, this can lead to over-restrictive policies which hinder administrative activities.

SUPM can be run in preventive or detective mode. The detective mode can be used to only

report and not block the usage of commands which are not allowed, thereby making it

possible to investigate if a command was used for illicit purposes or if the SUPM policy is

set too tight for an administrator to fulfill his/her job.

Compared to SAPM and PSM, integrating SUPM functionality is, according to Gartner, much more time-consuming.
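To make the preventive/detective distinction and the whitelisting pitfalls concrete, here is a minimal SUPM-style command filter. It is an added example written for this page, not any vendor's policy engine; the roles, allowlists and the set of shell-escaping programs are constructed for the example. Note the two classic ways a command allowlist is defeated: metacharacters that turn one command into several, and programs such as editors and pagers that hand out an interactive shell.

```python
"""Command filtering in preventive ("enforce") and detective ("audit") mode (added example)."""
import re
import shlex
from dataclasses import dataclass
from fnmatch import fnmatch

# Characters that let a single "command" become several if a wrapper hands
# the string to a shell.
SHELL_META = re.compile(r"[;&|`<>]|\$\(")

# Programs that spawn a shell or let the user escape to one; any of these in an
# allowlist turns a narrow policy into unrestricted root.
SHELL_ESCAPES = {"sh", "bash", "zsh", "dash", "vi", "vim", "less", "more", "man", "find"}

# Constructed policy: glob patterns over the normalized command line.
POLICY = {
    "dba": {
        "allow": ["systemctl restart postgresql*", "systemctl status *",
                  "journalctl -u postgresql*", "pg_ctl *", "cat /var/log/postgresql/*"],
        "mode": "enforce",
    },
    "webops": {
        "allow": ["systemctl restart nginx", "nginx -t", "tail -n * /var/log/nginx/*"],
        "mode": "audit",    # run everything, but report violations while tuning
    },
}


@dataclass
class Decision:
    run: bool        # whether the command is executed
    action: str      # "allow", "block" or "alert"
    reason: str


def evaluate(role: str, command: str) -> Decision:
    """Decide what the SUPM layer does with one requested command."""
    policy = POLICY[role]
    mode = policy["mode"]

    def violation(reason: str) -> Decision:
        if mode == "enforce":
            return Decision(False, "block", reason)
        return Decision(True, "alert", reason)   # detective mode: run and report

    if SHELL_META.search(command):
        return violation("shell metacharacters in command")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return violation(f"unparseable command: {exc}")
    if not argv:
        return violation("empty command")
    prog = argv[0].rsplit("/", 1)[-1]            # /usr/bin/vim -> vim
    if prog in SHELL_ESCAPES:
        return violation(f"{prog} can spawn a shell")
    normalized = " ".join(argv)
    if any(fnmatch(normalized, pat) for pat in policy["allow"]):
        return Decision(True, "allow", "matched allowlist")
    return violation("not in allowlist")


if __name__ == "__main__":
    for role, cmd in [("dba", "systemctl restart postgresql"), ("dba", "vim /etc/postgresql/postgresql.conf"),
                      ("dba", "systemctl restart postgresql; bash"), ("webops", "vim /etc/nginx/nginx.conf")]:
        d = evaluate(role, cmd)
        print(f"{role:7} {cmd!r:45} -> run={d.run} {d.action}: {d.reason}")
```

The "webops" role shows the tuning workflow described above: the same editor invocation that is blocked for "dba" is executed for "webops" but produces an alert, so the policy owner can decide whether the command was illegitimate or the allowlist is too tight, before switching the role to enforce.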

4.1.4 AAPM

Application-to-application password management is geared towards eliminating hard-coded passwords from configuration files, applications or scripts (e.g., for connecting to a database). AAPM features work in combination with SAPM and enable the credentials to be queried from the password vault using an API. This makes the modification and testing of scripts necessary, but removes the significant security risk of passwords stored in scripts or configuration files being abused for illicit purposes. Additionally, it enables organizations to regularly change the associated password without having to modify the affected scripts, applications or configuration files.

The challenge for AAPM is that the script must authenticate to the vault. Placing other credentials in the script is not really a solution. Real AAPM technologies recognize or identify the script by its unique fingerprint or by other information such as signatures, the host and directory it is executed from, the user ID, etc.

Compared to SAPM and PSM, integrating AAPM functionality can also be a bigger challenge.

4.2 Additional Capabilities

Additional capabilities and features of PAM solutions often include, but are not limited to

the following:

4.2.1 Auto-discovery

The auto-discovery feature is used for the automated discovery of administrative and

service accounts (across Windows, Unix/Linux, applications and network devices). It is

included in many solutions.

It must be noted that auto-discovery is not an exact science and will most likely not detect all privileged accounts, which means that additional manual work and discovery is necessary.

It is recommended to conduct discovery scans not only once, but to scan regularly (or continuously) for newly created or provisioned accounts. Privileged account creation is an event which should be closely monitored, since, for example, during many large breaches the attackers created their own privileged accounts. In some cases, auto-discovery can also be used to search for credentials in configuration files.

Examples for stand-alone, free and quick assessments tools which offer auto-discovery

functionality are CyberArk DNA (Discovery and Audit) 7 and the Thycotic privileged

account discovery tool for Windows8.
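The following added example shows the kind of check a discovery run performs on a Unix host and why the result still needs a human: it pulls root-equivalent accounts out of passwd, group and sudoers data (UID 0 accounts, members of administrative groups, unrestricted sudo rules) and greps a configuration fragment for embedded credentials. It is written for this page, not taken from the tools named above, and all input is constructed; in use the same functions would read the files collected from each host.

```python
"""Discovering privileged accounts and embedded credentials (added example)."""
import re

# Constructed /etc/passwd: note the second UID-0 account, a classic backdoor.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
oracle:x:1001:1001::/home/oracle:/bin/bash
backup:x:1002:1002::/var/backups:/bin/sh
www-data:x:33:33::/var/www:/usr/sbin/nologin
alice:x:1003:1003::/home/alice:/bin/bash
"""

# Constructed /etc/group.
GROUP = """\
root:x:0:
wheel:x:10:oracle,alice
sudo:x:27:
"""

# Constructed sudoers fragment: only the last rule is narrowly scoped.
SUDOERS = """\
# /etc/sudoers fragment
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
"""

# Constructed application configuration with two embedded passwords.
APP_CONFIG = """\
[database]
host = db01.internal
user = erp_app
password = Summer2015!
[smtp]
relay = mail.internal
# api_key = <redacted>
connection_string = Server=db02;User Id=sa;Password=Pa55w0rd;
"""

ADMIN_GROUPS = {"wheel", "sudo", "root"}
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[=:]\s*([^\s;]+)")


def privileged_accounts(passwd: str, group: str, sudoers: str) -> dict:
    """Map each account (or 'group X') to the reasons it counts as privileged."""
    reasons: dict = {}

    def add(who, why):
        reasons.setdefault(who, []).append(why)

    for line in passwd.splitlines():
        name, _pw, uid, *_ = line.split(":")
        if uid == "0":
            add(name, "uid 0")
    for line in group.splitlines():
        gname, _pw, _gid, members = line.split(":")
        if gname in ADMIN_GROUPS:
            for m in filter(None, members.split(",")):
                add(m, f"member of {gname}")
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, rule = line.split(None, 1)
        if rule.rstrip().endswith(" ALL"):          # unrestricted command set
            add(f"group {who[1:]}" if who.startswith("%") else who, "sudo ALL")
    return reasons


def embedded_credentials(text: str) -> list:
    """(line number, key, value) for credential-looking assignments, skipping placeholders."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            key, val = m.group(1).lower(), m.group(2)
            if val.startswith("<") and val.endswith(">"):
                continue
            hits.append((n, key, val))
    return hits


if __name__ == "__main__":
    for who, why in privileged_accounts(PASSWD, GROUP, SUDOERS).items():
        print(f"{who:14} {', '.join(why)}")
    for n, key, val in embedded_credentials(APP_CONFIG):
        print(f"config line {n}: {key} = {val!r}")
```

Even on this small input the limits of automation show: "toor" is only suspicious because a human knows there should be exactly one UID 0 account, the sudoers check ignores aliases and `#include` files, and the credential regex would miss a password passed in a base64 blob or a non-English key name. Those are the gaps the text means when it says manual discovery remains necessary.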

4.2.2 AD Bridging

AD Bridging tools facilitate the management of users and groups on Unix or Linux machines via Active Directory (sometimes they also support some GPOs). This enables users created in AD to log in to non-Windows systems. For this to work, an agent must be installed on the respective Unix or Linux systems.

4.2.3 Session Transcription, OCR and the ability to search logs

In regard to PSM functionalities, some vendors offer advanced transcription features of

the recorded session as well as sophisticated possibilities to search logs and jump forward

or backward in the recorded videos based on activities and metadata. In such cases, local

agents are often used in order to collect additional metadata.

4.2.4 “Threat Analytics”

“Threat analytics” features facilitate the behavioral analysis of privileged accounts. Their

goal is to learn what the normal and expected behavior of these accounts looks like. Based

on that they then look for deviations, unusual behavior and anomalies which can indicate

that “something bad” is happening or that the account was hijacked and is involved in

attack activities.

4.2.5 Dual Control—Four-eye-principle

The dual control feature enhances PSM functionalities. When trying to open a connection to a highly sensitive system (possibly the connection of an external maintenance technician), an approver first has to authorize the session before it can be established. The approver is also able to conduct live monitoring and even terminate the session.

7 http://www.cyberark.com/cro-free-risk-assessment/
8 https://thycotic.com/solutions/free-windows-privileged-account-discovery-tool/

4.2.6 Advanced Authentication Support

This functionality encompasses the support for advanced authentication methods like

two-factor authentication or Smartcards when users are accessing credentials stored in

the SAPM password vault.

Vendors, for example CA Technologies, also support the integration with products that

offer risk-based authentication features9.

4.2.7 Cloud and Hypervisor Integration

Beside the management of “traditional” privileged accounts, some solutions also focus on securing administrative accounts in cloud infrastructure (auto-discovery of cloud infrastructure, fine-grained management of IaaS and PaaS administrative operations). Another aspect is the integration with and control of hypervisor permissions (e.g., which guest images an administrator can start, stop, migrate and remove, and also when, from where, etc.).

A tightly related aspect is the management of social media account credentials which are

often shared among multiple users (in the marketing department). They are usually

considered very valuable and their compromise can have severe and very visible

consequences (e.g., if they are used by hackers to spread malware or false and

inappropriate messages).

4.2.8 SIEM Integration

Most PAM technologies can be integrated with SIEM systems to send detailed usage data

and events to be analyzed and correlated against other information. Some PAM solutions,

for example CyberArk, can also ingest SIEM data and use it within the Threat Analytics

assessment of account behavior.

9 Risk-based authentication solutions provide a risk score for each attempted authentication that can help determine whether an account login is benign or could be performed by an attacker. In these cases, additional “step-up authentication” methods could be required, the attempt could simply be rejected, or an alarm could be raised. When attackers authenticate to a system, there are often contextual factors that could, if recognized, raise a warning about the validity of the authentication. For example, if someone from Finance working in New York suddenly logs in from Russia, or if someone logs in from Rome two hours after logging out in New York, it is clear that a fraudulent authentication is in progress. Sources:
http://www.ca.com/content/dam/ca/us/files/white-paper/dealing-with-insider-threats-to-cyber-security.pdf
http://searchsecurity.techtarget.com/definition/risk-based-authentication-RBA
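The "Rome two hours after New York" case in the footnote above is the impossible-travel signal that risk-based authentication products compute. As an added example (written for this page, not taken from the CA Technologies material cited), the function below orders geolocated authentication events per account and reports consecutive logins whose great-circle distance divided by elapsed time exceeds a plausible travel speed. The events and the IP-to-coordinates table are constructed; a real system would obtain coordinates from an IP geolocation service.

```python
"""Risk-based authentication signal: impossible travel between consecutive logins (added example)."""
import math
from datetime import datetime

# Constructed IP -> (city, lat, lon) lookup standing in for a GeoIP service.
GEO = {
    "198.51.100.7": ("New York", 40.7128, -74.0060),
    "203.0.113.45": ("Rome", 41.9028, 12.4964),
    "192.0.2.88": ("Boston", 42.3601, -71.0589),
}

# Constructed authentication events: (account, UTC timestamp, source IP).
EVENTS = [
    ("finance.user", "2018-03-28T14:00:00", "198.51.100.7"),
    ("finance.user", "2018-03-28T16:00:00", "203.0.113.45"),
    ("ops.admin", "2018-03-28T09:00:00", "198.51.100.7"),
    ("ops.admin", "2018-03-28T10:00:00", "192.0.2.88"),
]

MAX_KMH = 900.0   # roughly airliner cruising speed; faster than this is not travel


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km on a spherical Earth (R = 6371 km)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events, geo=GEO, max_kmh=MAX_KMH) -> list:
    """Findings for consecutive logins of one account that imply a speed above max_kmh."""
    by_account: dict = {}
    for account, ts, ip in events:
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), ip))
    findings = []
    for account, evs in by_account.items():
        evs.sort()
        for (t1, ip1), (t2, ip2) in zip(evs, evs[1:]):
            c1, lat1, lon1 = geo[ip1]
            c2, lat2, lon2 = geo[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0:
                speed = km / hours
            else:                       # simultaneous logins: impossible only if apart
                speed = float("inf") if km > 0 else 0.0
            if speed > max_kmh:
                findings.append({"account": account, "from": c1, "to": c2,
                                 "km": round(km), "hours": round(hours, 2), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(EVENTS):
        print(f"{f['account']}: {f['from']} -> {f['to']}, {f['km']} km in {f['hours']} h "
              f"(~{f['kmh']} km/h)")
```

New York to Boston in an hour (about 300 km/h) passes; New York to Rome in two hours (about 6900 km, over 3000 km/h) is reported, which a risk engine would turn into step-up authentication, a rejection or an alert. VPN exit nodes and mobile carriers geolocate poorly, so in practice this signal feeds a score rather than blocking on its own.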


Other features include mobile app support (does the solution provide a mobile app for accessing the password safe, possibly also in offline mode?), support for multitenancy (especially important for IT service providers) and SSH key management.

4.3 Implementation Possibilities

Most vendors support a diverse array of implementation capabilities. Important

questions to consider are:

- whether the solution is deployed agent-based or agentless,
- whether it acts as a proxy/gateway or is host-based, and
- whether it is deployed on site (e.g., as a hardened appliance or virtual appliance), as software only, or entirely cloud-based (some vendors have SaaS-based offerings).

Each of these possibilities has its own (dis)advantages which should be carefully compared against one’s own requirements before coming to a decision.

5 PAM Vendor and Cost Overview

This chapter provides a PAM vendors and pricing overview.

5.1 Important Vendors

The following list comprises selected PAM vendors and is intended as a starting point for further research and analysis when planning to acquire a PAM tool. Please note that the tools might not cover all functionalities and capabilities described in sections 4.1 and 4.2.

5.1.1 CyberArk

CyberArk10 is a large vendor with a comprehensive portfolio covering all of the PAM main

functionalities (SAPM, PSM, SUPM, AAPM).

5.1.2 BeyondTrust

BeyondTrust11 is one of the largest vendors with a huge portfolio covering all of the PAM

main functionalities (SAPM, PSM, SUPM, AAPM).

10 http://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
11 https://www.beyondtrust.com/products/powerbroker-password-safe/

5.1.3 ObserveIT

ObserveIT12 is a vendor who focuses on PSM. They offer very advanced search, logging

and session recording features. In addition to the monitoring of privileged users the

company lately started to offer insider threat detection and management software.

5.1.4 Thycotic

Thycotic13 is a vendor who focuses on SAPM and AAPM functionalities. They are highly

regarded for their AAPM functionalities.

5.1.5 CA Technologies

CA Technologies14 is a large vendor with a comprehensive portfolio covering all of the

PAM main functionalities (SAPM, PSM, SUPM, AAPM). In the Forrester Wave for Privileged

Identity Management15 CA Technologies is described as the leading vendor. In 2015, CA

Technologies acquired Xceedium who also provided comprehensive PAM functionalities

especially for virtualized, cloud and hybrid environments which are now being integrated

in the CA Technologies portfolio.

5.1.6 BalaBit

BalaBit16 is a vendor who mainly focuses on PSM. They offer advanced search, logging and

session recording features.

5.1.7 Wallix

Wallix17 is a vendor who mainly focuses on PSM. They offer advanced search, logging and

session recording features.

5.1.8 Dell

Dell 18 is a large vendor with a comprehensive portfolio covering all main PAM

functionalities (SAPM, PSM, SUPM, AAPM).

12 http://www.observeit.com/de/solutions/privileged-user-monitoring
13 https://thycotic.com/products/secret-server/
14 http://www.ca.com/de/products/privileged-access-management.html?intcmp=headernav
15 The Forrester Wave: Privileged Identity Management 2014
16 https://www.balabit.com/de/network-security/scb/features
17 http://www.wallix.com/en/produits-2/wallix-adminbastion-en
18 http://software.dell.com/solutions/privileged-management/

5.1.9 Hitachi ID Systems

Hitachi ID Systems19 offer SAPM, PSM and AAPM capabilities.

5.1.10 Arcon

Arcon20 is a vendor who covers all of the PAM main functionalities (SAPM, PSM, SUPM,

AAPM).

Other vendors are, for example, IBM, Centrify, Bomgar, Osirium, Lieberman Software, Master SAM and NRI Secure.

5.2 Vendor Map

This map shows the countries of origin of various PAM vendors. The majority of vendors are located in the USA, while there are also some European PAM solutions on the market.

Figure 2 Map of PAM vendors by Security Architects21

19 https://hitachi-id.com/privileged-access-manager/
20 https://www.arconnet.com/products/privileged-identity-management
21 http://www.slideshare.net/danb02/privileged-access-management-pam

5.3 Cost Estimate

PAM vendors work with very diverse pricing models, based on the provided functionalities and on varying metrics, e.g., the number of privileged users, managed target systems and accounts, the number of simultaneous sessions, delivery options (physical or virtual appliance, SaaS), and deployment types (host- or gateway-based).22

Perpetual licenses for on-site deployments (via software and physical or virtual appliances) are the most common, while some vendors also offer subscription-based pricing models. [23]

The table below summarizes average pricing information, based on inquiries made by Gartner in 2015. Given the high variability in pricing, it serves only as a rough estimate.

Figure 3 Gartner Market Guide Privileged Access Management

6 Side Topics

The following chapter deals with selected side topics closely related to PAM.

6.1 Reporting and Review of Accounts

As required by many standards and best practice guidelines, existing privileged accounts have to be reviewed regularly. PAM tools with an auto-discovery functionality can support this process, but organizations must keep in mind that these features are not perfect and that not all accounts (e.g., accounts on systems the tool cannot reach, or embedded application credentials) can be discovered in an automated way; the discovered inventory therefore has to be complemented manually.

[22] Gartner Market Guide for Privileged Access Management 2015
[23] Gartner Market Guide for Privileged Access Management 2015

The review should check whether the account is still needed (orphaned accounts are a security risk, and orphaned administrative accounts even more so) and who the accountable person is, so that every account is tied to a specific individual. If there is a valid reason for an account to be shared, access to it can still be made traceable to individual persons via SAPM functionalities, i.e., by forcing every use through a check-out from the password vault.

The reviews must be executed regularly to make sure that administrators or third parties who no longer work with the company do not continue to have access to sensitive resources.

Reporting should enable organizations to provide auditors with documentation on which administrator has access to which systems.
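The review checks described in this section, as an added example that is not code from the white paper or from any PAM product: it runs the checks (accountable person, person still active, shared account traceable through the vault, account still in use) over a constructed account inventory and a constructed HR roster, and builds the "who has access to what" view auditors ask for. The record layout, the names, the 90-day staleness threshold and the review date are assumptions for illustration; a real run would feed in the PAM tool's discovery export plus the manually maintained accounts, and the roster from HR or the identity management system.

```python
"""Regular review of privileged accounts (section 6.1). Added example, not
code from the SBA Research white paper or from any PAM product. All inputs
below are constructed for illustration."""
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Set


class Account(NamedTuple):
    system: str
    name: str
    owner: Optional[str]        # accountable person; None means nobody is assigned
    last_login: Optional[date]  # None means the account has never logged in
    shared: bool                # True if several administrators use the account
    vaulted: bool               # True if every use goes through SAPM check-out


class Finding(NamedTuple):
    system: str
    name: str
    code: str
    detail: str


# Constructed inventory (assumption: discovery export plus manual additions).
INVENTORY = [
    Account("srv-db01", "root", "j.smith", date(2016, 2, 20), False, True),
    Account("srv-db01", "oracle", None, date(2016, 1, 15), True, False),
    Account("ad.example", "svc_backup", "m.mueller", date(2015, 10, 1), False, True),
    Account("fw-edge", "admin", "a.weber", None, True, True),
    Account("srv-web02", "root", "a.weber", date(2016, 2, 28), False, True),
]

# Constructed HR roster: people currently allowed to hold privileged access.
ACTIVE_PEOPLE = {"j.smith", "a.weber"}

REVIEW_DATE = date(2016, 3, 1)   # assumption: the day the review is run


def review(inventory: List[Account], active_people: Set[str],
           today: date, stale_after_days: int = 90) -> List[Finding]:
    """Apply the section 6.1 checks to every account and return the findings."""
    findings: List[Finding] = []
    for a in inventory:
        if a.owner is None:
            findings.append(Finding(a.system, a.name, "UNASSIGNED",
                                    "no accountable person recorded"))
        elif a.owner not in active_people:
            findings.append(Finding(a.system, a.name, "ORPHANED",
                                    f"owner {a.owner} is no longer active"))
        if a.shared and not a.vaulted:
            findings.append(Finding(a.system, a.name, "SHARED_NOT_VAULTED",
                                    "shared account outside SAPM; use cannot be traced to a person"))
        if a.last_login is None:
            findings.append(Finding(a.system, a.name, "STALE", "never logged in"))
        elif (today - a.last_login).days > stale_after_days:
            findings.append(Finding(a.system, a.name, "STALE",
                                    f"last login {a.last_login.isoformat()}"))
    return findings


def report_for_auditors(inventory: List[Account]) -> Dict[str, Set[str]]:
    """Map each accountable person to the accounts they hold (account@system)."""
    access: Dict[str, Set[str]] = {}
    for a in inventory:
        access.setdefault(a.owner or "<unassigned>", set()).add(f"{a.name}@{a.system}")
    return access


def run_review() -> List[Finding]:
    """Run the review over the constructed inputs."""
    return review(INVENTORY, ACTIVE_PEOPLE, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.code:<20} {f.name}@{f.system}: {f.detail}")
    for person, accounts in sorted(report_for_auditors(INVENTORY).items()):
        print(person, sorted(accounts))
```

With the constructed data the run flags the unassigned, non-vaulted shared oracle account, the orphaned and stale svc_backup account of a departed owner, and the never-used firewall admin account; the two root accounts with active owners produce no finding. The point of keeping the "accountable person" and "vaulted" attributes separate is that a shared account is acceptable only when the second one is true.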

6.2 Logging and Monitoring

The logging and monitoring of administrative activities is very important, and PSM tools offer various capabilities in this area. Nevertheless, recording alone is not enough: the logs and session records have to be analyzed at regular intervals. For this analysis, organizations have to develop corresponding processes and workflows (responsibilities, intervals, events to look for, etc.).

Integrating PAM information into SIEM systems can furthermore provide the security monitoring team with a valuable data source, since a privileged session can then be correlated with the change tickets, authentication events and alerts of the same time frame.
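An added example of the kind of regular analysis this section calls for; it is not code from the white paper or from any PSM product. It runs three constructed rules (privileged session without a change ticket outside the maintenance window, session opened by someone not approved for that target, command that changes who holds privileges) over a constructed PSM event export and emits the findings as JSON lines, the form in which they could be forwarded to a SIEM. The event schema, the 20:00 to 06:00 window, the approved-admin table and the command list are all assumptions; a real deployment reads the product's own export and encodes the organization's actual processes.

```python
"""Regular analysis of PSM session records (section 6.2). Added example, not
code from the SBA Research white paper or from any PSM product. Event format,
rules and data are constructed for illustration."""
import json
from datetime import datetime, time
from typing import Dict, List

# Constructed PSM export: one JSON object per event, as a SIEM forwarder might see it.
RAW_EVENTS = """\
{"ts": "2016-03-01T23:05:00", "user": "j.smith", "target": "srv-db01", "account": "root", "event": "session_start", "ticket": "CHG-1042"}
{"ts": "2016-03-01T23:07:12", "user": "j.smith", "target": "srv-db01", "account": "root", "event": "command", "detail": "systemctl restart postgresql"}
{"ts": "2016-03-01T23:20:00", "user": "j.smith", "target": "srv-db01", "account": "root", "event": "session_end"}
{"ts": "2016-03-02T14:10:00", "user": "a.weber", "target": "fw-edge", "account": "admin", "event": "session_start", "ticket": null}
{"ts": "2016-03-02T14:11:30", "user": "a.weber", "target": "fw-edge", "account": "admin", "event": "command", "detail": "useradd -m tmpadmin"}
{"ts": "2016-03-02T14:12:00", "user": "a.weber", "target": "fw-edge", "account": "admin", "event": "session_end"}
{"ts": "2016-03-02T03:00:00", "user": "m.mueller", "target": "srv-web02", "account": "root", "event": "session_start", "ticket": "CHG-1050"}
"""

# Assumption: routine changes are expected between 20:00 and 06:00.
MAINTENANCE_WINDOW = (time(20, 0), time(6, 0))

# Assumption: who is approved to open a privileged session on which target.
APPROVED_ADMINS = {
    "srv-db01": {"j.smith"},
    "fw-edge": {"a.weber"},
    "srv-web02": {"j.smith", "a.weber"},
}

# Commands that create or change privileged access; worth a look regardless of ticket.
SENSITIVE_COMMANDS = ("useradd", "usermod", "passwd", "visudo", "net user")


def in_window(ts: datetime, window=MAINTENANCE_WINDOW) -> bool:
    """True if the timestamp falls inside the maintenance window (may wrap midnight)."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def analyse(raw: str) -> List[Dict]:
    """Apply the rules to each event and return one finding dict per hit."""
    findings: List[Dict] = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        base = {k: ev[k] for k in ("ts", "user", "target", "account")}
        if ev["event"] == "session_start":
            if not ev.get("ticket") and not in_window(ts):
                findings.append({**base, "rule": "UNTICKETED_OUTSIDE_WINDOW",
                                 "detail": "privileged session without change ticket outside the maintenance window"})
            if ev["user"] not in APPROVED_ADMINS.get(ev["target"], set()):
                findings.append({**base, "rule": "UNAPPROVED_ADMIN",
                                 "detail": f"{ev['user']} is not approved for {ev['target']}"})
        elif ev["event"] == "command":
            cmd = ev.get("detail", "")
            if any(s in cmd for s in SENSITIVE_COMMANDS):
                findings.append({**base, "rule": "SENSITIVE_COMMAND", "detail": cmd})
    return findings


def to_siem_lines(findings: List[Dict]) -> List[str]:
    """Serialize findings as JSON lines for forwarding to a SIEM."""
    return [json.dumps(f, sort_keys=True) for f in findings]


def run_analysis() -> List[Dict]:
    """Run the rules over the constructed export."""
    return analyse(RAW_EVENTS)


if __name__ == "__main__":
    for line in to_siem_lines(run_analysis()):
        print(line)
```

On the constructed export the ticketed night-time database restart passes, while the unticketed afternoon firewall session, the user creation inside it, and the session opened on srv-web02 by someone not approved for that host each produce a finding. Because every record carries the personal identity that checked the account out, the findings point at a person rather than at the shared "root" or "admin" account, which is what makes the review actionable.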

6.3 PAM High Availability

Depending on the chosen PAM solution and deployment method, the PAM system itself can become a single point of failure: if all administrative access is routed through a gateway or all administrative credentials are kept in a vault, nothing administrative works while that component is down.

Therefore, organizations should thoroughly assess whether their solution can fulfill high availability requirements (active-active or active-passive failover, stretch cluster or PAM replication across sites), since the failure of such a critical component could have a severe impact on the organization's ability to operate. During this assessment it is also important to consider possible dependencies on external components such as an RDBMS, a directory service or an HSM.


When deploying PAM solutions, organizations should also consider load balancing, performance and scalability.

Finally, an emergency (break-glass) process must be designed for the unavailability or failure of PAM components, e.g., the case where an administrator cannot log in to the password vault that holds the root or admin credentials needed to repair the outage. An article published on the website of Security Architects provides some good ideas on this topic, e.g., emergency accounts that bypass the PAM system and secure offline copies of the password vault content, both of which must themselves be protected and their every use logged and reviewed. [24]

6.4 PAM Security

PAM technologies handle highly sensitive information: whoever controls the vault or the session gateway controls every managed account. Therefore, security is of the utmost importance, and PAM tools provide various security and hardening mechanisms. Many vendors additionally have their password vault certified, e.g., under Common Criteria or FIPS 140-2.

When deploying a PAM solution, the security mechanisms of the tool itself as well as additional protection measures within the company (network segmentation of the PAM components, strong authentication for vault access, separation of PAM administrators from the administrators whose accounts are managed) should be thoroughly evaluated.

6.5 Privileged Third Party Access

As already noted in chapter 3, third parties (vendors, partners, contractors, etc.) with privileged access can pose a significant risk to organizations. PAM tools can be used to reduce this risk, but organizations must additionally deal with topics such as a formal access request process for third parties, confidentiality agreements, the definition of security measures which the third parties must adhere to, as well as regular account reviews. [25]

6.6 Administrator Guideline

Besides technical measures to secure privileged accounts, organizations should also consider implementing an administrator guideline or policy which deals with topics such as background checks, common principles, accountability and responsibilities, secrecy, respecting employee privacy, handling of privileged accounts, information on logging, adherence to change management procedures, restriction of privileged accounts to administrative purposes only, and the use of a separate, restricted account for web browsing, e-mail, etc.

[24] http://security-architect.com/how-to-balance-assurance-and-availability-in-pam-systems/
[25] Information on the topic of privileged third party access is available, e.g., via Gartner: http://www.gartner.com/document/3161329?ref=solrAll&refval=165534547&qid=73ebe92df248b84375ffc3e4c0352d7c

6.7 Dealing with Objections against Recording Capabilities

When deploying PAM solutions, administrators can, understandably, be skeptical, especially regarding the monitoring capabilities of PSM. Such a deployment should therefore be carried out in close cooperation with the administrators as well as the works council. They should be assured that the recording of administrative activities is also for their own benefit, since they will be able to prove what they did or did not do in case of errors, malfunctions or attacks.

It should be made clear that the monitoring only encompasses administrative activities. If they adhere to best practices, administrators in any case use a dedicated account for e-mail, web browsing, etc., for which no additional recording is in place (or only the general monitoring that applies to all employees and has been made known to them).


7 Appendix

7.1 List of References


7.3 List of Figures

Figure 1 Main PAM functionalities .......................................................... 8
Figure 2 Map of PAM vendors by Security Architects .................................... 15
Figure 3 Gartner Market Guide Privileged Access Management ............................ 16



8 Literature

The sources for this white paper and additional literature are listed below.

Gartner

Gartner Market Guide for Privileged Account Management 2014

Gartner Market Guide for Privileged Access Management 2015, online version available via BeyondTrust: http://www.gartner.com/technology/media-products/newsletters/beyondtrust/1-2GZM0KS/gartner.html

Forrester

The Forrester Wave: Privileged Identity Management, Q1 2014, online version available via Centrify: https://www.centrify.com/media/1626221/forrester-privilege-identity-management-wave-report.pdf

SearchSecurity

http://searchsecurity.techtarget.com/magazineContent/Privileged-account-management-critical-to-data-security

http://searchsecurity.techtarget.com/tip/The-steps-of-privileged-account-management-implementation

SANS

https://www.sans.org/reading-room/whitepapers/analyst/keys-kingdom-monitoring-privileged-user-actions-security-compliance-34890

CyberSheath

http://www.cybersheath.com/wp-content/uploads/2015/03/CyberSheath_APT_Privileged_Exploit.pdf

Security Architects

http://security-architect.com/privileged-access-management-webinar-recording-available/ (video of a webinar on PAM technologies)

http://security-architect.com/privileged-account-management-pam-is-very-important-but-deploying-it-stinks/