Dr. Heiko Clarell, Chief Marketing and Sales Officer, IC Consult
Closed gas stations, disrupted flight schedules, a nationwide state of emergency: in May 2021, a ransomware attack on the Colonial Pipeline, which supplies 45 percent of the East Coast’s fuel, plunged the region into chaos. The attack was carried out by the hacker group DarkSide, which first stole about 100 gigabytes of data, then compromised the billing system and eventually brought the pipeline to a standstill. After paying 75 bitcoins (about $4.4 million at the time), the company received a slow decryption tool, restored its systems and resumed operations on May 12. On the same day, President Joe Biden signed an executive order to strengthen cyber security. Of course, companies can do a lot to protect themselves in such cases without government help. At the top of the list: strong security for identities and accounts, especially those with privileged access rights.
The Colonial Pipeline hack and the government’s rapid response show how dangerously inadequate the protection of many IT infrastructures is, and why access to these networks should be controlled as comprehensively as possible. This is especially true for critical infrastructures, that is, organizations so important that their disruption would have a detrimental effect on physical or economic security, public health or safety. To prevent a situation like the one above, more and more companies are implementing Zero Trust strategies and protecting their users with powerful identity and access management (IAM) solutions. And rightly so: a strong IAM strategy is a solid foundation for identity-centric security. But by itself, IAM will not prevent intruders or malicious insiders from gaining additional rights and maximizing the damage they can do with compromised accounts and lateral movement from server to server across the network. For this, dedicated Privileged Access Management (PAM) is required.
What is PAM?
In protecting identities and accounts, the so-called principle of least privilege has long been an important best practice: it ensures that each authenticated user is given only the minimum level of privilege sufficient to perform their intended task. This ensures that even if an attacker gains access to a user’s account, the greatest harm they can cause is bounded by the privileges of the user in question: if a user only has access to selected resources, for example, the risk is relatively manageable. For optimal protection, it is recommended to assign privileged roles (i.e., roles with particularly broad rights) only for a short period of time and never permanently. Granting access only for the time it is actually needed also helps companies reduce the attack surface of important network functions.
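The time-limited assignment of privileged roles described above, as an added example that is not part of the article: a small just-in-time elevation broker in Python, where every grant carries an expiry, no privilege is ever standing, and both elevation requests and access-time checks are written to an audit trail. The four-hour policy cap, the user and role names and the change ticket are assumptions.

```python
# Added example (not from the article): a minimal just-in-time elevation broker.
# Privileged roles are never standing: each grant carries an expiry, every
# decision is audited, and an expired grant behaves exactly like no grant.
# User, role and change-ticket names below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)  # assumed policy cap on any single elevation
ONE_HOUR = timedelta(hours=1)
T0 = datetime(2021, 5, 12, 9, 0, tzinfo=timezone.utc)  # constructed clock value

@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime
    reason: str

@dataclass
class PrivilegeBroker:
    grants: dict = field(default_factory=dict)  # (user, role) -> Grant
    audit: list = field(default_factory=list)   # (event, user, role, detail)

    def elevate(self, user, role, reason, ttl, now):
        """Grant a privileged role for a bounded time, with a justification."""
        if not reason.strip():
            self.audit.append(("DENY_ELEVATE", user, role, "no justification"))
            return False
        if ttl <= timedelta(0) or ttl > MAX_TTL:
            self.audit.append(("DENY_ELEVATE", user, role, "ttl outside policy"))
            return False
        self.grants[(user, role)] = Grant(user, role, now + ttl, reason)
        self.audit.append(("ELEVATE", user, role, (now + ttl).isoformat()))
        return True

    def is_allowed(self, user, role, now):
        """Access-time check: a missing or expired grant both mean 'no'."""
        grant = self.grants.get((user, role))
        if grant is None or now >= grant.expires_at:
            self.grants.pop((user, role), None)  # never leave an expired grant standing
            self.audit.append(("DENY", user, role, "no grant" if grant is None else "expired"))
            return False
        self.audit.append(("ALLOW", user, role, grant.reason))
        return True

def demo():
    # Walk one elevation through its lifetime and return each decision.
    b = PrivilegeBroker()
    before = b.is_allowed("alice", "domain-admin", T0)
    standing = b.elevate("alice", "domain-admin", "CHG-0001 DC patching", timedelta(days=30), T0)
    granted = b.elevate("alice", "domain-admin", "CHG-0001 DC patching", 2 * ONE_HOUR, T0)
    during = b.is_allowed("alice", "domain-admin", T0 + ONE_HOUR)
    after = b.is_allowed("alice", "domain-admin", T0 + 3 * ONE_HOUR)
    return {"before": before, "standing": standing, "granted": granted,
            "during": during, "after": after, "events": len(b.audit)}
```

The 30-day request is refused because it exceeds the policy cap, while the two-hour grant is honored during its window and denied afterwards, with every decision left in the audit list.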
Additional proposed measures
Most vendors support this basic PAM solution with a wide range of additional technologies, and at first glance, the manufacturers’ strategies differ greatly. However, close examination reveals many common features and key elements:
- High-value Tier 0 or Tier 1 resources, such as domain controllers, require the highest degree of protection. Accordingly, most vendors allow privileged access to them only from an isolated environment and protect that access with robust multi-factor authentication.
- The requirements for protecting the identities and credentials of SaaS administrators and privileged business users are equally strict. Here, the focus is on robust password management strategies, such as enforcing strong passwords and automating regular password changes.
- Credentials for infrastructure and DevOps accounts, as well as SSH key pairs and important certificates, should always be stored in a secure vault.
- To ensure extra cyber resilience, most vendors recommend further steps, such as Red Team exercises or improved auditing and reporting features.
Which solution fits best?
When evaluating the PAM market for the first time, the wide selection of available solutions can be a bit daunting. To find the right product for their organization, identity leaders should ask themselves the following key questions:
- What assets and accounts are we looking to protect? What specific risks do we want to reduce?
- Are we facing a real greenfield project? Or do we already have a standalone PAM solution in use in certain areas, or even an enterprise-wide legacy solution that we are not satisfied with?
- What legal and industrial compliance regulations do we need to consider?
- Are we in favor of a cloud-native, hybrid or on-premises approach?
Experience has shown that internal teams often struggle to answer these questions completely and, without external consultation, to decide which solution, whether CyberArk, Delinea or One Identity, to name just a few, is best suited to their business.
Start your project with a workshop
It is therefore often worthwhile to discuss the project with a vendor-independent consultant or system integrator at an early stage. They should be familiar with the products of the various leading manufacturers and be able to help evaluate which solution would fit best into a company’s architecture. For a successful kickoff, a comprehensive, free PAM workshop is recommended to assess feasibility and set specific goals for the project. It should help to:
- Set priorities and business goals for PAM migration
- Evaluate existing solutions and analyze existing performance gaps
- Assess current PAM maturity
- Outline existing dependencies (e.g., legacy systems and necessary customizations)
- Develop a structured PAM approach
Such workshops will help the organization to realize the project in all its complexities, ensure support from all relevant stakeholders and pave the way for successful implementation.
As a main target of many modern cyber attacks, privileged accounts require special attention and dedicated protection. Strong Privileged Access Management (PAM) ensures that users are always granted only the minimal level of privilege needed for their specific tasks and provides additional security layers such as multi-factor authentication, strong password management and a secure vault for important keys. PAM migration is a complex task, though, and onboarding an external expert should be strongly considered to set the stage for a successful implementation by the internal security teams.
About the author
Dr. Heiko Clarell, Chief Marketing and Sales Officer, IC Consult Group
Dr. Heiko Clarell has been active in Identity and Access Management (IAM) for over fifteen years. He wants to bridge the gap between business and IT to create holistic solutions: all the way from customer strategy to technological implementation. To date, he has successfully completed a wide range of IAM projects in various industries, including automotive, banking and logistics.
As Chief Marketing and Sales Officer at IC Consult Group, he is passionate about understanding his clients’ challenges and working with them to find the most appropriate solution.
Further information is available on our company’s website: http://www.ic-consult.com
Notice of fair use: Under the “fair use” doctrine, others may make limited use of an original author’s work without permission. In accordance with 17 US Code § 107, certain use of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that parts of copyrighted material may be used freely for the purpose of public comment and criticism. The privilege of fair use is perhaps the most significant limitation on the exclusive rights of a copyright owner. Cyber Defense Media Group is a news reporting company that reports cyber news, events, information and much more on our website Cyber Defense Magazine at no charge. All images and reporting are done exclusively under the fair use of US copyright law.