Privileged Access Management - Compliance Review


Introduction


Privileged Access Management (PAM) has recently emerged as a critical foundation for the realizing the business benefits in terms of cost saving, management control, and operational efficiency. Enterprises need to manage access to information and application scattered across internal and external application systems. PAM comprises of people, processes and product to manage Privileged identities and access to resources of an enterprise. Additionally, enterprise shall have to ensure the correctness of data in-order for the PAM Framework to function properly. 

Attackers, both internal and external, exploit privileged accounts in multiple ways. They use privileged accounts to bypass controls, cover the tracks of an attack, improperly access confidential data, install malware, and make changes that impact system and data security. Proper auditing of privileged accounts access can help uncover inappropriate privileged account use, and can also provide part of the check-and-balance required for compliance with IT Security Standards.

What is a Privileged Account?


Privileged accounts are valid credentials used to gain access to systems. These accounts provide elevated, non-restrictive access to the underlying platform to alter, create, delete, modify and provide ability to access resources across the network. These accounts are designed to be used by System Admins to deploy and manage IT technologies, like Operating Systems, Network Devices, Applications, databases and more.

These accounts are highly critical to infrastructure, therefore, attractive to attackers, hackers, and malicious insiders seek to steal them. It is important to manage, monitor, review and audit the activities associated with privileged accounts and comply with Identity management life cycle.

Privileged Access Management


Most breaches involve gaining access to privileged credentials because they provide unlimited access to systems and data – creating a major security and compliance concern. The principles of Privileged Access management are generally as follows

  • Ensure that only those users who absolutely need access to a given set of privileges on desktop and servers have those privileges, and only those systems for which they have a need
  • Ensure that least-privileged policy is enforced
  • Ensure that privileged access is only used when it is needed and ideally, is only granted when it is needed and un-granted when it is no longer required
  • Centrally manage privileged access such that access can be granted and revoke quickly
  • Ensure that there is an audit logs for any privileged activity
  • Ensure that privileged accounts are monitored correlatively
     

Privileged Access Life Cycle – Strategy and Governance


The IAM life cycle illustrate the steps below that privileged users process through when joining a business workforce and obtaining privileged access to tools, systems and application to do their job. This also include the step to ensure that employee maintain appropriate access as they move within the organization with access being revoked or changed when they separate or change roles.

  1. Privileged access request and approve

    • Gaining access to the applications, systems and data required to be productive
    • Process that is based on ‘request and approval’ must be in place

  1. Provisioning and De-provisioning

    • Granting users appropriate privileged access in a timely manner
    • Revoking privileged access in a timely manner when no longer required due to termination or transfer

  1. Enforce the authentication method

    • Enforcing privileged access to applications and system using authentication and authorization
    • Enforcing compliance with privileged access management policies and standards

  1. Report and Audit

    • Audit privileged user access and activities
    • Report on business-relevant KPIs and metrics

  1. Review and certify

    • Review privileged access periodically to realign it with job function and role
    • Document the process for audit purpose

  1. Reconcile

    • Enforcing that access within the system is matching with approved access levels
    • Remediate and document the changes

Compliance Objectives


The objectives of the compliance is to assess the controls implementation and effectiveness of the governance, risk management, and control over the Privileged accounts and their access to ensure that:

  • Review the Privileged Access Life-Cycle processes, and procedures followed by the organization for granting and revoking the Privileged Access
  • Review the Privileged accounts’ roles and responsibilities, policies, and standards are defined and implemented to enforce role base access controls (RBAC)
  • Systems, applications, databases, network devices are securely provided privileged access based on least-privileged access control
  • Review and documents the use of shared accounts, default accounts come with application or appliances
  • Third party service provider(s) supporting the Privileged Accesses are effectively managed to provide consistency and quality of service delivered
  • Identify and management of common types of privileged accounts: systems, application, databases, network devices
  • Identify and mitigate the risks associated with privileged access accounts and documents
  • Controls for monitoring, audit trails and security of the Privileged Access Accounts are designed and implemented effectively

Privileged Access Management - Best Practices


  • Identify and Inventory all the Privileged Accounts and Assign Ownership and purpose
  • Implement complex password policies for privileged accounts
  • Minimize service accounts with ‘non-expiry’ password
  • Implement least-privileged, role-based access control policy
  • Use Shared Accounts for sporadic and Contingent Use
  • Minimize the Number of Personal and Shared Privileged Accounts
  • Limit Scope for Each Privileged Account
  • Implement “Separation of Duties” Model to manage Administrative Privileges
  • Establish Processes and Controls for Managing the Use of Shared Accounts
  • Use Default Administrator, Root or similar accounts only in Extreme Circumstances
  • Monitor and Reconcile all the Privileged Access Activities
  • Establish a Privileged Access Governance Model by Extending Identity Governance Controls to Privileged Accounts
  • Train employees in the proper use of elevated access privileges including logging out after doing required tasks
  • Use of industry-recognized Privileged Access Management (PAM) tools

No comments:

Post a Comment