Category: Event

Why Privileged Access Management Must Be Part of Your Overall IAM Strategy

This article is written by Patrik Horemans (IBM) Source: Security Intelligence.

In the past, the urgent need to secure privileged accounts has led organizations to implement a privileged access management (PAM) solution as a standalone track. Many companies have invested or are investing in products to help them secure access, get usage under control, provide detailed audit trails and implement processes.

Securing the use of these accounts is, and will remain, a good security practice. After all, a recent survey from Centrify revealed that more than 70 percent of breaches involved the abuse of privileged accounts in one way or another.

Today, however, companies are starting to understand that the management of access to privileged accounts should be an integral part of their overall identity and access management (IAM) strategy. This means it should be built into core IAM processes such as provisioning, deprovisioning, access risk mitigation and segregation of duties. Furthermore, the implementation of such a solution should be integrated into company security processes to gain visibility into risks across the landscape of both privileged and nonprivileged users, and be part of the business’s overall security monitoring and risk mitigation strategy as well.

A Life Cycle for Privileged Account Access

When you implement a PAM solution as a standalone project, you will often face the same challenges that you had before.

In other words, granting access to privileged accounts is not necessarily better than the manual process you had before, and will result in collecting more and more access rights over time, leaving you again in a vulnerable state with too much access. Administrators, developers and third parties need certain access levels to do their jobs, but PAM solutions alone age poorly through the life cycle of giving, maintaining and revoking access to privileged accounts. In fact, they rely on external processes, such as adding the right people to the right groups, either in the PAM solution or directories such as Active Directory.

There has to be a process around the PAM solution to manage the hygiene of access. Companies that do not have the proper automated processes in place will face an issue they had before: permission scope creep, or the expanding collection of access to privileged accounts over time by a user as a result of changing roles, jobs, departments, etc. The challenges these security teams had before with shared passwords and the management of personal administrative accounts are now moved to the access model for privileged accounts. This is why it’s crucial for organizations to implement an automated life cycle process for privileged account access.

Avoid Toxic Access Combinations That Lead to Risk

PAM solutions give you a simple way to know who can access and use privileged accounts. However, the combination of access to systems, devices and applications, as well as any related privileged accounts, often presents a risk to the enterprise.

For example, a user has access to an application that uses a database to store its data. That same user also has access to the privileged account to manage the database. As such, he or she will be able to change things in the database, circumventing the business and authorization controls from the application. If they also have access to the privileged account that manages the operating system, they could clear audit traces. This could be a toxic combination of access that should be avoided from a security and compliance perspective.

Toxic access combinations related to PAM solutions usually fall into three categories:

  1. Combinations related to the PAM solution itself, for example, the capability to create access to a privileged account and the capability to approve.
  2. Combinations related to the privileged account, for example, the capability to manage a server and the application running on it.
  3. Combinations related to business services and privileged accounts, such as in the example described above.

To avoid these toxic combinations of access, security teams should implement segregation of duties (SoD) controls. But these can only be implemented when you have adequate visibility into the access for both privileged and nonprivileged accounts. PAM solutions typically don’t have SoD enforcement capabilities and therefore another system, such as an identity governance tool, should be implemented.

To be able to implement SoD controls, you need visibility across privileged access and normal business user access. You will need a solution that can read and combine information from both sources.

Optimize Recertification Campaigns With Identity Governance Tools

Another area to consider, both as part of the access life cycle for privileged accounts and for compliance reasons, is the capability to recertify access to privileged accounts on a regular basis. PAM solutions typically don’t have this capability. Some companies use manual processes with spreadsheets and emails. While this might work, it is a cumbersome and error-prone process. It also provides little context on why someone would still need that access.

Integration with identity governance solutions can provide capabilities to automate regular recertification campaigns in an understandable business language so that approvers understand clearly what they are approving. Recertification campaigns will help companies to prove compliance as well. Proving compliance and maintaining clean and healthy access requires a solution that can automate recertification campaigns in an optimal way. Integrating campaign results with life cycle automation also improves efficiency and consistency.

By integrating a PAM solution with identity governance and administration (IGA) tools, you will get a holistic view across your enterprise over privileged and nonprivileged users. This will allow you to introduce processes across both domains and manage access seamlessly. It will help to analyze access and permissions, find anomalies, understand risk and consolidate audit and reporting capabilities. Risks such as segregation of duties can also be mitigated.

Integrating a PAM solution with an IGA tool will accomplish the following:

  • Access life cycle to avoid scope creep and good access hygiene.
  • Recertification campaigns to prove compliance.
  • SoD controls to avoid risks across privileged accounts and business infrastructure and applications.

Secure Your Privileged Access Management Solution by All Means

Finally, events related to privileged access should be processed by a security information and event management (SIEM)platform to compare indicators of compromise with other real-time threats to prioritize alerts by risk. User behavior analytics (UBA) can also help organizations flag unusual activity, such as high-risk behaviors or the granting of uncommon access levels.

On last consideration is the area of secured access to the PAM interface. Think about it: A PAM solution contains all the keys to the kingdom. A PAM user can access a whole bunch of privileged accounts during his or her work day. This also means that if a PAM user’s credentials are stolen, the thief has access to these privileged accounts and could have total control of the environment.

Therefore, it’s crucial to secure access to your privileged access management solution with capabilities such as multifactor authentication (MFA) and risk-based access controls. You want to avoid malicious access to your PAM solution — as well as your identity and access management system as a whole — by any and all means.

Source: Security Intelligence.

Learn more and join our Round Table on the 25th of September!


FIDO2 is on the rise

The Passwordless web is coming

The FIDO alliance is now one of the most influential cross-industry alliance. It launched its FIDO UAF and U2F standard in 2014, recently the FIDO2 specification.

Yubico helped to create FIDO2 to extend the FIDO standard beyond external security keys to include new built-in fingerprint readers and facial recognition technologies.

The promise is to have a solution for MFA that does not need drivers or software to be installed on systems, protection against man in the middle attacks and that the need for passwords are coming to an end. All of this with a low operational support cost and portable everywhere – used for corporate login but also as a consumer.

In this authentication landscape, the YubiKey takes on the important role of a root of trust. As users move between different platforms and computing devices, having this portable root of trust is essential for enabling rapid bootstrapping on new devices and for recovering when devices are lost, stolen or replaced.

Many companies are embracing this technology which led to the recent announcements that Microsoft supports with the latest Windows 10 Windows Hello and Edge. Also Google turned Android 7+ Phones into FIDO2 devices and +500 companies are certified, also Yubico’s newest security keys support FIDO2 for a while.

Join us in this webinar where we will present and demonstrate:

  • The opportunity for companies using FIDO2 for MFA
  • How consumers can benefit
  • How you can enable FIDO2 support for your web and mobile applications
  • What the concern and limitations are
  • The YubiKey, the portable root of trust
  • The impact of enabling FIDO2 support
  • Integration with legacy systems

Practical information

When: 20 June 2019
Where: Webinar
How late: 15:00 CET (not GMT!!)


About SecurIT

Founded in 1999, SecurIT has over 18 years of extensive experience of designing, implementing, maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands SecurIT offers its customers high quality consultancy, implementation, management and support services (24*7). 


IBM SECURITY ACCESS MANAGER (ISAM) UPDATE SESSION ON MARCH 26th

ISAM: where we are today, and where we are heading to

On March 26th, we are holding an IBM Security Access Manager (ISAM) Session at the IBM headquarters in Amsterdam. 

Come and learn about all the exciting additions and exciting roadmap. At the same time, you can meet your peer users and learn about their experiences. Items we will cover in this session are:

  • ISAM: where we are today, and where we are heading to
  • ISAM & FIDO2
  • The role of ISAM for API protection
  • How to consume MFA from the cloud with ISAM
  • Cloud Identity to enable your VPN with MFA (RADIUS)
  • “Remember me” for Consumers with ISAM

Other candidate topics are Login password free via QR codes, Cloud Identity & integration with Microsoft, Governance from the cloud, Customer use cases and lessons learned and many more. 

A detailed agenda will follow closer to the event, but we can assure you it will be exciting and valuable. 

Feel free to forward to anyone you believe might find this invitation relevant! 

Register today!

[recaptcha]

Practical information

When: March 26th, 2019
Where: IBM Headquarters in Amsterdam
How late: 08.00 am – 16.00 pm


About SecurIT

Founded in 1999, SecurIT has over 18 years of extensive experience of designing, implementing, maintaining large Identity Management/Governance infrastructures. With more than 30 specialists permanently employed in the Netherlands SecurIT offers its customers high quality consultancy, implementation, management and support services (24*7).