It's proven that what may appear complex can easily be simplified when looked at as a game. Don’t believe me? Ask that 7-year-old who learned the multiplication table the fun way. Can Privileged Access Management be looked at as a game? Let's break a game down and see what it's made of.

A game is nothing but a structured form of play. A game has various components like a goal, challenges, tools or enablers, skills required to ace it and of course competition. If we establish that PAM has these components, then we can conclude with certainty that it can be looked at as a game.

Goal

Goals can be of two types, long term and short term. A typical game would have both and so does PAM.

Long term goals

Secure your organization from cyber attacks by securing all the systems within the network
Be compliant with the norms of regulators and scale up sustainably without additional costs

Short term goals

Rotating passwords
Password encryption
Increasing automation
Reducing human dependency

Challenges

Challenges are very important components of any game. It's true that they keep you from going to the next level, but once you figure out how to beat them, nothing stops you from moving ahead. If it's Road Rash that you’re playing, then the cops that start to tail you become the challenge that you have to deal with. PAM also has some challenges that will require us to bring our A game.

User awareness is the key challenge. It is essential that users know about the devices they have access to and also about the PAM solution. Poor hardware on devices also becomes a challenge at times. Attaining the level of customization expected and defining user groups correctly are some challenges that PAM companies are still struggling with. However, developing empathy towards the client and understanding the what and why of the client's business can effectively dodge these challenges.
Tools

Dangerous Dave had a jet pack, and NFS requires you to collect NOS so that your car can zoom past others and get ahead in the race. PAM has some tools as well that enable you to get ahead in the race. Reporting forms an essential part of the tool kit. Easy-to-understand dashboards give you a bird's-eye view of everything that goes on within your network. A risk analyzer keeps you ahead of the curve by warning you about anomalies on the basis of risk scores allotted to every activity. Automated asset and account discovery is also a tool that can exponentially ease PAM functioning. Remote access and activity trails are others.

Competition

In the case of PAM, defining competition can be tricky. It’s a long list if we go around looking. Competition can be classified as internal and external.

Internal competition: an employee gone rogue.
External competition: a hacker sitting in a distant country.

Ignorance towards cyber risk and internal resistance to transforming and adopting better methods become competition too, because when they win, you lose.

Skill

Last but not least, developing the required skill is very important to win any game. In the case of a computer game, it's mostly hand and eye coordination. When it comes to PAM, it's mainly about taking users from a low level of awareness to a high one. We could imagine the user awareness scale ranging from 0 to 10 with three levels in it: 0-4 becomes level 1, 4-8 becomes level 2 and 8-10 becomes level 3.

Level 1: Understanding PAM superficially without getting into the technicalities.
Level 2: Understanding how PAM functions and the scope of it. It’s a stage where the user understands which business problem PAM solves.
Level 3: Building a strong feedback loop with the users and customizing the PAM solution by keeping the user at the center. This loop requires users to participate actively, which helps the PAM solution mature well.
Coordination

Just like a game that we play in teams, PAM requires high coordination among players/stakeholders.

Now that we’ve established PAM can be looked at as a game, we have strong reasons to not do so. Unlike a game, PAM does not run in a simulated environment. Threats in PAM are not fictitious like in a game. It can be argued that games are unproductive in nature, but PAM solutions, unlike games, have a very high ROI if we consider what’s at stake, and are highly recommended by experts.

You deserve this star if you think you understand PAM better now, just like the kid who now knows his multiplication. Thanks to games!
Sectona, the Privileged Access Management OEM, announced the version 2.0 release of its flagship product, Spectra Privileged Access Management Solution, a solution which provides organizations of any size with privileged session management, password automation, privileged task management and server privilege management. This release covers load balancing, high availability, log forwarding to a SIEM solution and network discovery.

New Inclusions:

Minimize CPU Consumption with Spectra’s Application Load Balancing

In Spectra 2.0, when a replica of the PAM application is created to manage the load/traffic of users accessing the Spectra application, a few parameters such as CPU consumption are set. When that limit is approached, the PAM application communicates with the load balancer to divert incoming traffic to the replica PAM application, thereby keeping CPU consumption and concurrency in check.

Leverage Built-In Replication & High Availability

As with application load balancing, a built-in replica of the Spectra Vault is created in HA, which is in continuous sync with the Primary Vault. In a failover scenario, control is switched to the Spectra Secondary Vault automatically and all the changes made during this period are recorded by the vault. These changes are synced with the Spectra Primary Vault at regular intervals. Such built-in replication is made possible by Spectra’s Embedded Vault and helps minimize manual intervention and data loss.

Introducing Maker Checker to review creation of new users, accounts and assets

Through the maker checker feature in Spectra 2.0, you can now monitor and review the creation, update and deletion of any asset, account and user within Spectra.

Integration with Splunk for SIEM & Log Forwarding

A very common scenario we have observed is that the PAM syslogs are forwarded to a SIEM placed on a log server. This is usually done to store all the logs together on a separate server which is dedicated only to log storage.
While Spectra 2.0 supports integration with other SIEM solutions, the latest addition to its exhaustive integration list is Splunk.

Inventorize Network Devices within your Environment on to Spectra with SNMP Discovery

Spectra readily supports discovery across OS, AD, VMware, Hyper-V, AWS & Azure. With Spectra 2.0, you can now schedule or manually trigger an SNMP Discovery scan as well to discover and automatically onboard network devices within your infrastructure.

Authenticate via ADFS for added security

Along with AD Authentication, Spectra now supports ADFS Authentication as well, using the SAML protocol. The benefit of using the SAML protocol is that access is granted with an additional layer of security.

What's Enhanced:

Auto onboarding of privileged accounts along with their dependencies

Earlier, only privileged accounts were onboarded. From Spectra 2.0 onwards, the dependencies (if any) are also discovered and onboarded.

Account password verification and reconciliation

Earlier, passwords were only rotated. From Spectra 2.0 onwards, passwords are verified, reconciled and rotated again (if any were missed).

AWS console (Token based) access type

Earlier, only browser-based access to the AWS console with username & credentials was allowed. From Spectra 2.0 onwards, with deep API integrations, it is possible to allow token-based AWS console access through Spectra for better control and flexibility.

To sum up, Spectra, with this release, has made significant additions and improvements to its previous version, solidifying its robustness and capabilities. Watch this space for future releases and product updates.
What is trending now?

Earlier this year, Deloitte released its annual edition of emerging trends in government technology, ‘A Government Perspective: Tech Trends 2018’. It spoke about how automation, artificial intelligence & cognitive technologies are set to change the way work gets done. Another of the trends highlighted was that of re-engineering technology, where modernized IT infrastructure is being created to enhance efficiency and service delivery. Furthermore, it mentioned the adoption of newer technologies & newer ways to manage interrelationships, storage and security of organizational data while dramatically improving both availability and security.

Coincidentally, I also happened to come across a strategic move implemented by the Singapore Government, where they have set up a G-Cloud, a private cloud infrastructure that meets all the required security assurances the government has mandated. The benefit – all branches of Singapore’s government can scale, deploy & scale up applications much more quickly, efficiently & securely. The reason why they have implemented the G-Cloud is to transform the way the government delivers services by enabling new technology & by using a transformed IT department.

Moreover, based on our interaction with enterprises across sectors, we observed a trend where co-existence of hybrid infrastructure seems to be taking shape. And with that there seems to be an overall refresh in the associated aspects, including security tools.

Synergy in above trends

The above cases point in a similar direction – a transformation in IT. Transformation not just in terms of the IT infrastructure but also in other parameters associated with it, such as automation, new technologies, security & efficiency. Taking these trends to a broader setting, we can to a certain extent also assume that this is true not just of government enterprises but also of other enterprises – small, medium & large.
And while unsaid, with this transformation comes the challenge of IT security at all levels, especially with regard to IT infrastructure. Needless to say, security around user access to critical IT infrastructure cannot be neglected and should remain the top priority. The reason is that compromising this security aspect could lead to unlimited access to & control of critical infrastructure accounts/privileged accounts, and to their passwords falling into the wrong hands.

Time to re-evaluate your IT security solutions

Evaluating a priority security solution tailored to protect IT assets, such as a privileged access security solution, could be a long-winded process. However, the ROI in terms of recurring cost, security, compliance & business reputation is worth the time & money invested. For instance, Apple devices have gained popularity not just for their features & sleek design but for the fact that they are protected from ransomware. Similarly, customers of any organization would look at the enterprise’s security measures in today’s day & age to build trust in that organization. More than strong revenue, profits & popularity, it is information security as an evaluation parameter that has taken dominance in customer decision making, come to think of it.

One can argue that the only way customers would know of an organization’s security is when a security breach takes place. But why wait for that to happen? Prevention is better than cure, as the age-old saying goes. With that in mind, it has become important for security teams in enterprises to do a continuous assessment & monitoring of existing security solutions & evaluate the solutions’ capability to support & scale with modernized IT infrastructure.

Having said that, prioritization is equally important. When it comes to security solutions, the first thing that you would think of securing is the core of your IT environment: the privileged accounts. And why wouldn't it be?
A study by Ponemon Institute has pegged the average cost of insider threats for an organization at over $8 million, not to mention losses suffered due to a hit on the reputation. It is therefore time to re-evaluate your security with regard to privileged access.

Re-evaluation of privileged access security is not cumbersome

Times have changed. Every simple item we use today demands a re-evaluation, so why not security solutions? Privileged access security is not what it used to be. Most enterprises might have implemented a privileged password vault some time ago, but with such massive IT transformations happening at all levels, it is also important to re-assess your privileged access security programs. You may already have a robust privileged access solution in place, but is it built to scale and suit the modernized IT infrastructure? If not, then having implemented such a solution could lead to spending more time and resources on maintaining the solution alone. Moreover, there is a risk in sticking to a traditional solution that may have an architectural shortcoming considering the new age infrastructure changes.

It is therefore best practice to re-evaluate existing security solutions in terms of their capability to support an agile and scalable IT environment without impacting productivity, compromising security & increasing costs. You have to take action before a potential security threat event occurs, even with the existing solutions in place. Imagine the plight of security teams in the event of a potential mishap (breach) despite having an erstwhile compliant solution.

It is worth the time & effort to look at transforming and reworking the privileged access security program to ensure data security keeps abreast of your IT transformation. The current scenario demands a Privileged Access Security/Privileged Access Management (PAM) solution that is capable of adjusting and adapting to the dynamic IT infrastructure.
And if there is a PAM solution that is engineered on a new age technology suited to adjust and adapt to the dynamically evolving IT setting, it may be worthwhile evaluating such a solution and considering a change, wouldn’t it? Reworking a privileged access security program is not as tedious as you think it is. Alternatively, you may even want to consider keeping a backup PAM solution, if not replacing the existing one. Think about it.

How can Sectona help?

Sectona has engineered a Privileged Access Management solution to adapt to the dynamically changing IT infrastructure. The solution has been built with the intention to scale flexibly without compromising on security or increasing costs. Designed with a new process & approach, Spectra Privileged Access Management has been conceived & architected with the right amount of time and energy to realize the right ROI. Learn more about Spectra here and see it in action.
Enterprises are witnessing a significant change in their IT infrastructure. The contributing factors to these changes are qualitative – be it the constantly changing industry behavior and organizational economies vis-a-vis large infrastructure migration activities, IT procurement changes, mergers & acquisitions, migration to hybrid & cloud platforms, or the changing user and user access landscape. With these changes, the current scenario is such that users can access your infrastructure from any location. All users can be treated as remote users, with millions of passwords and accesses to be managed and thousands of sessions & activities to be monitored independently on a daily basis, leaving you with an increased attack surface.

Security concerns around Privileged Account Management because of the evolving dynamics

Naturally, the question then arises as to how the rising privileged access needs will be catered to. The popular solution vendors worked on innovative password vaults back in the day. Having said that, it is important to consider whether the architecture and approach of those solutions can cope with the dynamically changing nature of infrastructure needs (read: cloud + on-premise hybrid infrastructure). Are more resources in terms of manpower, effort and costs required?

CIOs are analyzing and evaluating tools with a primary objective in mind: does my privileged account management (PAM) tool have the agility and scalability to manage and secure the increasing diversity of the infrastructure while still reducing costs and increasing productivity? The answer to this missing piece has led to the increasing transition of enterprises to consider a technology refresh and move to an ‘as-a-service’ approach for their privileged account management tools.
Management concerns with the current Privileged Account Management measures

It is often observed that traditional Privileged Account Management (PAM) tools are able to provide core privileged access security features such as Password Management and Session Monitoring, but now the focus has shifted to ‘do more with your PAM’. The core features alone do not seem to be cutting it because there is a lot of manual effort involved in managing the solution in its entirety. There are two problems associated with this: first, the cost involved in deploying resources to manually manage the solution (for instance, to manually provision and de-provision devices and accounts), and second, the drop in productivity that comes with the mundane approach followed in managing the solution.

Automation has therefore become the talk of the town and a critical requirement of a Privileged Account Management solution. It allows for up to a 50% reduction in costs. However, for existing PAM solutions, incorporating automation would mean disintegrating and then reintegrating the basic foundation of their architecture, which could take a significant amount of time before it comes to fruition.

This leads to the management point of discussion: is maintaining my existing Privileged Account Management solution a costlier affair than replacing it? Not surprisingly, the answer to this will give you an insight into the need for a massive Privileged Account Management (PAM) refresh among enterprises. All this is believed to have led enterprises to prioritize privileged access security and consider a reduction in their PAM refresh tenure from the conventional 5 or 7 years down to 3 years. Are you ready for a PAM refresh?

What do you need to tackle these PAM security concerns?

The need of the hour is a privileged account management (PAM) solution that addresses the aforementioned pain areas by focusing on privileged user ACCESS to prevent misuse of privileges and manage access problems.
At the same time, the PAM solution should be able to adapt to the evolving infrastructure needs without requiring additional resources (in terms of manpower and hardware). A Privileged Account Management (PAM) solution that is built in a cross-platform and integrated fashion, making it cloud ready, agile and easily scalable, is needed to achieve the levels of security and automation that the current scenario demands. With the rising user landscape both from within and outside the network, the risk has shifted from managing passwords to managing access.

How can Sectona help?

Sectona’s Spectra Privileged Account Management/Privileged Access Management is designed with a unique approach that steps away from conventional challenges and addresses the current and future needs of privileged password & access management. Furthermore, its collaboration-based privileged access technology solves the issue of growing remote users. Most importantly, its use of automation for discovery, provisioning and privileged tasks, to name a few, can help reduce costs and save time, effort and manpower dependence. Spectra PAM essentially has been conceived and developed to address the growing needs of privileged access & modernized IT infrastructure for future-ready enterprises.

The focus at Sectona is to educate enterprises on how to prioritize their privileged access from start (read: How to start your Privileged Account Security Program) to end. Learn more about how Spectra Privileged Account Management (PAM) is tailor-made to address the current and future needs of privileged access management challenges, with a focus on automation along with time & cost reduction.
What are Privileged Accounts?

Privileged Accounts, as the name suggests, are only for privileged users, super-users and administrators who are entrusted with the responsibility of managing infrastructure or cloud critical systems. These super users are equipped with certain privileged access rights that other end users do not have. On every system, be it OS, databases, network devices or applications, privileged accounts are assigned to perform critical activities. Quite naturally, this means that there can be an abuse of the privileges, intentionally or accidentally, if they are not appropriately monitored and controlled. (Read how to plan against privilege abuse)

Interestingly, there are different types of privileged accounts that can be assigned to a system. The simplest privileged account, which most people know of and can relate to, is the default ‘administrator’ account you have seen on your system. This account has been granted rights to have complete control of the system and do anything in the purview of the operations of the system.

Types of Privileged Accounts

Local Account: These accounts have access to a single system, the one the user is using, i.e. the account is local to the user. The user id and password are stored locally on the hard drive of the system being used. Default administrator accounts are local accounts. The local account determines what can be done on the system, such as which programs can be installed or removed, which types of files can be accessed, and which services can be run or blocked.

Domain Account: These accounts keep IT users’ ids and passwords on the domain controller rather than on the system being logged in to. As soon as the domain user logs in to the system, the privileges of that user are checked with the domain controller and access is granted to that particular user accordingly.
These types of accounts are used where the workload is divided among many users, so the domain provides centralized access for them across a few computers.

Service Account: This account provides users with security for the services which are running on their systems. The services can be configured using the task manager or Windows PowerShell. There are basically three types of service accounts in an operating system:
a) Standalone Managed Service Accounts
b) Group Managed Service Accounts
c) Virtual Accounts

Application Account: These accounts vary from business-related forms to database logins. They basically deal with all types of critical roles over the network, depending on peer-to-peer applications. These types of accounts are designed to track use of an application through logins to that particular application account.

Default Accounts

Our focus, though, will be the default administrator accounts & built-in accounts. These accounts come into the picture at the time of installation of devices and services. When a system is installed for the first time, the operating system, database or service installs with default user accounts. These account settings are known as default administrative rights because they have been pre-defined by the software developers of the system. There are various default accounts in various systems, such as administrator for Windows, root for Linux, db2admin for IBM Db2, administrator for Microsoft Server 2012 etc.

The security risks, however, come into play when there is a misuse of the access privileges granted to these accounts. This administrator can also create other accounts with equal administrator rights, and sometimes this leads to the creation of new privileged accounts that security teams may or may not know about.
So the unaware security team will do the necessary checks to ensure that the access and credentials of the known default administrator accounts are protected. However, abuse of the newly created privileged accounts will go unnoticed, which can expose a large attack surface.

With security risks around privileged account management taking the driver’s seat, this has become a topic of discussion even among Boards of Directors. Given the nature of cyber-attacks in the recent past, where privileged account misuse has been identified as the top attack vector, regulations have tightened with a focus on these privileged accounts. These regulatory frameworks are constantly evolving, and that poses ‘challenges’ to CIOs and CISOs, making it imperative for them to adhere to those regulations to avoid business and reputational losses. A quick recap and gist of the compliance policies is given below.

Regulatory Challenges for Privileged Accounts

NAME | CLAUSE | DESCRIPTION
Payment Card Industry Data Security Standard (PCI DSS v3) | Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Health Insurance Portability and Accountability Act (HIPAA-April-2014) | 164.308(a)(5) | Password Management
ISO-IEC-27001-2013 | A.9.2.2 | User Access Provisioning
ISO-IEC-27001-2013 | A.9.2.3 | Management of privileged access rights
ISO-IEC-27001-2013 | A.9.2.4 | Management of secret authentication information of users

If you notice, the regulatory frameworks consistently talk about protecting privileged user credentials and securing their access mechanisms. Essentially, for this you need a deeply integrated and cross-platform Privileged Access Management approach.

Where can Sectona help?

While everyone is aware of the above regulations, no one completely knows or is aware of how to start their privileged security program.
And the first step is to identify all the default accounts that are present in their on-premise or cloud infrastructure stack. So, as security consultants, we have stepped in and taken ownership to ease your work and give you a starting point for your Privileged Security Program by providing you with a comprehensive list of default accounts that can be found across infrastructure assets. You may download the template below. We also provide Spectra, a Privileged Access Management solution based on a collaborative, integrated and cross-platform approach.

Download the list

Start now, exploit this knowledge, prioritize your privileged access security and stay compliant. Do keep a lookout for additional resources across network devices and SaaS applications in the coming weeks.
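
The risk described above, an administrator creating further accounts with equal rights that the security team never learns about, can be checked on a Linux host by comparing the accounts that actually hold privileges against the approved inventory. The following is an added example, not part of the original article or of Sectona's product; the sample passwd/group data, the approved list and the choice of sudo and wheel as admin groups are assumptions.

```python
"""Flag privileged Linux accounts that are absent from an approved inventory."""

# Constructed sample data in /etc/passwd and /etc/group format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:27:Dave:/home/dave:/bin/bash
svc_backup:x:0:0:backup job:/var/backup:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:
sudo:x:27:alice,bob
users:x:100:alice,bob,carol
"""
# Assumption: the accounts the security team already knows about and manages.
APPROVED = {"root", "alice"}
# Assumption: groups that sudoers grants full administrative rights on this host.
ADMIN_GROUPS = ("sudo", "wheel")


def parse_passwd(text):
    """Return (name, uid, gid) for every well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 7:
            continue
        if fields[2].isdigit() and fields[3].isdigit():
            entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def parse_group(text):
    """Return {group: (gid, set_of_members)} for every well-formed group line."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) != 4:
            continue
        if fields[2].isdigit():
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups


def privileged_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Map each privileged account name to the reasons it counts as privileged."""
    groups = parse_group(group_text)
    admin_gids = {groups[g][0]: g for g in admin_groups if g in groups}
    found = {}
    for name, uid, gid in parse_passwd(passwd_text):
        if uid == 0:  # any UID 0 account is equivalent to root, whatever its name
            found.setdefault(name, []).append("uid 0")
        if gid in admin_gids:  # primary group is not listed in the group member field
            found.setdefault(name, []).append("primary group " + admin_gids[gid])
    for g in admin_groups:
        for member in sorted(groups.get(g, (None, set()))[1]):
            found.setdefault(member, []).append("member of " + g)
    return found


def unknown_privileged(found, approved):
    """Return privileged account names that are missing from the inventory."""
    return sorted(name for name in found if name not in approved)


if __name__ == "__main__":
    found = privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)
    for name in unknown_privileged(found, APPROVED):
        print(name + ": " + ", ".join(found[name]))
```

On a real host, pass in the contents of /etc/passwd and /etc/group and the account inventory exported from the PAM tool. Sudoers rules that grant rights to other users or groups need a separate check.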