Best Practices in Privileged Identity Management. White Paper

Transcription

1 Best Practices in Privileged Identity Management White Paper

2 Challenges and Benefits of PIM Done Well Privileged identity is best summed up as the very powerful but required administrative accounts and rights built into every technology from the biggest server to the smallest set top box. Privileged identity is everywhere, which makes tackling it a challenge. Another challenge is people who need access to privilege are also everywhere. Your administrators, often your everyday users, contractors, and more need this elevated access to get things done. The spreading of privileged identity sometimes referred to as access sprawl makes it difficult to keep the bad guys out. In today s world, intruders are hopping over your firewalls and finding a treasure trove of privileged access waiting for them. Meanwhile, insiders with bad intentions are able to hold on to their administrative access and wreak havoc on your organization. Privileged Identity Management (PIM) is the art of securing privileged identities while also enabling business to be fluid. With PIM done well, you reduce risk, enhance efficiency, meet compliance needs, and build a strong cyber defense behind the firewall. Every unmanaged privileged identity is a risk not worth taking. PIM mitigates that risk by both managing the credential where it lives and controlling who can use the credential at all times. This management means people who need legitimate access can get it in a predictable, repeatable manner. PIM also makes sure you always know who has what power at any time, which both removes individual risk for your administrators and provides the audit trail every regulated organization needs. All this combined means you can defeat the bad guys before they get a chance to do real damage. Whether they slipped past your perimeter defense or were invited in as a contractor, they re now looking for unsecured privilege to raise their attacks to a higher level and PIM done well stops them in their tracks. What we will do here is spell out how you can do PIM well and reap these rewards. We ll start with a quick list of all the best practices we ve collected from decades of experience helping customers. Then we ll dive into each of these practices to give you practical insight on how you can put them into action. Quick List of PIM Best Practices We ve broken this list down into the required, the proactive, and the advanced. While your goal may be to do everything as best as you can, life usually dictates we go in stages. Required: Provide safe storage for privileged identities, a vault, that has check in and check out capabilities Rotate the privileged identity passwords on a schedule to mitigate insider risk and stop attackers before they escalate to cause real damage Manage service accounts to avoid stale credentials creating risk in the application layer Furnish reporting mechanisms to satisfy auditor requirements Proactive: Move beyond passwords to other forms of privilege (e.g. SSH keys or group memberships) Use a closed loop discovery process to ensure new privileged identities are brought under management quickly and efficiently Control and record sessions to see everything users do with privilege Tie PIM into your SIEM and other threat detection systems to be an automated response to suspicious activity Advanced: Scale up to take on managing privileges at every endpoint, up to IoT and cloud scale Manage embedded credentials in places like application configuration files, back up scripts, database connection strings, and other common places passwords appear in the clear or with little protection Deeply integrate PIM with IGA (Identity Governance and Administration) and IAM (Identity Access Management) to ensure proper lifecycle management of privileged identities related to governance and personnel events 2

3 What s Required for Starting Out with PIM Like everything else, Privileged Identity Management must start somewhere. How you start will often dictate how well you may do in the end. We ve identified the ways our most successful customers have started out and distilled this into a set of best practices for the start of your PIM journey. Provide safe storage for privileged identities, a vault, that has check in and check out capabilities It s easy to see why this is the first thing on the list. You want to get the privilege out of the hands of people and under the control of your systems. No one should need to be the god-like administrator account all day, every day. Last we checked, those powers were not needed to read or surf the web. No one needs to know that elevated account password every moment, either. Early solutions in PIM used the metaphor of a vault to describe where these privileged credentials were stored. Like the safes in the name, that approach tends to carry the stigma of being large, heavy and cumbersome now. There is a string of failed projects to justify that image. What you seek is something that stores the privileged identities securely, but focuses on being light and functional. It should have mobile friendly check out and check in, and also be able to automatically manage credentials when the user forgets to check passwords in on their own. The most important thing is to realize that this is a start not an end. Simply putting the privileged identities under management doesn t complete the PIM goal. Rotate the privileged identity passwords on a schedule to mitigate insider risk and stop attackers before they escalate to cause real damage Now that you have put the privileged identities in the hands of the system, it s time to leverage the full power of that system to make your infrastructure as secure as possible. The best way to do this is to rotate every one of these credentials as often as possible. The world of IT is littered with stories about spreadsheets shared by admins containing passwords that didn t change for years for fear of causing an outage. IT can hardly be blamed since they re measured on uptime, not security. With a competent PIM system in place, they can have their uptime cake and eat security, too. This randomizing of passwords keeps all the bad guys guessing. The attacker that s just landed on the laptop of the person silly enough to open his malware infected needs to grab privileged accounts to do real harm. He s going to sit there and collect as many keys to the kingdom as he can. The same thing goes for the insider who planned to log back in after they were fired with a password they knew was never changed. Once you start your best practice of rotating these passwords, both attackers and insider threats are out of luck. Rotation and randomization needs to be done as aggressively as possible. The right question to ask here is not how often should I rotate, but rather what s the shortest time I will be forced to leave anything in place? The goal is to rotate as much as you can as often as you can. Unless there is a very specific exception driven by business needs, there is nothing that should stop everything from rotating daily in most cases. The attacks being made on your infrastructure are highly automated and this is the attitude that establishes a defense that is also automated you fight automation with automation. This very aggressive attitude also allows you to find your weakest points those places privilege cannot be rotated as aggressively as possible and then mitigate those risks in other ways until process can be changed to allow proper rotation schedules. Even if you find your rotation schedule does not end up being as aggressive as you would like, simply having this conversation with all the stakeholders puts them in the right security frame of mind. That type of security awareness goes a long way to altering IT culture for the better. Manage service accounts to avoid stale credentials creating risk in the application layer One of the worst offenders in bad password policies are the accounts running the most critical applications. Service accounts, database accounts, and other credentials embedded in applications are often left untouched because of that habit of measuring IT primarily on uptime. Many think this practice is OK since in theory no human should know these passwords. But, as Einstein said, In theory, theory and practice are the same, but in practice they seldom 3

4 are. IT veterans know humans do get their hands on these passwords, and so they need just as much attention as any other privileged account. These special accounts also need a different approach. Simply changing these passwords without attention to the services in which they re embedded or the applications they run would be potentially disastrous. You need to demand a process that rotates the passwords without interfering with the operations of the applications. Security and uptime should not be an either or choice. The advice here is an extension of the advice above to rotate aggressively. The difference is that your approach must take the complex ways passwords get embedded into applications. You need to demand that services can use accounts that are being protected with rotation, that this rotation not interfere with the operations of the service, and that at no time does this mean the credentials are exposed. The approach must be able to handle all the dynamics of a service (e.g. a service on a specific machine being unavailable at rotation time due to maintenance or other clustered operations). It must also be able to deal with passwords, keys, and other credentials buried deep in configuration files or database schemas. Asking the applications to change is going to take too much time and the protection is required today. Furnish reporting mechanisms to satisfy auditor requirements The true goal of Privileged Identity Management is strong cyber defense behind the firewall. Good security will always be more than you need to be complaint, even though the reverse isn t often true. Of course, this good security will produce a lot of information the auditors will want, and it makes sense to make that information easily available for auditing. However, it s easy to allow the regulatory pressure run away with your PIM efforts. Demands for ever changing reports can soak up a project s whole time budget and make you lose sight of the real security goals. The recommendation is to make sure that your PIM system is going to have adequate outof-the-box reports, but also allow for extensive data mining of the information it contains. This strikes the right balance between audit and security needs for PIM. By giving you an open platform to query the data, auditors can apply whatever tool they use for reporting in a larger scope to get all the varied reports that they need. This also puts the burden of effort in the right place. You don t put the folks protecting you critical assets in the role of writing queries for this quarter s report. Making PIM a Proactive Defense You need to check off the required items on the list to really claim you have a Privileged Identity Management program in place. If you want real success with PIM, then you need to mature that program into being a proactive defense. PIM is one of the few areas in IT security where you can truly address the threats, external and internal, that are prevalent today. It s going beyond the idea of monitoring and analyzing threat to actually preventing and fighting back. These are the keys to making your PIM platform the keystone of your proactive cyber defense. Move beyond passwords to other forms of privilege (e.g. SSH keys or group memberships) Most conversation about controlling privilege quickly morphs into conversation about controlling passwords. Everyone understands passwords so this makes sense. But passwords are only part of the overall risk exposure. There are many things that are worse than passwords, and they, too, must be found, brought under management, and rotated aggressively. An exhaustive list of everything you need to address is beyond our scope here, but three immediate candidates are: SSH keys, which allow remote logins with no passwords at all for any accounts, including root and other privileged identities AD group memberships, which give out authority in Microsoft and other AD connected systems that is often the equivalent of rights held by administrative accounts Sudo, which allows regular accounts to use privileged entitlements or become privileged identities sometimes without requiring extra authentication 4

5 The idea that should drive you here is this: every way that people use to log in or use privilege should be a target for PIM. Even though passwords seem insurmountable at first, you ll find that 80% of them will be pretty easy once you define a good program. Addressing these other forms of privilege will stretch the capabilities of most software and also mean getting into the business of deeply understanding how your administrators behave. There will also be a lot of automation in the infrastructure that uses these alternate forms of privileged identity that will come into play. Use a closed loop discovery process to ensure new privileged identities are brought under management quickly and efficiently The only thing that stays the same is the fact that everything changes. If you have all your privileged identities under control today, there will be changes that mean you are partially out of control tomorrow. Trying to address this manually is a game of whack- a- mole where you can never keep up. What you need is to ensure you have a discovery process that is going to make sure that your systems do the keeping up for you. Of course, different systems will allow different modes and levels of discovery, which means one size will not fit all. You will want to be sure that your PIM platform can do discovery for the places where it s well supported by the platform, e.g. on Windows servers, Linux servers, and other systems connected to AD. For discovery in other areas, you will likely need to branch out and integrate with other IT systems like CMDB and management platforms. Discovery isn t the whole story, either. Once something is discovered, it must be brought into the system, analyzed, and made available for management. That s where the closed loop part comes in. Simply going out to scan and producing a report is not enough. Discovery needs to result in action within the platform. There should be a means to set up reactions to what s discovered. If a new system comes online, then it needs to get the same protection as all the other systems in its class right away. If you need to wait for it to be reviewed, configured, and have manual work done, then it s going to be exposed to danger too long in today s reality where we must assume we re breached at every moment. Control and record sessions to see everything users do with privilege Ultimately, you will need to expose yourself to some risk because humans will need to use privileges to do actual work. In many cases, though, you can drastically reduce this risk by making sure they never touch the privilege they wield and making sure they know they re being watched. For routine maintenance and everyday tasks, best practice is to simply give your administrators fully formed sessions which are recorded. This way they never know any passwords or other details, but they can get the work done just the same. If you can limit this to even just a single application (versus giving them access to an RDP session to Windows host for full remote control of the system), then that s even better. The less they have to touch, the less there is at risk. Having a recording to go back and look at things from a forensics standpoint is also very good, but the better part of recording is often the effect it has on the mindset of the person using the session. People behave much better on average when they feel they are being observed. Tie PIM into your SIEM and other threat detection systems to be an automated response to suspicious activity Generally, PIM is seen as a proactive control. You put PIM in place to prevent issues and have controls on things before they happen. However, it works just as well as a reactive control. When threats of any kind are making an alarm sound, you can be sure that 9.99 times out of 10 those threats are aiming to capture privileged credentials to do harm. You should be able to react to this by having your PIM system jump into action and rotate credentials as fast as possible. Changing that one critical password at the right moment could make the difference between your 5

6 being a headline or a hero. This means your system will need to support this type of integration. The system itself must be open and responsive. These alerts mean time is of the essence. The system must be able to receive these alerts, process them, and react very quickly. This also means your security team must change their thinking a bit, too. Right now, the state of the art is analytics and monitoring. There aren t many automated defense options being deployed. To ensure that you take full advantage of PIM, you will need to make sure SOC (Security Operations Center) planning takes the idea of an automated response into account. Advanced PIM Best Practice If rolling out a PIM program that meets your base needs and takes you into a proactive cyber defense mode was too easy, then it s time to move on to the advanced class. These are the practices that we have seen in the most mature programs that also have a huge impact on the overall security stance of any organization. Scale up to take on managing privileges at every endpoint, up to IoT and cloud scale This is likely the simplest advice you can get: take what works and do as much of it as you can. Regardless of if your largest scale is one building or a global network of millions of endpoints and systems, PIM applies to every corner of your infrastructure. So take it there. The goal should be full deployment. This has a few implications. Your system must be able to handle that scale, and you must design your deployment to suit the needs of that scale. These go hand in hand. A common error is to have the goal of full deployment from the start, but to test systems as if they will only be in one small layer of the network. When you test, test big. Unlike many security systems, PIM is something you should load test from the very start meaning before you even invest in a solution. In the world where bad guys attack fast and automated, PIM needs to react faster and be more automated. You won t know if it can unless you try it in your specific configurations. This also means you need to design PIM to touch everything it will ultimately affect right from the start. Many start off PIM with easy targets like Windows based user systems. But you should be testing and designing with everything from your largest Mainframes, oddest cloud based systems, and smallest network devices in mind from the start, too. If you get this stuff right in design and test, you will scale up without challenges later. Manage embedded credentials in places like application configuration files, back-up scripts, database connection strings, and other common places passwords appear in the clear or with little protection The reason this falls into the advanced practice is the difficulty in doing it thoroughly. The technical task of orchestrating this sort of password management is complex, but that s not the most complex part. Often the negotiations with the people who run these systems comprise most of the difficulty. They put those passwords in clear text in there for their own convenience. Offering a persuasive argument to make them change that will be a challenge without a heavy mandate from above. This is where you can often find that other factors will help you get traction. Pick a group with particularly high risk and high visibility that will likely be more receptive to the idea of proactive security. Perhaps align with a platform that is trying to displace another one internally in order to offer them a better security argument. If you can make this very comprehensive approach part of one group s success, then others will sign on, too. In order to get the best reception for this, make sure your platform has a lot of options to enable smooth transition. There should be ways to call for credentials securely from any kind of script, any sort of connection protocol, and via all the latest forms of integration (SOAP, JSON, etc.). It s also good to keep in mind that anything is better than a password in clear text. So if the application needs to have a slightly less secure method to communicate than the highest level of security your system can do, that s still an improvement. Progress should always be preferred to perfection especially in advanced security programs. 6

7 Deeply integrate PIM with IGA (Identity Governance and Administration) and IAM (Identity Access Management) to ensure proper lifecycle management of privileged identities related to governance and personnel events Ultimately, privileged identities are going to have a deep relationship with user identities. But they are not the same. User identities will always map to a single human (even if the Identity Access Management systems in place aren t sophisticated enough to make that resolution happen yet). Privileged identities are by their nature mapped to many people, devices, and other technological entities. That s why IAM and PIM are different. But the governance layer that IGA introduces holds a great deal of promise for combining the best of IAM and PIM to offer a very tightly integrated approach to the lifecycle of all identities which can be driven by business minded choices made from the top down. A policy that enforces how and when an authorized administrator has access to a privileged identity is the realm of PIM. How does that administrator become authorized? This is a business decision, and it s exactly the type of choice that IGA can put a system in place to manage and track. As people change roles and eventually leave the organization, governance allows the business to keep the security of the organization in tact at every lifecycle decision point. PIM and IAM integrated into these business driven choices made via IGA means those choices get enacted and enforced. The advice is simple: if you have IGA or will be adopting it, make sure you put integration of PIM into the picture. The result is a better secured infrastructure. Conclusion The only thing to do with good advice is to pass it on. It is never of any use to oneself. Oscar Wilde Wilde may have been trying to question the usefulness of advice, but we are not. These best practices are hard won notions brought to us by the success and failures of our large pool of customers. In a sense, they are most useful for us as something to pass on to all of you. If applying all of this to your organization seems daunting, be assured that no one we ve run into is doing all of this at once today. Some come close. And all the best aspire to all of it. What we take from all of it is advice on how we can continue to improve our solutions. Hopefully it will help you win a few battles in the cyber war we all find ourselves fighting. You should get good use out of it, and you can always pass it on as well. About Lieberman Software Lieberman Software proactively mitigates cyber-attacks that bypass conventional enterprise defenses and penetrate the network perimeter. By delivering an adaptive identity threat response in real-time, the company continuously secures your environment, countering malicious attacks from the outside, and within. Customers who use the Lieberman Software Adaptive Privilege Management Platform to continuously change privileged credentials and SSH keys are no longer exposed to unbounded business risk caused by sophisticated attacks. That s why the largest companies and governments across the globe trust Lieberman Software to secure their assets, protect their finances, and guard their reputation. About ERPM Enterprise Random Password Manager (ERPM) is an adaptive privilege management platform that protects organizations against malicious insiders, advanced persistent threats (APTs) and other sophisticated cyber attacks. It ensures that powerful privileged identities are only available to audited users on a temporary, delegated basis preventing unauthorized and anonymous access to systems with sensitive data. P (USA/Canada) [email protected] P (01) F (01) (Worldwide) 1900 Avenue of the Stars, Suite 425, Los Angeles, CA Lieberman Software Corporation. Trademarks are the property of their respective owners. Published: September 2015 Revised: September