Privileged Access Management: More Necessary Than Ever as Cloud-Shift Intensifies
Initial Publication Date: 23 July 2019
Abstract
Breaches, breaches, breaches – will they ever end? Not likely, as protecting the enterprise is getting harder and harder. With our IT infrastructure becoming more complicated and porous, as cloud-based applications and systems are blended with legacy systems and emerging technologies, the attack surface continues to expand.
Often, the ultimate targets for most hackers are the administrative accounts used by systems administrators of OS’s like Windows and Linux, network and security devices, cloud platforms, databases such as Oracle and SQL Server, and web servers – as well as those embedded within applications to perform various administrative functions in application-to-application communications. To rescue us from administrative account hijacking, solutions residing under the banner of Privileged Access Management (PAM) are available. Such solutions have been on the market for nearly two decades now and have gradually improved to the point where most enterprises will find them compelling. That said, the overall footprint for PAM deployments across many enterprises remains patchy.
This report starts by looking at what PAM is, then evaluates the various types of approaches currently being deployed, the challenges associated with deployment, and provides a review of our short-list of vendors and solutions you should consider. We then conclude with a set of pragmatic recommendations and an enterprise action plan for PAM deployment.
Authors:
- Doug Simmons, Principal Consulting Analyst, [email protected]
- Gary Rowe, CEO / Principal Consulting Analyst, [email protected]
Executive Summary
We’re all tired of hearing about security breaches and sensitive data theft. But the hackers and thieves are more sophisticated than ever – and it is hard to tell who’s the cat and who’s the mouse in this never-ending battle. The shifting of our IT infrastructures to Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) is proceeding rapidly, and the cloud-level topologies we deploy create more security risks than many of us can contemplate.
In reviewing most of the high-profile breaches over the past decade or so, it is apparent that the ultimate targets for most hackers are the administrative accounts used by systems administrators and administration-centric applications. The top prize for hackers and thieves is the set of systems administration accounts for operating systems like Windows and Linux, network and security devices, cloud platforms, databases such as Oracle and SQL Server, and web servers – as well as the accounts embedded within applications to perform administrative functions in application-to-application communications. These administrative accounts are privileged accounts, in that they enable the human or system to configure environments and access the data contained therein. Once a hacker has administrative access to a single server or device, the path often opens to move laterally within the infrastructure to hack deeper and deeper within the enterprise – or beyond.
And the risk associated with privileged access is even greater in that many administrative and service accounts are shared. As we gradually move toward Zero Trust principles (described in detail in our Zero Trust Networking report by Sorell Slaymaker) across the enterprise, the fact that privileged access and the resultant actions taken during this access cannot be traced to a specific individual or application service is alarming.
To rescue us from administrative account hijacking, solutions residing under the banner of Privileged Access Management (PAM) are available. Such solutions have been on the market for nearly two decades now and have gradually improved to the point where most enterprises will find them compelling. That said, the overall footprint for PAM deployments across many enterprises remains patchy.
PAM solutions typically address four primary types of privileged access activities:
- System Administrator Privileged Management (SAPM), which is focused on system administration (SysAdmin), such as Windows Server or Azure Service administration, database administration, etc. The privileges associated with SAPM are usually restricted to administration and configuration services related only to the server, application, database, network device or platform to which the administrative account is associated. In other words, a Windows SysAdmin should only be able to run with administrative privileges on the associated Windows environment – he or she should not be able to use Windows SysAdmin credentials to configure other hosts or environments.
- Privileged session management (PSM) involves establishing and monitoring sessions to multiple systems: authenticating users (e.g., using two-factor authentication) and then providing them access to shared accounts from which all actions will be monitored.
- Application-to-Application Privileged Management (AAPM) is focused on what are often referred to as ‘service accounts’ associated with application identities and credentials used for system-to-system communications, such as a web application that interacts directly with a backend database. Service accounts typically have a username and password that is programmatically sent on the network when connecting to the target system (e.g., the backend database). The passwords associated with service accounts are often not managed in accordance with the Enterprise Password Policy that is focused on end users (i.e., people, including SysAdmins) and are all too often simple or factory default passwords, such as “password” that are not even rotated periodically in line with the Policy.
- Super User Privileged Management (SUPM) is focused on “root” accounts (e.g., root is the superuser on Linux systems). Root / superuser accounts are most often used to make system configuration changes and can override user file protection. These are very powerful, often-human-associated privileged accounts that provide the basis for configuring almost everything deployed in the enterprise IT infrastructure, including in the cloud.
Privileged Access Management is sometimes viewed as a subset of the Identity and Access Management (IAM) market but is often deployed as a separate project or program from IAM-centric provisioning, access management, access governance and authentication services. As we discuss in more detail further in this report, the deployment of PAM in typical high-risk IT environments can and should be removed from the critical path of general IAM implementations. In other words, enterprises should not delay PAM deployments while waiting for user provisioning lifecycle processes to be designed/re-designed, codified and implemented. However, the deployment of PAM should not be done in a vacuum.
While PAM and IAM deployments may proceed in parallel, there needs to be an intersection at some point in the not-too-distant future in order to establish more comprehensive and auditable capabilities reflecting all identities and access rights – whether end users, system or application administrators or application entities. The key intersection should occur with Identity Governance and Administration (IGA). IGA and PAM are two inter-related technologies because together, they provide one of the most important risk reduction services an enterprise can have. Furthermore, as we begin re-architecting our enterprise environments to incorporate elements of Zero Trust (ZT) security, PAM becomes a critical piece of the ZT puzzle. Within ZT, the endpoint becomes the ‘perimeter’. When an endpoint, such as a systems administrator or an application with administrative rights, performs high-risk commands, it becomes imperative that these endpoints are managed and audited very carefully. This level of management and audit is what IGA enables, in that IGA policies and processes institute a keen level of awareness and monitoring of ‘who has access to what, for what purposes, for how long and under whose authority?’
So, while we dive deeper into the world of PAM – especially as the unparalleled levels of migration to cloud-based environments continue to escalate (i.e., cloud-shift: SaaS, PaaS, IaaS), we will retain some focus on approaches that engender tighter PAM/IGA integration. At the end of the day, this level of visibility (i.e., monitoring, auditing, etc.) will be necessary to ‘see’ what is happening and react accordingly in the ever-expanding cloud-universe.
Introduction
Simply put, most current-day PAM solutions take privileged account credentials, such as systems administrator and application service accounts, and put them inside a secure repository typically called a ‘vault’. Once inside the vault, system administrators and application service accounts need to go through the PAM system to access the credentials in the vault, at which point they may authenticate to the target system and their access is monitored and logged. When the credential is checked back into the vault, it is reset to ensure administrators must go through the PAM system next time they want to use a credential from the vault. This method of vaulting credentials (or ‘secrets’) and checking credentials in and out on a real-time, as-needed basis accounts for the majority of PAM approaches today. (There are more capabilities and approaches, and we’ll get to them later.)
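The check-out / check-in cycle just described, as an added illustration (not code from any PAM product): the vault owns the secret, hands it to one authenticated and authorised principal for a bounded time, logs every touch, rotates the secret on check-in so the value the admin or application saw is dead afterwards, and can check whether a target system still holds the secret it expects. Account names, principals and the initial password are constructed sample values.

```python
"""Toy credential vault modelling check-out, check-in, rotation and audit."""
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


class VaultError(Exception):
    """Raised when a check-out or check-in violates vault policy."""


@dataclass
class VaultedAccount:
    name: str                                   # e.g. "prod-db01/sa" (constructed sample name)
    secret: str                                 # the credential the vault currently controls
    checked_out_by: Optional[str] = None
    checkout_expires: Optional[datetime] = None
    history: List[str] = field(default_factory=list)   # SHA-256 of retired secrets


class CredentialVault:
    def __init__(self, authorised: Dict[str, Set[str]]) -> None:
        # principal -> vaulted accounts that principal may check out (a minimal policy)
        self._authorised = authorised
        self._accounts: Dict[str, VaultedAccount] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (when, who, action, account)

    def _log(self, who: str, action: str, account: str, when: Optional[datetime] = None) -> None:
        self.audit.append((when or datetime.now(timezone.utc), who, action, account))

    def _new_secret(self) -> str:
        return "".join(secrets.choice(ALPHABET) for _ in range(32))

    def onboard(self, account: str, current_secret: str) -> None:
        """Bring an existing account under management and rotate at once,
        so nobody outside the vault still knows a valid credential."""
        self._accounts[account] = VaultedAccount(account, current_secret)
        self._log("vault", "onboard", account)
        self.rotate(account, reason="onboard")

    def rotate(self, account: str, reason: str) -> None:
        acct = self._accounts[account]
        acct.history.append(hashlib.sha256(acct.secret.encode()).hexdigest())
        acct.secret = self._new_secret()   # a real vault also pushes the new value to the target
        self._log("vault", "rotate:" + reason, account)

    def checkout(self, principal: str, account: str, authenticated: bool,
                 ttl_minutes: int = 30, now: Optional[datetime] = None) -> str:
        """Hand the live credential to one principal for a bounded time.
        `authenticated` stands for the PAM front door: MFA for a human,
        an attested identity for an application."""
        now = now or datetime.now(timezone.utc)
        acct = self._accounts[account]
        if not authenticated:
            self._log(principal, "checkout-denied:unauthenticated", account, now)
            raise VaultError("principal not authenticated to the PAM system")
        if account not in self._authorised.get(principal, set()):
            self._log(principal, "checkout-denied:unauthorised", account, now)
            raise VaultError(f"{principal} may not check out {account}")
        if acct.checked_out_by and acct.checkout_expires and acct.checkout_expires > now:
            # exclusive check-out keeps every action attributable to one principal
            self._log(principal, "checkout-denied:in-use", account, now)
            raise VaultError(f"{account} is checked out by {acct.checked_out_by}")
        acct.checked_out_by = principal
        acct.checkout_expires = now + timedelta(minutes=ttl_minutes)
        self._log(principal, "checkout", account, now)
        return acct.secret

    def checkin(self, principal: str, account: str, now: Optional[datetime] = None) -> None:
        acct = self._accounts[account]
        if acct.checked_out_by != principal:
            raise VaultError(f"{account} is not checked out by {principal}")
        acct.checked_out_by = acct.checkout_expires = None
        self._log(principal, "checkin", account, now)
        self.rotate(account, reason="checkin")   # the value the principal saw is now useless

    def expire_checkouts(self, now: Optional[datetime] = None) -> List[str]:
        """Sweeper: force check-in (and rotation) of any check-out past its TTL."""
        now = now or datetime.now(timezone.utc)
        expired = [a.name for a in self._accounts.values()
                   if a.checked_out_by and a.checkout_expires and a.checkout_expires <= now]
        for name in expired:
            self.checkin(self._accounts[name].checked_out_by, name, now)
        return expired

    def reconcile(self, account: str, secret_on_target: str) -> bool:
        """Does the target system still hold the secret the vault thinks it holds?
        False means the password was changed outside the PAM system."""
        return secrets.compare_digest(self._accounts[account].secret, secret_on_target)
```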
Stepping back a bit, recognize that the first word in the term Privileged Access Management is the word ‘privileged’. A privileged account is one that has the ability to perform various types of configuration and operational activities – and these activities can vary quite a bit and can yield devastating consequences to enterprise systems, applications and networks if not tightly controlled. For instance, some privileged accounts, such as Windows Administrator, have more system rights than a ‘standard user’, as defined by Microsoft Windows. The Administrator type allows complete control, which means that the administrator can change settings globally, install applications, run elevated tasks, and do pretty much anything else on the server or workstation he or she is authenticated to.
On the other hand, the ‘standard user’ account type is more restrictive. Users with this type of account can work with applications, but they’re not allowed to install new applications. They can change settings, but only settings that won’t affect other accounts. If an application requires elevation of privileges, they’ll need administrative credentials to complete the task. This simple scenario highlights the ‘principle of least privilege’, which means “give the administrator or user only the capabilities needed to perform their job”. In the case of an end (standard) user as just described, the principle can be somewhat easy to apply – give them next to nothing in terms of admin privileges.
However, when looking at the multiple types of systems administrators (or sysadmins) that an enterprise typically has, the granularity required to appropriately apply the principle of least privilege can be quite daunting. What typically occurs, unfortunately, is that sysadmins of all types are granted, or acquire over time, much more administrative capability than they need to perform their day-to-day administrative duties. Call it ‘privilege sprawl’, which, much like data sprawl, can spiral out of control over the years and become increasingly difficult to properly rein in.
As a result, when it comes to effectively managing access to important resources and infrastructure, it is critically important to pay special attention to the accounts that have the most privileges, what can be done with those privileges, and who has access to those accounts.
A consistent set of well-thought out privileged access management (PAM) controls that are aligned to a comprehensive cybersecurity framework is an imperative, enabling the automation and enforcement of controls over privileged credentials in any system, platform, or environment. PAM also identifies all known exceptions that require special control implementation. This is particularly important considering the large number and dynamic nature of resources typically deployed in the cloud. Most of these cloud environments (e.g., AWS, Google, Azure) have powerful management consoles and APIs that can expand the available attack surface requiring protection and defense. Therefore, PAM solutions that provide comprehensive automated PAM capabilities are becoming an absolute necessity.
Functional Types of PAM
PAM isn’t one monolithic ‘thing’. It is a set of capabilities that are focused on the type of administrative functionality being acted upon. There are typically four functional types of PAM capabilities that constitute complete offerings. They are:
- System Administrator Privileged Management
- Privileged Session Management
- Application-to-Application Privileged Management
- Super User Privileged Management
Each functional category is briefly described below.
System Administrator Privileged Management
System Administrator Privileged Management (SAPM) is centered on managing and rotating passwords and access to them. This is the original PAM formula, which was established nearly two decades ago with CyberArk’s vault model. Many products also manage SSL/TLS keys, encryption keys, SSH keys, and/or other confidential data in their vaults. Some products also save password history to handle restoring from backups and continuously monitor the environment for password changes made outside the solution (reconciliation). Access to shared accounts often involves a request and approval workflow. An incontestable audit trail is typically kept of any access to passwords. Sometimes access may be configured to only be possible when there is an outstanding ticket in an IT Service Management (ITSM) system that explicitly requires access. Additional authentication may also be required before access is granted. Some highly critical systems may require an additional person to monitor the session. Break-glass or fire-call functionality may also be supported for emergency access.
Privileged Session Management
Privileged session management (PSM) involves establishing and monitoring sessions for multiple systems. It functions by authenticating users (e.g., using multi-factor authentication) and then providing user access to shared accounts. Shared accounts are potentially very dangerous and PSM attaches an individual user account, such as the user’s Active Directory account to a shared administrative account, monitors every action during the subsequent administrative session and removes the association between the user account and the shared account upon completion of the administrative task.
Application-to-Application Privileged Management
Application-to-Application Privileged management (AAPM) functionality refers to providing applications and scripts access to passwords stored in a password vault. This is basically used to eliminate hard-coded passwords stored in each application. Hard-coded passwords are generally very easy to guess due to minimal password complexity and the fact that they are likely never updated.
Super User Privileged Management
Super User Privileged Management (SUPM) is focused on “root” accounts (e.g., root is the superuser on Linux systems). Root / superuser accounts are most often used to make system configuration changes and can override user file protection. These are very powerful, often-human-associated privileged accounts that provide the basis for configuring almost everything deployed in the enterprise IT infrastructure, including in the cloud.
PAM from a Historical Perspective
Privileged access management tools became de rigueur in the early 2000’s, precipitated in large part by the advancement of regulations such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI/DSS), the Health Information Portability and Accountability Act (HIPAA) and similar regulations in light of the ‘dawn of the information age’. Regulations such as these armed auditors with specific guidelines for protecting information from theft or misuse. To be sure, the regulatory environment has since exploded over the past several years, most recently with the General Data Protection Regulation (GDPR) and California’s Consumer Protection Act (CCPA). These regulations are necessary to protect businesses and consumers from significant cyber threats, and policies and tooling to assist enterprises in marshaling information and network access rights with the level of granularity necessary to succeed is of extreme importance.
A startup company (at the time) named CyberArk Software was one of the first vendors to develop and sell a commercially available PAM solution back in 2003. It may be worth mentioning here that many PAM vendors have come and gone since that time frame, but CyberArk is still in business and going strong. Note that both IBM and Computer Associates (CA) were quick to follow suit in the early 2000s, and they, too, remain viable vendors for PAM solutions depending on the enterprise’s requirements. In fact, CyberArk’s PAM server/Enterprise Password Vault (EPV) ran on IBM WebSphere application servers in the early days.
In those ‘early days’, Lightweight Directory Access Protocol (LDAP) directories were seen as the logical place to ‘vault’ credentials. For example, at runtime, the privileged account management system would query the LDAP system to determine the existence of the system administrator, the administrator password and his or her LDAP group membership. The privileged account management system’s policy would then bind system administrators to privileged accounts by LDAP group membership. This was seen as beneficial because provisioning solutions could (and still can) provision accounts to an LDAP directory without requiring any explicit knowledge about the privileged account management system.
In this way, CyberArk’s EPV PAM solution would make authorization calls to the LDAP server for all system administrator activity. If the system administrator’s LDAP group membership changed during his or her employment, his access rights immediately changed. Similarly, if the system administrator’s user object is removed from the directory, the system administrator’s next attempt to access privileged systems would be denied.
But LDAP directories could only be secured to a point, and other forms of vaulting were desired. This led to the emergence of new technology vendors such as HashiCorp. In 2015, the company released its first version of HashiCorp Vault as a tool for securely accessing ‘secrets’, which it defined as anything that you want to tightly control access to, such as API keys, passwords, or certificates. The HashiCorp Vault provided a unified interface to any secret, while providing tight access control and recording a detailed audit log. In March of 2018, CyberArk acquired Vaultive, in an effort to bring their own vaulting technology into the cloud-first, DevOps mindset. In essence, LDAP directories are being replaced by more tightly coupled, highly secured ‘special-purpose’ database vaults.
It’s Getting Cloudy
This advancement of special-purpose, cloud-ready vault technology is better suited to enable automation and continuous integration/continuous development (CI/CD) use cases while enabling policy to codify, protect, and govern access to secrets. The vault can leverage many trusted identity providers, such as cloud IAM platforms, Active Directory, cloud automation platforms such as Kubernetes, and so forth to authenticate into the vault. Identity is abstracted and is scale independent, unlike IP addresses, which require complex firewall rules and frequent updates. Vaulting allows a service to request secrets for any system through a consistent, audited, and secured workflow.
Figure 1: HashiCorp’s Vault Solution
With this evolution of the vault model, HashiCorp Vault became the credential vaulting solution behind Amazon’s AWS/EC2 IaaS environment, as well as the chosen vaulting solution for emerging PAM vendors such as Saviynt.
Secondly, the early PAM solutions were focusing primarily on human administrators and left a lot of room for further development of application-to-application PAM. This began to change with CyberArk’s 2017 acquisition of Conjur, a solution developed to better secure DevOps environments. With Conjur, CyberArk’s PAM environment can reach deeper into the DevOps lifecycle to protect secrets and manage machine identities.
For instance, Conjur’s Kubernetes integration consists of TLS-connected ‘client and server’ plug-ins that add Kubernetes authentication capabilities. Conjur (with this plug-in installed) is the server side. The second piece of the integration is a sidecar container that is deployed alongside a user’s application. This sidecar container handles the authentication with Conjur on behalf of the application; it is the client. Using this type of methodology for cloud service automation extends application-based PAM functionality across enterprise IaaS infrastructures, which is a major step forward in bringing ‘service account’-type authentication into the highly monitored world of PAM.
Future State of PAM
In determining where PAM is going, vendors are increasingly describing their offerings in terms of Just in Time (JIT) PAM. JIT PAM means that system administrators – whether human or application functions – can be assigned privileges in near real time, using their existing end-user accounts or temporary accounts created for the purpose. JIT PAM limits the duration for which an account possesses elevated privileges and access rights, in that an appropriate privileged account is created and deleted only to meet that specific period’s mission objectives. The goal is to eliminate the risk surface of having privileged accounts that are “always on”.
In order to make this work, users typically request the access they need via a workflow process – such as ServiceNow or an existing IAM/IGA workflow process – and are quickly granted access or an access privilege level to an application or system. Privileged access may be granted for just a few minutes or several months, depending on the sensitivity level of the application or the organization’s governance requirements. In some cases, like developers who compile code, JIT PAM may be available all the time but use other methods for privilege elevation in order to avoid the risks of always-on accounts. In addition, special approvals and logic checks can be added when access to sensitive applications or systems is requested. When JIT PAM is combined with role-based or attribute-based access control policies (RBAC and ABAC, respectively), organizations can better ensure control and insight over every user’s systems access at any point in time. Coupling Multi-factor Authentication (MFA) with JIT PAM processes also adds a significant element of trust that the individuals requesting elevated privileged access are who they say they are, and with added contextual information such as device, geo-location, previous requests/approvals and so forth, an organization can better guard against multiple threat vectors.
Here’s how JIT PAM can work, as illustrated by BeyondTrust, one of the several vendors that is increasingly focused on this approach:
Figure 2: Example JIT PAM Process Diagram
In the JIT PAM process diagram illustrated above (courtesy of BeyondTrust), the journey begins with ‘triggers’ associated with workflow requests taken in context with other information including existing entitlements (e.g., RBAC, ABAC) associated with the user, MFA usage, etc. These triggers act as input to the programmatic ‘methods’ for assigning elevated privileges that include on-the-fly administrator account creation and deletion, assignment to privileged security groups, impersonation by means of attaching an existing user account to a privileged account and tokenization of the application to raise privileges on a local system. Policies are applied to the request and the actual session in order to monitor activity and ensure it falls within identified ranges. Once the privileged session is concluded, the entitlements are immediately removed. If administrative actions were attempted that fell outside the associated policies, session recording enables alerting and the escalation of remediation processes.
It bears mentioning that Microsoft is also heavily centered on JIT PAM, referring to it as Just Enough Administration (JEA). In on-premise and Azure-based (cloud) Microsoft environments, PAM is an instance of Privileged Identity Management (PIM) that is implemented using Microsoft Identity Manager (MIM). JEA is a Windows PowerShell toolkit that defines a set of commands for performing privileged activities. In JEA, an administrator decides that users with a certain privilege can perform a certain task. Every time an eligible user needs to perform that task, the administrator enables that permission via MIM workflow. The permissions are ephemeral (expire after a specified time period) so that a malicious user can’t steal the access. For example, a MIM policy can specify that if a specific user requests administrative privileges and is authenticated by MFA, the request is approved and a separate account for the user will be added to the privileged group in a bastion AD forest.
Assuming the request is approved, the MIM workflow communicates directly with the bastion forest Active Directory to put a user in a group. For example, when Joe requests to administer the HR database, the administrative account for Joe is added to the privileged group in the bastion AD forest within seconds. His administrative account’s membership in that group will expire after a time limit.
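The trigger, method, policy and removal stages described above, as an added, vendor-neutral illustration (not BeyondTrust, Microsoft MIM or JEA code): a request is checked against entitlement, MFA and an open ticket; a separate admin account is placed in the privileged group for a bounded time; commands in the session are filtered against the group’s allow-list with out-of-policy attempts raising alerts; and a sweeper removes expired memberships. User names, group names, ticket ids and commands are constructed sample values.

```python
"""Toy just-in-time (JIT) privilege broker: request -> time-boxed grant -> policy -> removal."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AccessRequest:
    requester: str        # everyday user identity, e.g. "joe" (constructed)
    group: str            # privileged group requested, e.g. "HR-DB-Admins"
    ticket: str           # change/incident ticket justifying the request
    mfa_verified: bool    # did the requester pass MFA for this request?
    minutes: int          # how long the requester asks for


@dataclass
class Grant:
    admin_account: str    # separate admin account, e.g. "joe-adm", never the everyday account
    group: str
    ticket: str
    expires: datetime
    commands: List[str] = field(default_factory=list)   # session record


class JitBroker:
    MAX_MINUTES = 240     # policy ceiling, whatever the requester asks for

    def __init__(self, eligible: Dict[str, Set[str]], allowed: Dict[str, Set[str]],
                 open_tickets: Set[str]) -> None:
        self.eligible = eligible           # RBAC: user -> groups they may ask for (trigger context)
        self.allowed = allowed             # group -> permitted commands (command filtering)
        self.open_tickets = open_tickets   # stand-in for an ITSM lookup
        self.members: Dict[str, Dict[str, Grant]] = {}   # group -> admin account -> grant
        self.audit: List[str] = []
        self.alerts: List[str] = []

    # 1. triggers: entitlement, MFA, ticket, bounded duration
    def request(self, req: AccessRequest, now: Optional[datetime] = None) -> Optional[Grant]:
        now = now or datetime.now(timezone.utc)
        reason = None
        if req.group not in self.eligible.get(req.requester, set()):
            reason = "not entitled to request this group"
        elif not req.mfa_verified:
            reason = "MFA not satisfied"
        elif req.ticket not in self.open_tickets:
            reason = "no open ticket"
        if reason:
            self.audit.append(f"DENY {req.requester} -> {req.group}: {reason}")
            return None
        # 2. method: time-boxed membership of a separate admin account in the privileged group
        ttl = timedelta(minutes=min(req.minutes, self.MAX_MINUTES))
        grant = Grant(f"{req.requester}-adm", req.group, req.ticket, now + ttl)
        self.members.setdefault(req.group, {})[grant.admin_account] = grant
        self.audit.append(f"GRANT {grant.admin_account} in {req.group} "
                          f"until {grant.expires.isoformat()} ({req.ticket})")
        return grant

    def is_member(self, group: str, admin_account: str) -> bool:
        return admin_account in self.members.get(group, {})

    # 3. policy applied to the live session
    def run(self, grant: Grant, command: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        if now >= grant.expires or not self.is_member(grant.group, grant.admin_account):
            self.audit.append(f"DENY {grant.admin_account}: grant expired")
            return False
        if command not in self.allowed.get(grant.group, set()):
            # out-of-policy action: recorded and raised as an alert for escalation
            self.alerts.append(f"{grant.admin_account} attempted '{command}' "
                               f"outside {grant.group} policy ({grant.ticket})")
            return False
        grant.commands.append(command)
        self.audit.append(f"RUN {grant.admin_account}: {command}")
        return True

    # 4. removal: entitlements disappear when the window closes
    def sweep(self, now: Optional[datetime] = None) -> List[str]:
        """Remove every expired membership; returns the admin accounts removed."""
        now = now or datetime.now(timezone.utc)
        removed: List[str] = []
        for group, grants in self.members.items():
            for admin_account, grant in list(grants.items()):
                if now >= grant.expires:
                    del grants[admin_account]
                    removed.append(admin_account)
                    self.audit.append(f"REVOKE {admin_account} from {group}")
        return removed
```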
These examples show where vendors and the industry are moving. It is a significant departure from the password vault model in place for the past two decades and affords a more IAM and workflow-integrated approach that may make PAM much easier to deploy at an enterprise-wide level that is increasingly cloud-centric.
PAM Deployment Best Practices
With this general background of PAM’s evolution, current approaches and emerging trends, we’ll now focus on typical features that your enterprise should be considering as you embark on your PAM journey for the first time – or look to improve your current security posture by making some marked PAM improvements. These features are critical to the deployment of your PAM solutions and can also be factored into your PAM vendor evaluations. To this end, TechVision Research provides the following list of features and functions we feel are necessary for a successful PAM deployment.
Key Requirements for PAM Deployment
- Tools to discover, map and visualize privileged accounts in multiple systems, applications and devices, whether on-premise or cloud-based SaaS or IaaS.
- Auto-discovery of new hosts, VMs and apps in the enterprise cloud.
- Management of cloud-based administration accounts on:
  - Hypervisor/cloud management platform (CMP)/IaaS
  - Guest OSs
  - Cloud-resident applications
- Restricting access to the hypervisor/CMP/IaaS management console
- A secured, hardened and highly available vault for storing credentials and secrets. The vault should encompass tools that automatically randomize, rotate and manage credentials for system, administrative, service, database, device and application accounts – both on-prem and in the cloud.
- AAPM integration tools that dynamically bind credentials to applications in order to eliminate static clear-text credentials in configuration files or scripts.
- User interfaces and underlying workflows to manage the end-to-end process of requesting access and receiving privileged credentials.
- Support for role-based administration, including centralized policy management for controlling access to credentials and privileged actions.
- Command filtering to instantiate the policy of least privilege by restricting administrative functions to only those that are required for a specific task.
- Restrict operations that allow the instantiation, deletion, starting, stopping and copying of VM images and other cloud-delivered services.
- Capability to allow a privileged session to be automatically established using protocols like SSH, RDP or HTTPS without revealing credentials to the user.
- Capability to fully record and review sessions and manage active sessions by allowing them to be monitored or terminated.
- Analytics and reporting on privileged accounts and their use.
  - Session recording.
  - Audit reports.
- Multifactor authentication (MFA), including biometrics support.
Discovering Privileged Accounts
As we have discussed, privileged accounts exist in four areas, principally:
- System Administrator Privileged Management (SAPM)
- Privileged session management (PSM)
- Application-to-Application Privileged Management (AAPM)
- Super User Privileged Management (SUPM)
With these types of privileged accounts often used across the entire enterprise IT ecosystem, it becomes exceedingly important to identify where these accounts exist, for what purposes they are used and to whom (or to what) each privileged account is assigned. An important facet of PAM deployment, therefore, is to first “discover” existing privileged accounts in use across the enterprise. This can be a daunting task, as privileged account proliferation over the many years of deployment can render a complete accounting of all service accounts – in all four categories – quite formidable.
A great place to start this process of privileged account identification is through Privileged Account Discovery tools. Discovery tools are intended to assist the PAM deployment team in locating privileged accounts across the enterprise by automating their discovery. A good discovery tool can eliminate – or greatly reduce – the time and effort needed to manually audit every system, device and application in the organization and then determine what rights each administrative account has, and what services and/or tasks the account is associated with. Automating the discovery of privileged accounts avoids digging through every system administrator’s personal spreadsheet or text file containing the usernames and passwords for his or her often multiple administrative accounts.
Using an automated tool that can scan the systems and directories on the enterprise network and identify all of the privileged accounts can provide substantial savings in time and effort – not to mention providing a much higher level of accuracy by eliminating the need to manually query individuals and rely on their historical documentation. Additionally, the discovery tool can and should become a mainstay in the PAM topology, to better ensure ongoing discovery and proper handling of new privileged accounts that may continue to crop up.
For example, a free automated discovery tool within Thycotic’s Secret Server PAM solution allows an administrator to funnel newly discovered accounts into workflows that will also automatically assign roles and permissions to the teams that should have access, as well as applying necessary policies and configuration requirements to these Windows and Unix administrative accounts (https://thycotic.com/solutions/free-it-tools/).
Similarly, CyberArk’s Discover and Audit download is a free assessment tool intended to help discover privileged accounts, privileged passwords, SSH keys and Pass-the-Hash vulnerabilities on the enterprise network (https://cyberark.wistia.com/medias/pvboagjjtp). Another leading vendor, BeyondTrust, provides a free scanning tool centered on Windows privileged accounts, such as AD accounts, local accounts and service accounts within an enterprise’s Windows environment (https://www.beyondtrust.com/tools/discovery).
Saviynt, a market leader in Identity Governance and Administration (IGA), has greatly expanded its focus on enterprises’ cloud environments – namely Amazon Web Services (AWS), Microsoft Azure and Google Cloud. The Saviynt Security Manager solution is a cloud-based SaaS solution itself (running on AWS) and provides discovery capabilities for both cloud-centric and on-premise privileged accounts as a foundation for its IGA functionality.
In addition to PAM discovery and IGA tools, enterprises can leverage information garnered from other security solutions that may already be in place, such as Data Loss Prevention (DLP). For instance, Symantec’s Cloud Detection Service provides the capability for enterprise security teams to discover instances of sensitive data in the cloud and on-premise. While not a PAM discovery tool in and of itself, this information can be used to triage information regarding owners of sensitive information in the cloud or on-prem who hold the administrative privileges required to manage this information. The more information an enterprise has about where its data ‘lives’ and who put it there/manages it, the more educated and refined the process of PAM deployment can become.
Don’t Skimp on Authentication
With the rapid adoption of more convenient mobile phone-based multi-factor authentication (MFA) technologies that include biometrics, PAM solutions for human administrators (SAPM and SUPM) generally support (if not require) MFA out-of-the-box – a very good practice, to be sure.
Architectural Principles
Now that we’ve described PAM, key trends, major vendor directions and key requirements, we can focus on major architectural principles enterprises should be considering as they develop their PAM programs. Privileged account management (PAM) technologies help organizations protect critical assets and meet compliance requirements by securing, managing and monitoring privileged accounts and access. PAM tools offer one or more of these important features:
- Providing secured, centralized and automated management of passwords for administrative, service and application accounts, as well as enforcement of password policies.
- Abstracting actual service/system passwords using time-limited/one-time use and role-constrained tokens.
- Controlling access to shared accounts.
- Managing and monitoring privileged sessions, commands and actions in real-time through over-the-shoulder surveillance, recording them and allowing them to be audited.
- Controlling and filtering commands or actions an administrator can execute.
- Providing capabilities to govern and administrate administrative access.
- Maintaining a comprehensive view of privileged accounts and their usage in the IT environment through dashboards and reporting.
- Integrating with existing IT service management (ITSM) systems and change management workflows for tighter control of administrative access.
With these principles as a backdrop, let’s view the TechVision IAM Reference Architecture with our MFA glasses on. The TechVision Research Reference Architecture for IAM is the starting point: a master template, shown in Figure 3, below, identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, which can then be refined over time.
It is important that your PAM program fits within this overarching architectural context. This high-level template starts the journey:
Figure 3: IAM/MFA Master Template
The capabilities illustrated above are described at the highest level as:
Interact – how end-users and application developers interact with the IAM platform. In the case of PAM, this will involve a variety of diverse people and technology interactions.
Access – the rules that define the roles, rights, and obligations of any actor wishing to access enterprise or connected external assets.
Change – the capability to define and manage the relationships between the user/ application developer and the enterprise assets.
Manage – the capabilities required to manage and upgrade the IAM solution itself.
Measure – the capabilities required to audit and improve IAM activities.
Store – the capabilities required to share identity information and relationships between the components of the IAM solution.
The Reference Architecture’s second level is depicted in Figure 4, below.
Figure 4 – Second Level: What Capabilities Need to be in the IAM Portfolio?
As discussions progress into deeper levels of discovery, this master template organizes discussions beginning with the high-level interfaces associated with both end-user and application developer IAM service consumption. From either of these perspectives, organizations can navigate deeper into the runtime functionality requirements for:
- Access (e.g., authentication, authorization, federation, privileged access, etc.). The authentication and authorization interfaces are where PAM interacts.
- Identity lifecycle management (e.g., joiner/mover/leaver, change orchestration, and governance). PAM must be configured for various roles and functions within the organization through identity lifecycle management interfaces.
- IAM infrastructure administration, including PAM configuration and administration.
- IAM data management and reporting. PAM solutions provide various types of reports recounting admin user interaction, session recording, suspicious activity, performance and reliability statistics and so forth.
Once the required capabilities are identified, the next layer of the TechVision Research Reference Architecture for IAM allows us to explore each of the specific technology or process elements comprising each capability in the form of a combined portfolio architecture, as illustrated in Figure 5, below.
Figure 5 – Third Level: Elements of the Combined Portfolio Architecture
Time of Access Operations rely on Time of Change Operations, such as identity lifecycle management (identity registration, access provisioning, workflow approvals) and identity orchestration (identity correlation, synchronization, transformation) to provide contextual information about users and their current state, permissions, and entitlements. For example, an authorization system may implement the policy that an administrator user must authenticate via PAM to be granted administrative access to specific applications or services.
TechVision Privileged Access Management Pattern
Privileged Access Management is a Time of Access operation, and typically answers questions such as, “How critical is this operation? Do I need to watch you more closely because this is a sensitive operation?” The TechVision IAM Reference Architecture’s Privileged Access Management service pattern responsible for both answering these questions and providing the security foundation for these high-risk use cases is shown in Figure 6 below.
Figure 6 – SAPM, SUPM and PSM Privileged Access Management Service Pattern
There are several components involved in the PAM system access operation and the above figure gives you a perspective on how they fit together. The key components and a functional description of each capability are summarized below:
- Password Vault
  - This component is the persistent storage repository used to randomize and manage administrative passwords and credentials
- Agent Based PAM
  - Like many agent-based technology approaches, PAM agents are co-resident with protected servers and used to lock down/harden the servers
  - Agent-based approaches, favored by some vendors, are considered to provide tighter control over server processes than –
- Proxy Based PAM
  - Typical of most proxy-based technology approaches, a PAM proxy or ‘jump-box server’ can be used to control access to privileged accounts by controlling the session
  - Proxies or jump-boxes facilitate session isolation, session recording and command filtering
  - Proxy-based PAM was the original approach to PAM and is still widely used today
The policies maintained in the PAM control server dynamically evaluate the risk of a given operation based on current environmental factors and filter access to operations if the risk level exceeds the accepted threshold. This is an area that leverages the increasing availability of both analytics and tools for using these analytics to support dynamic policies and real-time decisions.
PAM solutions often work hand in hand with the underlying directory, such as Active Directory, to provide authentication and the required levels of identity assurance through multi-factor authentication mechanisms. Some PAM offerings may natively provide these authentication/MFA features, but it is important to recognize that this is a combination of the authentication pattern and the PAM pattern.
As we have been discussing, PAM is not restricted to use by human administrators, but in fact is very useful in protecting information assets from service accounts, as illustrated in Figure 7, below:
Figure 7 – Application to Application Privileged Management (AAPM) Service Pattern
This pattern supports the use case in which an application programmatically checks out the service account credentials from the PAM service, eliminating the need for setting up hard coded credentials for the service account and guaranteeing that the service account credentials are continuously recycled. This is the flexibility enterprises should aspire towards in architecting their future-state PAM and IAM solutions.
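The AAPM check-out/check-in pattern above, as an added example (Python written here, not code from the report or any PAM vendor): a constructed in-process PAM vault that onboards a discovered service account, randomizes its password, issues time-limited leases only to applications the policy allows, audits every request, and rotates the password on check-in so the copy the application held no longer works. The target system, the account `svc_reporting` and the application names are all constructed.

```python
# Added example, not code from the TechVision report or any PAM vendor: a
# minimal in-process model of the AAPM check-out / check-in pattern. The
# vault, target system, account and application names are all constructed.
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable


class TargetSystem:
    """Constructed stand-in for a database or service the service account logs into."""

    def __init__(self) -> None:
        self._passwords: dict[str, str] = {}

    def set_password(self, account: str, password: str) -> None:
        self._passwords[account] = password

    def login(self, account: str, password: str) -> bool:
        # constant-time compare so even this toy does not leak by timing
        return secrets.compare_digest(self._passwords.get(account, ""), password)


@dataclass
class Lease:
    lease_id: str
    account: str
    secret: str
    expires_at: float


@dataclass
class PamVault:
    """Hypothetical PAM service: keeps service-account passwords, hands them
    out to authorized applications under time-limited leases, and rotates a
    password on every check-in so the copy the application held is dead."""

    target: TargetSystem
    ttl_seconds: float = 300.0
    clock: Callable[[], float] = time.time      # injectable for testing expiry
    _secrets: dict[str, str] = field(default_factory=dict)
    _policy: dict[str, set[str]] = field(default_factory=dict)   # account -> allowed apps
    _leases: dict[str, Lease] = field(default_factory=dict)
    audit: list[tuple[str, str, str]] = field(default_factory=list)

    def onboard(self, account: str, allowed_apps: set[str]) -> None:
        """Take a discovered account under management and randomize it at once."""
        self._policy[account] = set(allowed_apps)
        self._rotate(account)

    def _rotate(self, account: str) -> None:
        alphabet = string.ascii_letters + string.digits
        new_secret = "".join(secrets.choice(alphabet) for _ in range(32))
        self.target.set_password(account, new_secret)   # push to the managed system
        self._secrets[account] = new_secret
        self.audit.append(("rotate", account, "-"))

    def checkout(self, app_id: str, account: str) -> Lease:
        """Policy check first; denied requests are audited as well as granted ones."""
        if app_id not in self._policy.get(account, set()):
            self.audit.append(("deny", account, app_id))
            raise PermissionError(f"{app_id} may not check out {account}")
        lease = Lease(secrets.token_hex(8), account, self._secrets[account],
                      self.clock() + self.ttl_seconds)
        self._leases[lease.lease_id] = lease
        self.audit.append(("checkout", account, app_id))
        return lease

    def is_valid(self, lease: Lease) -> bool:
        return lease.lease_id in self._leases and self.clock() < lease.expires_at

    def checkin(self, lease: Lease) -> None:
        self._leases.pop(lease.lease_id, None)
        self._rotate(lease.account)   # one-time use: the returned secret is now useless


# Before: the hard-coded credential the pattern removes (constructed value).
def report_job_hardcoded(target: TargetSystem) -> bool:
    return target.login("svc_reporting", "Summer2019!")


# After: the application checks the credential out only for the duration of its work.
def report_job_with_pam(vault: PamVault, target: TargetSystem) -> bool:
    lease = vault.checkout("reporting-app", "svc_reporting")
    try:
        if not vault.is_valid(lease):
            return False
        return target.login(lease.account, lease.secret)
    finally:
        vault.checkin(lease)


if __name__ == "__main__":
    db = TargetSystem()
    db.set_password("svc_reporting", "Summer2019!")      # legacy state before PAM
    pam = PamVault(target=db)
    pam.onboard("svc_reporting", {"reporting-app"})
    print("hard-coded login after onboarding:", report_job_hardcoded(db))   # False
    print("PAM check-out login:", report_job_with_pam(pam, db))            # True
    for entry in pam.audit:
        print(entry)
```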
The overall PAM environment should be viewed as the gatekeeper to privileged operations. Enterprises need to determine the prioritization of what would be considered privileged operations that would require additional measures to protect, control and track over what would be considered less risky administrative operations where the additional measures are not warranted.
The PAM Access Management Service Patterns can be customized to represent the specific needs within every enterprise, but these service patterns can be a starting point as exemplified in Figure 8, below.
Figure 8 – PAM Service Protecting Privileged Access to Key Enterprise Infrastructure
For example, Figure 8 above illustrates the PAM service front-ending administrator access to key (typical) enterprise environments, such as HR (e.g., Workday), Customer data (e.g., SAP), Active Directory, Virtual Directory, Enterprise LDAP, federation services and so forth. The key for this pattern is to illustrate the applications and services that are to be protected by the PAM service. Note that these can be on-premise services, cloud-based services or hybrid environments.
Thus far we have discussed the nature of privileged access management, its various approaches and anticipated market trends. We’ll now take a look at how these patterns and approaches are being supported today by the leading PAM vendors.
Leading PAM Solution Overview
As we have written, a great deal of investment and time has gone into developing many of the PAM solutions available on the market today. These investments reflect the increasing enterprise focus on protecting those environments that are of the greatest risk and can do the most damage if compromised. While technical approaches to PAM vary and vendors often focus on certain approaches, such as agent-based PAM, proxy-based solutions or the use of special-purpose vaults, there are many viable PAM solutions. As usual, what might be an excellent fit for one customer environment may be overly risky or complex for another. With that background, TechVision feels that the following vendors are good candidates to put on your PAM short-list:
- CyberArk
- Saviynt
- BeyondTrust
- Thycotic
- Microsoft
- One Identity
- Micro Focus
- Centrify
- Okta
Given the increased use of cloud platforms within the enterprise, we’ll also briefly discuss the limited, but expanding privileged management capabilities enabled by Google Cloud Platform and Amazon Web Services.
CyberArk
CyberArk is a publicly traded information security company offering Privileged Account Security. As of May 2019, CyberArk had over 4,600 customers, including more than 50 percent of the Fortune 500 and more than 30 percent of the Global 2000. CyberArk is headquartered in Israel, with U.S. headquarters located in Newton, Massachusetts. We provided some information about CyberArk earlier in this report given their history and traditional leadership position in this space. To recap, CyberArk was an early pioneer in the PAM market, with their Enterprise Password Vault (EPV) being first introduced in 2003. Since then, they have become the pre-eminent purveyor of PAM worldwide.
Their existing product suite is called the CyberArk Core Privileged Access Security Solution (try saying that ten times really fast) which can be deployed across on-premises, cloud, and hybrid infrastructure. The solution delivers risk-based credential protection and session management to detect and prevent attacks involving privileged access. It is the foundational layer upon which every privileged access program should be established, with multi-layered security built-in to mitigate the risk of advanced attacks. This is a well thought out and mature solution.
Figure 9 – CyberArk Core Privileged Access Security
Some key features of the CyberArk Core Privileged Access Security solution include:
- Discovery – the solution can run continuous discovery for privileged accounts and credentials that are created across on-premises, cloud or hybrid environments. Once discovered, privileged accounts can be automatically on-boarded and credentials rotated.
- Policy management – the CyberArk solution centrally manages privileged access and credentials based on administratively defined security policies. Automated credential (password and SSH key) rotation is fully supported.
- Session management – the solution can isolate and record privileged sessions and store this information in the encrypted CyberArk vault. Credentials are never exposed to the end user or client.
- Monitoring and reporting – Core Privileged Access Security can detect, alert, and respond to anomalous privileged activity by collecting data from multiple sources and applying a combination of statistical and deterministic algorithms to identify malicious privileged access activity.
- Super User access management – the solution can control least privilege access for *NIX and Windows while allowing privileged users to run authorized administrative commands from their native Unix or Linux sessions and eliminating unneeded root privileges.
- Protect Windows domain controllers. The solution enforces least privilege and application control on the domain controllers as well as provides in-progress and potential attack detection.
CyberArk’s Endpoint Privilege Manager (EPM) enforces granular least privilege policies for IT administrators and segregation of duties on Windows servers. The EPM solution also delivers application controls designed to manage and control which applications are permitted to run on endpoints and servers.
The CyberArk Application Access Manager is an AAPM tool that can be used to provide and manage the credentials that commercial off-the-shelf (COTS) and internally developed applications, tools and solutions require. Application Access Manager manages the required AAPM credentials in the CyberArk Vault. (CyberArk offers a sizeable eco-system of validated COTS integrations for securing privileged access.)
The CyberArk AAPM solution also manages secrets and credentials used by DevOps and PaaS tools, and containers. The solution integrates with a wide range of DevOps tools such as Ansible, Jenkins, Puppet; PaaS/Container orchestration platforms such as Red Hat OpenShift, Pivotal Cloud Foundry, and Kubernetes, whether running on-premises, hybrid or on multiple cloud platforms. The solution also integrates with CyberArk’s Enterprise Password Vault to provide a single enterprise-wide platform for securing privileged access. As discussed earlier, CyberArk offers an open source version of Application Access Manager as Conjur Open Source (www.conjur.org). Application Access Manager also integrates with existing Active Directory, LDAP, and SIEM systems.
The CyberArk Privilege Cloud is an as-a-service solution that provides a path to securely store, rotate and isolate credentials and monitor sessions. CyberArk offers this solution with subscription-based pricing that can scale as needed.
Figure 10 – CyberArk Privilege Cloud Architecture
The Privilege Cloud solution is intended to protect, control, and monitor privileged access across on-premises, cloud, and hybrid infrastructures. The features associated with the Core PAM solution outlined above are deployed in a secure public cloud environment for feature parity. The offering is hosted on AWS and comes pre-configured to be consistent with ‘best practice security recommendations’ that are intended to help its customers reduce the time to deploy successfully.
Saviynt
Saviynt, based in El Segundo, CA, has become a very strong player in the Identity Governance and Administration (IGA) space over the past several years. In fact, the company is a new, re-branded version of early IGA innovator Vaau, which was acquired by Sun Microsystems in 2007 – which was itself acquired by Oracle in 2009. The long-standing pedigree in the IGA space enabled Saviynt to gain leadership status in the IGA market, on par with SailPoint.
Regarding PAM, Saviynt has been embarking on a cloud-first strategy to offer effective privileged access management for cloud applications and services, whether SaaS or IaaS. Figure 11 below illustrates a summarization of their Cloud PAM solution.
Figure 11: Saviynt Cloud PAM
Though this report focuses on PAM, we’ll start by looking at Saviynt’s IGA platform, which is a FedRAMP Authority-to-Operate (ATO) approved IGA service and uses intelligent analytics to provide peer-group based insights giving context for how users access data. PAM and IGA have a lot of synergy and Saviynt is looking to better integrate these offerings. The use of analytics can help with the challenge of account provisioning and deprovisioning by providing more granularity around access control, supporting multi-level workflow approvals, identifying potential segregation of duties violations – and triggering preventive actions. This level of granular inspection helps both with continuous monitoring, especially for higher risk system and data administration – and with discovery and remediation of privileged access.
By extending Saviynt’s IGA platform with its nascent Cloud PAM solution – just announced in June 2019, its customers can better mitigate risks associated with privileged access in the cloud. Saviynt’s Cloud PAM solution works inside the customer’s internal cloud to attach rights and privileges to identities so that it can streamline their governance. Rather than creating additional user accounts for privileged access that need to be monitored, Saviynt’s Cloud PAM solution enables administrators to assign timebound permissions to identities and then provides alerts to help remediate risks.
Saviynt’s Cloud PAM solution is the first to converge traditional PAM with IGA for certain business-critical hybrid-cloud enterprise applications such as Enterprise Resource Planning (ERP) systems (e.g., SAP/HANA, Oracle, Workday, Cerner, Epic) and Customer Relationship Management (CRM) systems such as SalesForce, SAP Business Suite and Oracle eBusiness Suite. Saviynt provides approximately 300 risk and governance policies for SaaS / IaaS and enterprise applications out-of-the-box, which can be further augmented with native integration with SIEM / UEBA providers. TechVision views this level of integration between PAM and IGA as a significant capability in terms of providing enterprises with a much more comprehensive view of ‘who has access to what’ – and why.
Saviynt developed its credential vault on HashiCorp’s Vault, an open source and for-fee commercial vault solution that controls access to secrets and encryption keys by authenticating against trusted sources of identity such as Active Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms. Integrated with Saviynt’s IGA and PAM solutions, Vault enables fine-grained authorization of which users and applications are permitted access to secrets and keys.
BeyondTrust
BeyondTrust is a U.S.-based company that develops, markets, and supports a family of privileged identity management (PAM), privileged remote access, and vulnerability management products for UNIX, Linux, Windows and Mac OS operating systems.
BeyondTrust was founded in 2006 and provided Least Privilege Management software for the Microsoft Windows OS, before UNIX vendor Symark acquired the company in 2009. In 2018, the company was acquired by Bomgar, a developer of remote support and PAM software. In both cases, BeyondTrust was adopted/retained as the new company name. BeyondTrust claims over 20,000 customers of its PAM solutions. Given that the company has been providing these solutions for over 13 years, this level of adoption puts them on relatively stable customer footing.
BeyondTrust’s PAM product line consists of three principal components:
- Password Safe
- Endpoint Privilege Management
- Privileged Remote Access
Figure 12: BeyondTrust’s PAM Portfolio
BeyondTrust Password Safe unifies privileged password and privileged session management, providing secure discovery, management, auditing, and monitoring for any privileged credential. Password Safe:
- Enables removal of hard-coded passwords from applications and scripts
- Provides an extensible REST interface that supports many languages, including C/C++, Perl, .NET, and Java
- Ensures that passwords can be automatically reset upon release
- Enforces controls to lock down access to only authorized applications
- Enables the dynamic assignment of just-in-time privileges via the Advanced Workflow Control engine.
- Supports SSH key management:
  - Stores private keys like any other privileged credential
  - Automatically rotates SSH keys according to a defined schedule
  - Allows designated ‘secondary’ accounts and SSH keys to be grouped to a ‘primary’ account to manage rotation interval, complexity and duration of SSH keys
  - Enforces granular access control and workflow
  - Alerts when a key is released
  - Automatically logs users onto Unix or Linux systems through the proxy with no user exposure
  - Records every privileged session with full playback and key usage auditing
  - Offers failover to a managed password for complete redundancy
  - Allows SSH sessions to be easily established via existing desktop tools without having to initiate with a web interface
- Leverages a distributed network discovery engine to scan, identify and profile all assets, including web, cloud, mobile or virtual. Dynamic categorization of all assets and accounts can enable auto-onboarding, and the ability for access policies to self-adjust according to environmental changes.
- Supports privileged session management using standard desktop tools such as PuTTY and Microsoft Terminal Services Client. Administrators can:
  - Request RDP/SSH access to authorized systems only
  - Start sessions instantly, or via workflow
  - View any active privileged session, and if required, pause or terminate the session
  - Use keystroke indexing and full text search to pinpoint data, and then log an acknowledgement of the review for audit purposes
  - Avoid Java – Password Safe is a client-less solution with no agents required on the server
  - Fully integrate with native tools (MSTSC, PuTTY, MobaXterm etc.)
  - Gain full video recording with 100% accountability
- Supports threat analytics through audit and reporting, enabling customers to:
  - Aggregate user and asset data to baseline and track behavior
  - Correlate asset, user and threat activity to reveal critical risks
  - Identify potential malware threats buried in asset activity data
  - Generate reports to inform and align security decisions
BeyondTrust Endpoint Privilege Management enforces least privilege and eliminates local administrative rights on Windows, Mac, Unix, Linux, and network devices.
BeyondTrust Privileged Remote Access provides visibility and control over third-party vendor access, as well as internal remote access, enabling organizations to extend access to important assets to vendors who typically provide systems support – but without compromising security. Privileged Remote Access provides a platform for enterprises to secure, manage, and audit vendor and internal remote privileged access without a VPN.
Thycotic
Washington, DC-based Thycotic has gained a solid reputation for itself over the past several years. Its flagship product, Secret Server, provides a web-based, encrypted repository for IT administrators to store sensitive system-level passwords and actively enforce password security policies. Users can auto-generate complex passwords for privileged and shared accounts, as well as automatically rotate passwords over time. Discovery, service account management and session recording capabilities provide requisite accountability.
Organizations use Secret Server to securely store, distribute and manage privileged access data such as server passwords, router passwords and service accounts in a central, web-based password vault. In addition to Secret Server, the company also offers Password Reset Server, an end-user password reset tool, and Group Management Server, a self-service Active Directory (AD) management tool that enables IT administrators to delegate AD group membership to appropriate employees. Thycotic’s PAM architecture is illustrated below.
Figure 13: Thycotic’s PAM Architecture Overview
The centerpiece is the Thycotic Secret Server, which can run on-premise and in an IaaS cloud platform and has the following key features and functions:
- Vault – Sets granular permissions, users, and structure to map to your organization.
- Discovery – Identify all service, application, administrator, and root accounts to curb privilege sprawl.
- Secrets management – Provision, deprovision, ensure password complexity, and rotate credentials.
- Access delegation – Implement role-based access control, workflow for access requests, and approvals for third parties.
- Session management – Implement session launching, proxies, monitoring, and recording capabilities.
- DevOps security – Remove hardcoded passwords and secure privileged accounts within your software development lifecycle.
- Unix support – Implement Unix command whitelisting and SSH Key Management.
The Thycotic Privilege Manager component enforces least privilege and application control designed to scale to thousands of endpoints. Key Privilege Manager functions:
- Agent deployment – Agents continuously discover endpoints, applications, and processes tied to privileges on domain and non-domain accounts.
- Implement Least Privilege Policy – Removes excess privileges and permanently controls which accounts are members of local groups, including administrators, and controls credentials of accounts in these groups.
- Define Policies – Create granular application control policies for whitelisting, blacklisting, and grey-listing applications based on advanced threat intelligence.
- Elevate Applications – Approve applications that require admin privileges to execute with policy-driven controls that consider endpoint, location, user, and process requested.
The Privileged Behavior Analytics component can generate automated alerts and enforce controls that discover and contain a privileged account breach. With Privileged Behavior Analytics, customers can better understand typical behavior patterns for privileged accounts in order to quickly detect anomalies. Privileged account actions can be viewed and monitored in custom dashboards, which can identify and confirm suspicious activity and alert incident response teams.
Thycotic’s Secret Server SDK for DevOps provides added PAM security in application development. Customers can protect code by removing hardcoded passwords and provide unique accounts and credentials to containers and services. The SDK is intended to help customers avoid using insecure repositories where secrets can be hijacked and exploited.
One Identity
In 2012, Dell Inc. bought Quest Software as part of its plan for fleshing out a software division for the hardware giant. However, this strategy changed following the bold move of acquiring EMC for $67 billion. Dell then sold the Quest and SonicWall divisions to equity firms Francisco Partners and Elliott Management in 2016. In late 2016, the newly reformed Quest formed One Identity as a wholly owned subsidiary of Quest. Similar to Saviynt, One Identity has a rather strong background in IGA and IAM that helps enable a more well-rounded approach to identity governance and PAM. One Identity’s PAM solution set is illustrated below.
Figure 14: One Identity’s PAM Solution Overview
Key features of One Identity’s PAM solution include:
- Automates and controls the process of granting privileged credentials with full session recording. Privileged access is granted based on established policies with appropriate approvals.
- Session data is captured, indexed, and stored in tamper-proof audit trails that can be viewed like a video and searched like a database.
- Safeguard for Privileged Analytics (an add-on) tracks and graphically represents user activity in real-time for a view of what is happening in the IT environment. This solution removes the need for pre-defined correlation rules, as it works with existing session data. Safeguard for Privileged Analytics creates a baseline of ‘normal’ behavior via data collected from your IT environment.
- Supports a least-privilege security approach with granular delegation of administrative access on UNIX and Windows servers and desktops.
- Removes the stand-alone authentication and authorization requirement of native UNIX in favor of a potentially more secure single-identity/point-of-management functionality available through AD for Microsoft Windows systems. Using the One Identity AD bridge solution (another add-on), enterprises can extend the unified authentication and authorization of Microsoft Active Directory (AD) to UNIX, Linux and Mac systems.
- Extends the governance capabilities of unified policy, automated and business-driven attestation, enterprise provisioning, and access request and fulfillment to privileged accounts and administrator access. This can simplify privileged governance by enabling organizations to define roles and associated policies, access approval workflows and perform periodic attestation of privileged access.
- Integrates two-factor authentication for an added layer of security. One Identity offers both on-premises and SaaS-based two-factor authentication solutions.
Micro Focus
U.K.-based Micro Focus provides a core IAM suite with several optional add-ons, such as IGA and PAM. These solutions largely resulted from the Micro Focus acquisition of Attachmate/NetIQ in 2014 and are based on an offering initially developed by Novell, which is now being updated at an accelerated pace. Micro Focus’ NetIQ Privileged Account Manager delegates administrative access using centralized policies. Key features for their PAM solution follow:
- Password checkout for cloud services: secure and share administrative credentials for cloud service providers such as AWS and OpenStack.
- X11 Protocol support – records and monitors sessions carried out within an X Session.
- Secured password vaulting – the solution includes an Enterprise Credential Vault, or an encrypted password “vault,” that provides secure storage of system, application and database passwords.
- Database encryption – the credential vault is a secure embedded database with two levels of encryption. The passwords are encrypted with AES 256-bit keys, and the database is encrypted with a separate AES 256-bit key.
- LDAP Credential Vault – leverage existing LDAP directories, including Active Directory, as a secure credential vault.
- Advanced authentication for privileged accounts – enterprises can create a more layered defense for sensitive assets and resources with multi-factor authentication, step-up authentication, and smartcard support.
- Database privileged account monitoring.
- Securely delegate privileged account authority across database, application and cloud environments.
- Single sign-on to Linux and UNIX servers – authorized users can access servers without entering additional credentials or complex commands.
- Secure remote desktop proxy – the solution creates a secure Remote Desktop Protocol (RDP) tunnel to the target Windows host, without exposing the administrative password to the user.
- AD and LDAP authentication – supports authentication against both Active Directory and LDAP identity stores—including NetIQ/Novell eDirectory—for accessing Windows servers.
- Secure remote privileged command execution – allows administrators to execute privileged commands on a UNIX host from a Windows desktop, without requiring users to start an SSH session from the Windows desktop.
- Single configurable port – all agent traffic is encrypted and directed through a single port for easy product configuration and deployment in multi-firewall environments.
- Auto discovery of privileged accounts – helps identify privileged accounts across Windows, Unix, Linux, and Active Directory.
- Simplified agent deployment and management – leverages third party software deployment solutions to deploy and manage agents where required.
- Web-based console – the solution is managed via a web-based console which can be accessed via intranet and extranet zones. The interface includes a command control console that enables the configuration of all privileged user management policies.
- Task-based wizards and drag-and-drop interface – a GUI-based, drag-and-drop interface helps simplify the rule-creation process and virtually eliminates the need for complex, manual scripting.
- Windows credential vaulting and group/policy enforcement – Windows administrative passwords are stored in a credential vault that resides within Command Control, from which Windows group and policy rules are enforced.
- Reusable script and command libraries – the solution includes sample libraries of policy objects that can be simply dragged and dropped to build security rules.
- Hierarchical rule structure – rules can be visually constructed without scripting then dragged and dropped to create rule hierarchies that determine the processing order.
- Failover and load balancing – host agents can be visually configured in hierarchical domain structures that automatically determine load-balancing and failover between components.
- Risk-based privileged session control – risk-analysis tools record and play back user activity—down to the keystroke level. Through the tool enterprises can define high-risk activity controls and enforce them with automatic session termination or access revocation.
- Privileged analytics – risk analysis engine examines user activity in real time and applies color-coded security risk ratings to help detect and address threats faster.
- Real-time keystroke logging – keystroke logs are updated in real time throughout the duration of a user’s session on any UNIX, Linux or Windows host.
- UNIX, Linux and Windows session playback – playback recorded user-session keystrokes in an intuitive interface that is indexed and highly searchable.
- Windows auditing service – the Windows audit service enables administrators to view real-time and historical user activity performed on local or remote Windows hosts. Audited activity includes all actions performed during a privileged session.
- Automatic data filtering for continuous compliance – enterprises can create pre-defined rules to pull events from audit log files using comprehensive filters and schedules.
- Automatic notifications – users can be automatically emailed a daily summary of events awaiting approval.
- Indelible audit record – all auditor activity is indelibly recorded on the event record, including the viewing of keystroke log activity, status changes and any notes recorded during the analysis.
- Workflows – for events that require further analysis, a workflow process escalates events to the appropriate reviewers—either by sending an email notification or flagging the event in the compliance auditor console.
- FTP auditing – enterprises can add an additional layer of security to FTP transactions by using the replacement daemon for fully audited and authenticated FTP transactions.
- Drop-in UNIX/Linux shell replacement – privileged commands can be executed on demand with a ‘usrun’ statement, or the user’s shell can be replaced to provide command authentication and/or total session auditing.
- ACL restrictions – helps to determine which records individual auditors are allowed to view and prevent users from authorizing their own activity.
Centrify
Santa Clara, CA-based Centrify was founded in 2004. At the time, the company was among the first to integrate UNIX and Linux hosts into Active Directory, a major step forward in bringing AD-based authentication and policy to those two important platforms. In 2018, Centrify spun off its IDaaS business as a standalone company named Idaptive. Centrify is redefining the legacy approach to Privileged Access Management by delivering what it calls “cloud ready” Zero Trust Privilege. Centrify Zero Trust Privilege focuses on granting least-privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. Centrify’s migration from legacy PAM to Cloud Ready Zero Trust Privilege is illustrated below.
Figure 15: Centrify’s Cloud-Ready Zero Trust Privilege
Key features of Centrify’s solution include:
- Discovery tools to automatically discover systems and service accounts for subsequent management.
- Enables enforcement of centralized control over who can access credentials and audit administrator activity — including securing third-party access.
- Automation tools to support shared account password management for super user and service accounts.
- Single location for emergency access to super user passwords for all on-premises and cloud-based systems and network infrastructure.
- Step-up authentication and secure access to infrastructure without knowing privileged account passwords.
- Secure storage of encrypted privileged account credentials in Centrify Privileged Access Service or a key management appliance on-premises (or in the cloud).
- Password vaulting to enable authorized IT administrators, whether internal or outsourced, and third-party vendors to check out passwords for shared accounts, including service, application and database accounts for a limited duration. Password rotation is also supported.
- Authorized users can access resources using shared accounts without knowing the passwords and Centrify will not expose the passwords. IT admins can use shared accounts without encountering the risk of password sharing or unauthorized access.
- Users can initiate RDP and SSH sessions directly from their local Windows systems for privileged access that maintains the same level of security and control for privileged sessions with monitoring, session termination and multi-factor authentication (MFA).
- Anomalous behavior can be detected by enforcing risk-aware policies for users who initiate a privileged session or check out a password. Centrify combines the computed risk level with role-based access control (RBAC), user context and multi-factor authentication (MFA) to decide whether to grant or block privileged access. Dynamically enforced policies either grant access, prompt for a second authentication factor, or block access completely.
- Emergency access to privileged account passwords may be obtained from mobile devices enrolled in the Centrify Zero Trust Privilege Services. Secured password checkout requires a PIN or fingerprint validation. Checkout automatically times out based on per-resource policy.
Okta
Founded in 2009 by a team of former Salesforce executives, Okta is a cloud-based identity and access management platform built on Amazon AWS. Okta was one of the first IAM solutions built ‘in the cloud’ from the ground up, rather than a cloud-instantiated on-premises solution suite. Its solution has gained a good deal of traction with enterprise customers over the past five years, as more and more companies look to migrate much of their IT infrastructure – including IAM – to the cloud. Okta’s Active Directory synchronization tool provides the primary mechanism for integrating on-premises identity information with Okta’s Universal Directory (cloud directory). The integration between customers’ AD infrastructure and Okta provides SSO to the enterprise applications ‘front-ended’ by Okta, including a broad range of SaaS applications like Workday, Salesforce, etc.
In April 2019, Okta announced the launch of Okta Advanced Server Access, which brings access management to cloud infrastructure. Via the Okta Identity Cloud, customers can manage privileged access to on-premises Windows and Linux servers as well as servers running at IaaS providers including Amazon Web Services, Google Cloud Platform, and Microsoft Azure. This centralizes privileged access controls to better mitigate the risk of credential theft, reuse, sprawl, and abandoned administrative accounts. Advanced Server Access uses an ephemeral client certificate architecture: a short-lived certificate is issued for each authorized login, replacing the static SSH keys that would otherwise accumulate on servers.
Figure 16: Okta’s Advanced Server Access
As shown in Figure 16 above, Okta’s Advanced Server Access is geared toward both administrator (human user) and service account (service user) integration. Advanced Server Access supports SSH and RDP access to Windows and Linux servers, whether on-premises or in the cloud. The solution further offers:
- Okta as the single source of truth for local server user and group accounts.
- Automated provisioning & deprovisioning of local accounts.
- Single-Sign On for SSH & RDP workflows.
- Command filtering through the ability to inject contextual access controls in line with server authorization.
- Monitoring and auditing of all privileged logins, providing a record of who accessed what server from which device and when – exposed via Dashboard or exported to a SIEM.
Advanced Server Access uses a lightweight approach to PAM integration: a Server Agent is installed on enterprise servers via bash or PowerShell commands, typically driven from the enterprise’s automation tooling such as Ansible, Chef, Puppet or Terraform.
Okta enables lifecycle management of local server group accounts via its Universal Directory, as shown below.
Figure 17: Okta Universal Directory Group Management
Using the Okta Universal Directory, groups that are assigned to Advanced Server Access are provisioned to the downstream application via SCIM (System for Cross-domain Identity Management). Group membership is then reflected on the downstream servers, and local users are created when they are assigned to an Okta Project. Any change in groups or group membership is picked up automatically and reflected on the servers immediately.
Okta’s supported operating systems for Advanced Server Access are currently:
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Ubuntu >= 12.04
- Amazon Linux
- Red Hat Enterprise Linux >= 6
- CentOS >= 6
- Debian Stable
- FreeBSD
Microsoft
Microsoft has not historically been a vendor in the PAM market. In fact, the company doesn’t really call it PAM, but Privileged Identity Management (PIM) coupled with Just Enough Administration (JEA). Azure Active Directory (Azure AD) PIM is a service that lets organizations manage, control, and monitor access to resources such as Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or Microsoft Intune. Some of the key features of PIM include:
- Provides just-in-time privileged access to Azure AD and Azure resources
- Assigns time-bound access to resources using start and end dates
- Requires approval to activate privileged roles
- Enforces multi-factor authentication to activate any role
- Uses justification to understand why users activate
- Gets notifications when privileged roles are activated
- Conducts access reviews to ensure users still need roles
- Downloads audit history for internal or external audit
- Pairs with Just-in-Time VM Access (an Azure Security Center feature), which lets organizations deny persistent access while providing controlled, time-limited access to Azure VMs when needed
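Several of the features listed above (just-in-time activation, time-bound access, justification, MFA and approval on activation) come together in a single role activation request. The script below is an added example, not Microsoft’s or TechVision’s code; it assumes the AzureADPreview PowerShell module current at the time of this report, that the signed-in user is already eligible for the role, and that the role name and the incident reference in the justification are placeholders.

```powershell
# Added example: request time-bound activation of an eligible Azure AD role via PIM.
# Assumes the AzureADPreview module; role name and justification are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

# For directory roles, PIM's ResourceId is the tenant itself.
$tenantId = (Get-AzureADTenantDetail).ObjectId
$me       = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# Look up the directory role definition to activate.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object DisplayName -eq 'Exchange Administrator'

# Time-bound: a single two-hour window starting now (UTC, as PIM expects).
$fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString($fmt)
$schedule.EndDateTime   = (Get-Date).AddHours(2).ToUniversalTime().ToString($fmt)

# Submit the activation request with a justification. PIM enforces MFA and, if the
# role settings require it, holds the request for an approver before it takes effect.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' `
    -ResourceId $tenantId -RoleDefinitionId $role.Id -SubjectId $me.ObjectId `
    -Type 'UserAdd' -AssignmentState 'Active' -Schedule $schedule `
    -Reason 'INC-0000 (placeholder): mailbox migration, 2h window'

# Verify: active assignments for this user should all carry an EndDateTime.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$($me.ObjectId)' and assignmentState eq 'Active'" |
    Select-Object RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime
```

The final query is the check a reviewer wants: any active assignment without an end date is a standing privilege that escaped the just-in-time model and should be converted to an eligible assignment.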
For just-in-time access across Azure and Microsoft Online Services such as Azure AD and Office 365, PIM is implemented in the cloud service Azure AD PIM. For just-in-time access to resources in on-premises environments, PIM is implemented using Microsoft Identity Manager (MIM) and Active Directory. JEA provides finer-grained, command-level authorization on Windows and Windows Server.
JEA is a Windows PowerShell security feature that constrains a remoting endpoint to a defined set of commands for performing privileged activities. In JEA, an administrator decides that users in a certain group can perform a certain task, and the session runs under a temporary virtual account, so users never hold the underlying administrator credentials. MIM PAM handles time-bound elevation: every time an eligible user needs elevated rights, the user requests them and a MIM workflow grants them for a specified time period, after which they expire, so that a compromised account does not retain standing access. For example, a MIM policy can specify that if a specific user requests administrative privileges and is authenticated by MFA, the request is approved and a separate account for the user is added to the privileged group in a bastion AD forest.
Assuming the request is approved, the MIM workflow communicates directly with the bastion forest Active Directory to put a user in a group. For example, when Joe requests to administer the HR database, the administrative account for Joe is added to the privileged group in the bastion AD forest within seconds. His administrative account’s membership in that group will expire after a time limit.
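To make the two halves concrete, the following is an added example and not Microsoft’s or TechVision’s code. It builds a JEA endpoint on a hypothetical SQL host (HRDB01) so that members of an assumed AD group (CONTOSO\HR-DBA-Operators) can restart only the SQL Server services, with every session transcribed, and then shows the request a user would make where elevation is instead brokered by MIM PAM through the bastion forest. Host, group and role names are assumptions; the JEA cmdlets ship with Windows PowerShell 5.1, and the last three lines assume the MIMPAM client module.

```powershell
# Added example; not Microsoft's or TechVision's code. Run elevated on the target
# host (HRDB01, hypothetical). Group and role names are assumptions.

# 1. Role capability: the ONLY commands members may run inside the endpoint.
#    .psrc files must sit in a RoleCapabilities folder of a module on $env:PSModulePath.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HRDbOps'
New-Item -Path (Join-Path $module 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'HRDbOps.psd1')
$visible = @(
    'Get-Service'
    # Restart-Service is exposed, but -Name is pinned to the two SQL services.
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'MSSQLSERVER', 'SQLSERVERAGENT' } }
)
New-PSRoleCapabilityFile -Path (Join-Path $module 'RoleCapabilities\HRDbaOperator.psrc') `
    -VisibleCmdlets $visible -Description 'Restart SQL Server services only'

# 2. Session configuration: maps the AD group to that role, runs as a temporary
#    virtual account (admin on this host only, no reusable credential), and
#    transcribes every session so privileged activity is recorded.
$pssc = Join-Path $env:TEMP 'HRDbOps.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HR-DBA-Operators' = @{ RoleCapabilities = 'HRDbaOperator' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }

# 3. Register the endpoint (WinRM is restarted) and remove the working file.
Register-PSSessionConfiguration -Name 'HRDbOps' -Path $pssc -Force | Out-Null
Remove-Item $pssc

# 4. An operator connects only to the constrained endpoint; anything outside the
#    role capability is simply absent from the session:
#      Enter-PSSession -ComputerName HRDB01 -ConfigurationName HRDbOps
#      Restart-Service -Name MSSQLSERVER   # allowed
#      Restart-Service -Name Spooler       # rejected by the ValidateSet

# 5. Where elevation is brokered by MIM PAM instead, the user requests the PAM role
#    and the workflow adds their bastion-forest account to the privileged group for
#    the requested TTL (in seconds). Assumes the MIMPAM client module.
Import-Module MIMPAM
$pamRole = Get-PAMRoleForRequest | Where-Object DisplayName -eq 'HR-DB-Admins'
New-PAMRequest -Role $pamRole -Justification 'Quarterly HR DB maintenance' -RequestedTTL 3600
```

The two mechanisms are complementary: MIM PAM decides for how long a person holds a privileged group membership, while JEA decides which commands that person (or anyone else) can run once connected, so a stolen session yields only the whitelisted commands rather than an interactive administrator shell.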
For organizations that are mostly – if not completely – deployed on Microsoft on-premises and Azure infrastructure, TechVision recommends considering PIM and JEA deployment. The mantra stays the same whether you are “all Microsoft” or the more common “mixed bag”: protect your information assets better by thoughtfully deploying PAM. For more complex or multi-cloud enterprise infrastructures, we recommend deploying a leading PAM solution not only to augment PIM/JEA functionality if and where needed, but to extend PAM security across the entire cloud-based ecosystem.
Google
Google Cloud Platform (GCP) offers Cloud Identity & Access Management (Cloud IAM), which lets administrators authorize who can take action on specific GCP resources and maintain central control and visibility over those resources. Cloud IAM supports access to cloud resources at fine-grained levels, beyond project-level access. GCP administrators can create more granular access control policies based on attributes like device security status, IP address, resource type, and date/time. A full audit trail of permission grants, removals and delegations is captured and retained automatically.
While not a PAM solution by any stretch, Google Cloud IAM is the environment where administrators and end users of GCP resources are provisioned and granted access privileges. This is key to PAM deployments within enterprises that are GCP IaaS customers – PAM connectors and agents should integrate with GCP Cloud IAM so that GCP administrator functions can be securely managed whether using the SAPM, SUPM or AAPM methods.
Amazon
Amazon Web Services (AWS) promotes a “Shared Responsibility Model” for cloud security: AWS is responsible for security of the cloud (the facilities, hardware and the infrastructure running its managed services), while the customer is responsible for security in the cloud (identities, access configuration, data and guest operating systems). Amazon introduced Lambda, its serverless compute service, in 2014, and it has become a common way to automate the administration of AWS resources such as EC2 instances. In AWS, Lambda runs customers’ code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging. Amazon’s Shared Responsibility Model is illustrated below.
Figure 18: Amazon AWS Shared Responsibility Model
Amazon states that when using AWS Lambda, you (the customer) are responsible only for your code. AWS Lambda manages the compute fleet that offers a balance of memory, CPU, network, and other resources. The trade-off is flexibility: customer administrators cannot log in to compute instances or customize the operating system or language runtime. These constraints enable AWS Lambda to perform operational and administrative activities on the customer’s behalf, including provisioning capacity, monitoring fleet health, applying security patches, deploying code, and monitoring and logging Lambda functions.
AWS Lambda creates a distinct access risk since services, not people, trigger its activities. Organizations often use Lambda to run administrative and operational processes, such as patch updates, that require privileged access to systems and networks. A function runs with whatever permissions its IAM execution role grants, so that role is in effect a privileged service account, and Lambda’s automation connects to applications and infrastructure without a human in the loop. That said, AWS is much like Google Cloud Platform – YOU are responsible for privileged access management. Most of the leading vendors in the PAM marketplace are cognizant of this and are focusing on continued extension and expansion of their PAM solutions to better secure infrastructures deployed on IaaS and SaaS cloud platforms.
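As an added example (not AWS’s or TechVision’s code) of treating a Lambda execution role as the privileged service account it is, the AWS Tools for PowerShell script below creates a role that can only run the AWS-RunPatchBaseline Systems Manager document against instances tagged PatchGroup=web-tier, read back the results, and write its own logs. The role, policy, log-group and tag names are assumptions; the script needs the AWS.Tools.IdentityManagement module and an authenticated profile with IAM rights.

```powershell
# Added example: least-privilege execution role for a patching Lambda function.
# Requires AWS Tools for PowerShell (AWS.Tools.IdentityManagement). Names are hypothetical.

# Trust policy: only the Lambda service may assume the role.
$trust = @'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "Service": "lambda.amazonaws.com" },
                   "Action": "sts:AssumeRole" } ] }
'@

# Permission policy: one document, one tag-scoped set of instances, own log group.
# No ec2:* , no ssm:SendCommand on arbitrary documents, no "Resource": "*" on writes.
$permissions = @'
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "OnlyThePatchDocument",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ssm:*::document/AWS-RunPatchBaseline" },
    { "Sid": "OnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ssm:SendCommand",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/PatchGroup": "web-tier" } } },
    { "Sid": "ReadBackResults",
      "Effect": "Allow",
      "Action": [ "ssm:GetCommandInvocation", "ssm:ListCommandInvocations" ],
      "Resource": "*" },
    { "Sid": "FunctionLogsOnly",
      "Effect": "Allow",
      "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/patch-runner:*" }
  ] }
'@

$role = New-IAMRole -RoleName 'PatchRunnerRole' -AssumeRolePolicyDocument $trust `
                    -Description 'Execution role for the patch-runner Lambda (scoped)'
Write-IAMRolePolicy -RoleName $role.RoleName -PolicyName 'PatchRunnerScoped' -PolicyDocument $permissions

# Review check: print the stored (URL-encoded) policy back in readable form so the
# role can be attested like any other privileged account.
$stored = Get-IAMRolePolicy -RoleName $role.RoleName -PolicyName 'PatchRunnerScoped'
[System.Uri]::UnescapeDataString($stored.PolicyDocument)
```

The point for a PAM program is the last step: the function’s role should appear in the same inventory and periodic attestation as human privileged accounts, and a policy that drifts toward `"Action": "ssm:*"` or `"Resource": "*"` is the non-human equivalent of a standing superuser login.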
Recommendations
This report covered a number of topics centered on Privileged Access Management. We looked at business drivers (why you need it), solution evolution, common approaches and architectural patterns. We summarize our findings with the following key recommendations for PAM deployment consideration:
- Establish Governance for Privileged Accounts. For most of our customers, TechVision recommends an aggressive program to manage privileged accounts. Many of our customers have PAM programs underway and at various rates of efficacy, and we often recommend these existing programs continue to expand. In some scenarios (many actually), only SAPM has been deployed and only to a smaller number of higher risk systems – which is good, of course. But for a program to be effective, the risk lens needs to continue to expand – always in search of the ‘weakest link’. This means AAPM should rise in priority for many organizations, as service accounts tend to be widely unmanaged – and in many cases, unknown entities.
Each of these categories encompasses the range of environments where privileged accounts exist – in on-premises software packages, virtual appliances, configuration and administration of hardware, cloud-based infrastructure, and cloud-based services.
- Deploy and Integrate with IGA. IGA tools are critical for governing, monitoring and auditing ‘who has access to what’. This question is of particular importance when focusing on key, high-risk systems or environments. A good IGA tool can help identify and isolate privileged accounts in all four categories (SAPM, SUPM, PSM, AAPM) and, just as importantly, continuously monitor these accounts and privileges. Linking PAM with IGA is the best method for increasing your visibility and remediation ability across the full spectrum of on-premises and cloud environments.
- Secure Cloud Environments. Enterprises should continue to develop clear policy and standards of good practice requiring controls on the granting and use of administrative privilege for all in-house and cloud-based IT systems and applications. The policy guidelines should address privilege assignment, revocation and change, login credential management, and session management, setting minimum requirements for low-, medium- and high-risk levels. These practices will require some degree of collaboration with outsourced service providers, particularly those responsible for managing the enterprise’s core IT infrastructure.
- It is generally recommended that all PAM-related policies be approved by the IAM governance body, the CISO, and the CIO to ensure top down buy-in. Compliance with these policies should also be phased in globally, as appropriate, but never at the expense of significant risk exposure. As such, the planning process for phasing PAM in must be closely aligned with the affected IT systems or application road map and architecture strategy. Standard, policy-compliant operating procedures for PAM must be tightly aligned with the relevant IT and application administration operational teams, including strategic outsourced service providers.
- Raise Awareness. A critical success factor for the adoption of PAM is the vigilance of a PAM Program Manager with strong people skills and experience with complex project management. Be advised that the Program Manager role may need to be augmented by a subject matter expert with specific expertise in the selected solution(s). Enterprises should acknowledge that “marketing” PAM can be a challenge even in the most collaborative environments; the necessary operational changes may cause some push-back from outsourced service providers. Adequate training and awareness will be necessary to achieve the needed buy-in from administrators and stakeholders.
- Reduce the number of users with (permanent, full) superuser privileges to the minimum that is consistent with operational and business needs. Minimize the use of shared privileged accounts, too.
- Limit the scope across the infrastructure of any system administrator’s superuser privileges to what is consistent with business and operational needs.
- Restrict and time-limit the privileges for each privileged account. Set up discrete privileged and unprivileged accounts for each system administrator. If administrators’ accounts have permanent superuser privileges, it is recommended that they have alternate accounts for day-to-day use, while their superuser accounts should have severely restricted Internet access.
- Use risk-appropriate authentication methods, such as MFA for privileged accounts. Superuser privileges that are assigned to personal accounts (e.g., JIT PAM) should be protected with risk-appropriate authentication methods such as MFA, as well.
- Stop using shared passwords. Sharing passwords, even among approved users, severely limits the possibility of personal accountability that is a security best practice and demanded by regulatory compliance.
- Enable default administrator, root and similar accounts only in exceptional circumstances. The account must remain available when needed, but if it is in day-to-day use there is no guarantee that its current password will be known to, or retrievable by, whoever needs it in an emergency. Use a SUPM tool to manage it reliably and securely.
- Set up custom “fire call” or “break glass” accounts for emergency purposes.
- Monitor and reconcile all privileged account activity. As in other areas of IAM and information security, logging, monitoring, reporting and analysis of privileged account activity are essential detective and corrective controls.
It is worth noting that more than one PAM tool may be required for different aspects of the IT infrastructure. Generally, the leading PAM solutions tend to be relatively equal with respect to functionality for Windows and *NIX operating systems. However, fit-for-purpose solutions augmented by manual practices may be required for networking infrastructure, security infrastructure, and any other special-purpose components within the enterprise IT landscape. While a single PAM solution is ideal, enterprises should not hesitate to select multiple products should requirements, constraints, or dependencies dictate – especially when considering multiple-cloud environment integration.
We hope you have found this report useful. TechVision Research feels that PAM is one of the more critical elements of an enterprise security posture. Hackers and thieves want your privileged account access rights because that is the way to your data – whether in your data center or in the cloud. No matter how far along you are (or aren’t) in PAM deployment, don’t delay moving the needle forward. If you’re a ways behind, don’t boil the ocean – start with the highest-risk environments. If you’re pretty far along, keep it up by adding the right features that will improve your cloud security, DevOps and automation capabilities. There are very good tools on the market. There is no excuse for doing nothing.
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.
While leading consulting at Burton Group for 10 years and security and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.
He was President of Burton Group from 1999 to 2010, the leading technology infrastructure research and consulting firm. Mr. Rowe grew Burton to over $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President at Gartner.