What, Why and How: PAM (Privileged Access Management)

PAM - Privileged Access Management

  1. What is PAM?
  2. Why is PAM Important?
  3. How do PAM systems work?
  4. Benefits of PAM
  5. How is IAM different from PAM?

1. What is PAM?
  • It refers to a system that securely manages the accounts of users who have elevated permissions to critical corporate resources. These may be human administrators, devices, applications and other types of users.
  • Privileged user accounts are high-value targets for cyber criminals. That's because they have elevated permissions in systems, allowing them to access highly confidential information and make administrative-level changes to mission-critical applications and systems.
  • PAM is also sometimes referred to as Privileged Account Management or Privileged Session Management (PSM).
  • PSM is actually a component of a good PAM system.

2. Why is PAM Important?
  • Privileged accounts exist everywhere. There are many types of privileged accounts, and they can exist on-premises and in the cloud.
  • They differ from other accounts in that they have elevated levels of permission, such as the ability to change settings for large groups of users. Also, multiple people often have access to a specific privileged account, at least on a temporary basis.
  • For example, the root account on a Unix machine is a form of privileged account. An account owner for AWS is another form of privileged account. A corporate account for the official company Twitter profile is yet another form.
  • Privileged accounts present a serious risk. Cyber criminals are more interested in stealing credentials for privileged accounts than for any other type of account. Thus, they present a challenge for IT departments.

3. How do PAM systems work?
  • A PAM administrator uses the PAM portal to define the methods used to access privileged accounts across various applications and enterprise resources.
  • The credentials of privileged accounts (such as their passwords) are stored in a special-purpose, highly secure password vault.
  • The PAM administrator also uses the PAM portal to define the policies of who can assume access to these privileged accounts and under what conditions.
  • Privileged users log in through PAM and request, or immediately assume, access to the privileged user account. This access is logged and remains temporary, granted exclusively for the performance of specific tasks.
  • To ensure security, the PAM user is usually asked to provide a business justification for using the account. Sometimes manager approval is required as well.
  • Often the user is not given the actual password used to log in to the application; instead, access is provided through the PAM.
  • Additionally, the PAM ensures that passwords are changed frequently, often automatically, either at regular intervals or after each use.
  • The PAM administrator can monitor user activities through the PAM portal and even manage live sessions in real time, if needed.
  • Modern PAMs also use machine learning to identify anomalies, and use risk scoring to alert PAM administrators in real time about risky operations.
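The checkout flow described above, as an added example that is not part of the original post and does not model any particular PAM product: a small in-memory broker with a vault, a per-account policy (entitled groups, time limit, justification, approval, rotate-after-use), an append-only audit trail, and a proxy step that uses the vaulted secret without ever returning it to the user. The account name, groups, policy fields and ticket numbers are constructed for illustration.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    """Who may assume a vaulted account and under what conditions (constructed fields)."""
    allowed_groups: set
    ttl: timedelta                      # how long a checkout stays valid
    require_justification: bool = True
    require_approval: bool = False
    rotate_after_use: bool = True


@dataclass
class Session:
    user: str
    account: str
    expires_at: datetime
    justification: str


class PamBroker:
    """In-memory stand-in for the vault, policy engine and session proxy of a PAM product."""

    def __init__(self):
        self._vault = {}        # account -> current secret; never handed to users
        self._policies = {}     # account -> Policy
        self._sessions = {}     # session id -> Session
        self.audit_log = []     # append-only audit trail (list of event dicts)

    def _audit(self, event, **fields):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    @staticmethod
    def _new_secret(length=32):
        return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

    def onboard_account(self, account, policy):
        """Vault the account under a freshly generated secret, retiring the password admins used to know."""
        self._vault[account] = self._new_secret()
        self._policies[account] = policy
        self._audit("onboard", account=account)

    def secret_fingerprint(self, account):
        """Hash prefix used as rotation evidence for auditors; the secret itself stays in the vault."""
        return hashlib.sha256(self._vault[account].encode()).hexdigest()[:16]

    def checkout(self, user, groups, account, justification="", approved=False, now=None):
        """Request access under the account's policy; returns a session id, never the secret."""
        now = now or datetime.now(timezone.utc)
        policy = self._policies.get(account)
        if policy is None:
            raise PermissionError("unknown account")
        for failed, reason in ((not set(groups) & policy.allowed_groups, "not entitled"),
                               (policy.require_justification and not justification.strip(), "no justification"),
                               (policy.require_approval and not approved, "approval missing")):
            if failed:
                self._audit("deny", user=user, account=account, reason=reason)
                raise PermissionError(reason)
        sid = secrets.token_hex(8)
        self._sessions[sid] = Session(user, account, now + policy.ttl, justification)
        self._audit("checkout", user=user, account=account, session=sid, justification=justification)
        return sid

    def connect(self, sid, now=None):
        """Open the session on the user's behalf; the proxy consumes the vaulted secret, the user never sees it."""
        now = now or datetime.now(timezone.utc)
        s = self._sessions.get(sid)
        if s is None or now >= s.expires_at:
            self._audit("deny", session=sid, reason="expired or unknown session")
            raise PermissionError("session expired or unknown")
        _credential = self._vault[s.account]    # used by the proxy only
        self._audit("connect", user=s.user, account=s.account, session=sid)
        return f"{s.user} connected to {s.account}"

    def checkin(self, sid):
        """End the session and rotate the secret so anything captured during use is worthless afterwards."""
        s = self._sessions.pop(sid)
        if self._policies[s.account].rotate_after_use:
            self._vault[s.account] = self._new_secret()
            self._audit("rotate", account=s.account)
        self._audit("checkin", user=s.user, account=s.account, session=sid)


def _raises(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo():
    """One checkout/connect/checkin cycle, then three policy violations; returns what happened."""
    broker = PamBroker()
    broker.onboard_account("root@db01", Policy(allowed_groups={"dba"}, ttl=timedelta(hours=1)))
    before = broker.secret_fingerprint("root@db01")
    sid = broker.checkout("alice", ["dba"], "root@db01", justification="INC-1234 restore backup")
    broker.connect(sid)
    broker.checkin(sid)
    result = {"rotated": broker.secret_fingerprint("root@db01") != before}
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)            # time-bound access: TTL elapsed
    sid = broker.checkout("alice", ["dba"], "root@db01", justification="INC-1235", now=t0)
    result["expired_rejected"] = _raises(lambda: broker.connect(sid, now=t0 + timedelta(hours=2)))
    result["no_justification_rejected"] = _raises(lambda: broker.checkout("alice", ["dba"], "root@db01"))
    result["not_entitled_rejected"] = _raises(lambda: broker.checkout("mallory", ["helpdesk"], "root@db01", "x"))
    result["events"] = [e["event"] for e in broker.audit_log]
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only artefacts a user ever holds are a session id and an audit record; the vault entry changes on check-in, so a credential observed during the session does not survive it. A real product would additionally encrypt the vault at rest and write the audit trail to tamper-evident storage.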

4. Benefits of PAM
  • Increased security is the obvious benefit of implementing a PAM system. Additional benefits include:
  • Protection against cyber criminals (outside and inside the organization)
  • Managing, monitoring and controlling privileged users, accesses and accounts
  • Improved visibility and control
  • Prevention of internal fraud
  • Improved governance, risk and compliance

Security Risks:
1) Most common cloud misconfiguration - over-permissioned accounts and roles
2) Lack of consistency across cloud environments - a unified approach to IAM is needed across public and private cloud infrastructure and on-premises environments
3) 


Important Cloud Security Considerations:
1) Inventory all the identities - check and keep user identity details up to date. Gatekeeper feeds from the various systems and applications can be reviewed by each application owner.
2) Understand all the entitlements
3) Role Based Access Control (RBAC)


High level PAM system design:




Overview of PAM:
Any organization has the following datacenter components and sets of devices:
1. Servers
2. Network elements
3. DB servers
4. Applications
5. Storage devices
6. Cloud infrastructure

There are admins who manage the above assets in the customer's enterprise environment and access them from different locations.
Methods of access could be RDP, SSH, a browser, or thick clients (TOAD, SQL Developer, Checkpoint or any other tool on Windows).

Typical challenges in this type of environment:
1. Where are the passwords stored?
We have to give admins the root and admin credentials to log in to these systems.
  • Generally the admin's password is easy to guess
  • Passwords are mostly the same across systems and devices
  • They are not rotated frequently
  • They are known to specific admins and can be misused
2. Where are the logs of the systems?
If admins have root access, logs can be altered or deleted, so it is difficult to trace what happened.

3. Audit issues
An auditor will ask basic questions: where are the passwords, how are you storing them, how are you rotating them and at what frequency, how are you vaulting them?

4. Regulatory compliance issues
If there are no proper answers to the above, it leads to compliance issues under PCI, ISO 27001 or any other standard worldwide.

5. Visibility and control
What kind of visibility and control do you have in this environment? Who is doing what, who is logging in, and for what purpose?

6. Internal fraud
Most fraud is committed by insiders, and quite often they compromised the password or shared it on purpose.

7. Cloud infrastructure and security
You want to know what type of activity is being performed in the cloud. Access should be time-based.

8. Vendor management
How are you managing external resources or teams who have access to your infrastructure?

9. GRC (Governance, Risk and Compliance)
How are you managing GRC in your organization? Enterprises have dedicated risk managers who focus only on mitigating risk.
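Challenges 2 and 5 above come down to one question: can you tell which privileged logins went through PAM and which did not? The following is an added example, not from the original post, of that reconciliation: it parses successful sshd logins from a constructed log excerpt and checks each one against constructed PAM session records. A login counts as explained only if a PAM session for the same host and account was open at that moment and the connection came from the PAM proxy address. The hostnames, IP addresses, usernames, ticket ids and the proxy address are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample data (not from any real system): successful sshd logins on two
# hosts, and the PAM product's session records for the same morning.
SSHD_LOG = """\
2024-03-04T09:01:12Z db01 sshd[2231]: Accepted publickey for root from 10.20.0.7 port 51234 ssh2
2024-03-04T09:05:00Z db01 sshd[2290]: Accepted password for root from 10.20.0.9 port 40100 ssh2
2024-03-04T09:40:03Z db01 sshd[2410]: Accepted password for root from 10.20.0.9 port 40122 ssh2
2024-03-04T10:15:44Z web02 sshd[918]: Accepted publickey for deploy from 10.20.0.7 port 51300 ssh2
2024-03-04T11:02:05Z web02 sshd[1020]: Accepted password for root from 198.51.100.23 port 60001 ssh2
"""

PAM_PROXY_IPS = {"10.20.0.7"}   # assumed address of the PAM jump/proxy host

PAM_SESSIONS = [
    {"user": "alice", "target": "db01", "account": "root",
     "start": "2024-03-04T09:00:00Z", "end": "2024-03-04T09:30:00Z", "reason": "INC-1234"},
    {"user": "bob", "target": "web02", "account": "deploy",
     "start": "2024-03-04T10:10:00Z", "end": "2024-03-04T10:45:00Z", "reason": "CHG-77"},
]

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<account>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_logins(text):
    """Extract successful logins from sshd syslog lines; other lines are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = parse_ts(d["ts"])
            logins.append(d)
    return logins


def find_bypass_logins(log_text, sessions, proxy_ips=PAM_PROXY_IPS):
    """Return the logins that no PAM session explains, each with the reason it was flagged."""
    findings = []
    for login in parse_logins(log_text):
        covering = [s for s in sessions
                    if s["target"] == login["host"] and s["account"] == login["account"]
                    and parse_ts(s["start"]) <= login["ts"] <= parse_ts(s["end"])]
        if covering and login["src"] in proxy_ips:
            continue                                    # brokered by PAM: nothing to report
        reason = ("no PAM session open for this host/account" if not covering
                  else "PAM session open but login did not come via the PAM proxy")
        findings.append({"ts": login["ts"].isoformat(), "host": login["host"],
                         "account": login["account"], "src": login["src"],
                         "method": login["method"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_bypass_logins(SSHD_LOG, PAM_SESSIONS):
        print(f"{f['ts']} {f['host']} {f['account']} from {f['src']} ({f['method']}): {f['reason']}")
```

Run against the sample data it reports three logins: a root login on db01 during alice's session but from an address other than the proxy, a root login on db01 after her session ended, and a root password login on web02 with no session at all. In practice the host logs should be shipped to a collector the admins cannot write to, otherwise challenge 2 applies to the evidence itself.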


Cloud Entitlements Manager:
It collects data and applies artificial intelligence to assign an exposure-level score to each connected cloud environment. Cloud Entitlements Manager enables organizations to continuously assess the exposure level of their permissions and identifies recommendations for reducing risk.
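The exposure score idea above, together with the earlier "Important Cloud Security Considerations" (inventory identities, understand entitlements, RBAC), as an added example that is not from the post and is not how any vendor product computes its score: each identity in a constructed inventory has a role, the permissions it was granted, and the permissions it actually used in the last 90 days. A granted permission is risky if it was unused or falls outside the identity's role; the environment score is the weighted share of risky permissions, with wildcards and identity-service permissions weighted as privileged. The role names, permission strings, identities and weights are all assumptions.

```python
# Constructed inventory; permission strings follow the AWS "service:Action" shape for readability only.
ROLES = {
    "reader": {"s3:GetObject", "ec2:DescribeInstances"},
    "admin": {"s3:*", "ec2:*", "iam:*"},
}

IDENTITIES = [
    {"name": "alice", "env": "prod-aws", "role": "admin",
     "granted": {"s3:*", "ec2:*", "iam:*"}, "used_90d": {"s3:*", "ec2:*"}},
    {"name": "svc-backup", "env": "prod-aws", "role": "reader",
     "granted": {"s3:GetObject", "iam:CreateUser"}, "used_90d": {"s3:GetObject"}},
    {"name": "bob", "env": "dev-aws", "role": "reader",
     "granted": {"s3:GetObject", "ec2:DescribeInstances"},
     "used_90d": {"s3:GetObject", "ec2:DescribeInstances"}},
]


def weight(perm):
    """Assumed weighting: wildcards and identity-service permissions count as privileged."""
    return 5 if perm.endswith("*") or perm.startswith("iam:") else 1


def role_covers(role_perms, perm):
    """True if the role grants perm directly or through a wildcard such as 's3:*'."""
    return perm in role_perms or any(rp.endswith("*") and perm.startswith(rp[:-1]) for rp in role_perms)


def assess(identities, roles=ROLES):
    """Return {env: {"score": 0..100, "findings": [...]}}.

    score = 100 * (weight of unused or out-of-role permissions) / (weight of all granted permissions).
    """
    report = {}
    for ident in identities:
        env = report.setdefault(ident["env"], {"total": 0, "risky": 0, "findings": []})
        for perm in sorted(ident["granted"]):
            w = weight(perm)
            env["total"] += w
            reasons = []
            if perm not in ident["used_90d"]:
                reasons.append("unused in 90 days")
            if not role_covers(roles[ident["role"]], perm):
                reasons.append(f"outside role '{ident['role']}'")
            if reasons:
                env["risky"] += w
                env["findings"].append({"identity": ident["name"], "permission": perm,
                                        "reasons": reasons,
                                        "recommendation": f"remove {perm} from {ident['name']}"})
    for env in report.values():
        env["score"] = round(100 * env["risky"] / env["total"]) if env["total"] else 0
    return report


if __name__ == "__main__":
    for name, env in assess(IDENTITIES).items():
        print(f"{name}: exposure {env['score']}")
        for f in env["findings"]:
            print(f"  {f['recommendation']} ({', '.join(f['reasons'])})")
```

On the sample inventory, prod-aws scores 48 because alice holds an unused `iam:*` and the svc-backup service account holds `iam:CreateUser` that its reader role never granted and it never used; dev-aws scores 0. The "outside role" reason is the RBAC check from the considerations list, and the "unused" reason is the usage data an inventory alone does not give you.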


Building blocks of any PAM product:
  1. Secret Password Management (SPM)
  2. Managing user access
  3. Audit and reporting
  4. Session management, including session recording
  5. Workflow automation settings
  6. Governance and risk compliance methods
  7. Integration with IAM or IGA systems

