Are your privileged accounts under control? – Part Three: Who’s watching the watchers?

In previous blogs under the theme “Are your privileged accounts under control?”, the discussion focused on establishing foundational services to address privileged access and creating a prioritized and strategic two-year roadmap. But what about year three? Once you’ve got your foundational services in place and humming, next you can start looking at the advanced capabilities of privileged access management, and focus on “who is watching the watchers?” Who is keeping an eye on the keepers of high-risk accounts such as administrators?

In this final instalment, we will consider advanced features gained by the move from Privileged Access Management (PAM) to Privileged Access Intelligence (PAI). We’ll also look at Edward Snowden’s real-world breach of the NSA and discuss how advanced features of PAI and PAS may have been useful in mitigating or avoiding the leak.

In 2013, former CIA employee and US government contractor Edward Snowden breached the NSA and leaked 1.7 million classified documents to the world. According to Jeff Hudson’s blog (CEO of Venafi), Snowden executed the following tasks as part of this massive internal breach:

• He fabricated digital certificates to breach NSA systems and leveraged the intrinsic trust of encryption to transport the documents through the external firewalls.
• He obtained usernames and passwords from several colleagues.
• Then, he accessed their SSH keys and other digital certificates to gain access to additional documents he was not authorized to view.
• Finally, he had more privileges than needed to access his targeted documents, a syndrome called privilege creep.
  • Privilege creep can be explained by the following example: Let’s say Snowden needed 10 privileges to access his targeted documents, but ended up with 100 by using the above tactics. Now he has access to more privileged information than initially intended or authorized.

What would be the safeguards against the intentional actions of privileged administrators with ulterior motives such as Snowden?

• For digital certificates, next generation firewalls can act as a client to the server and mimic a "Man in the Middle" attack to review if the certificate was signed by a Certificate Authority (CA) that is not on the list, and issue a warning. 
• Furthermore, access to sensitive assets such as the CA servers should be safeguarded with recording events as provided by a PAM and SIEM solution.
• Access events should be logged and uploaded to a SIEM system that is integrated with a PAM solution to provide Privileged Access Intelligence.
• As introduced in Part One of this blog, if the usernames and passwords he obtained were permanent privileged accounts, they should be eliminated in favour of temporary accounts with one-time passwords.
• In addition, as a leading practice, all permanent privileged accounts require two-factor authentication.
• For SSH keys, certain PAM solutions can centrally manage and control which keys are used for which servers, creating access policies for critical assets defined by your data classification model.
• Moreover, the sessions should be logged and events captured by your SIEM system which should correlate events and alert anomalous activities.
• The privilege creep issue can be solved by other advanced features of PAM that are integrated with an Access Governance tool configured to detect outliers dynamically. Outliers are defined as users with additional or abnormal entitlements over their peers in same group or role. 
• Another leading practice is to remove all access and provide new access based on new job function only.

Most organizations lack the awareness and visibility into the various privileged access controls of the keys and certificates used to build trust. The examples above represent a few cases of the advanced features of privileged access intelligence as well as privileged access security that are now becoming an intrinsic layer of network security to “watch the watchers.” Depending on your use cases, these types of features should be considered to fulfil your priorities for year three of your roadmap. When setting out to develop your roadmap, it’s always important to work with experienced security consultants who can assess your organization and create a fully customized roadmap.

In summary, PAM implementations are complex in nature and should not be implemented simply as a tactical move. Just like identity management, it is a journey that needs to be planned properly. Your PAM strategy should be contained in a living document that is kept updated as business and technology continue to evolve at breakneck speed.

Organizations need to allow themselves the opportunity to step back and define their journey with a strategy and prioritized roadmap. They also need to lobby for the support of a sound governance model to improve their chance of success and perform a bakeoff of use cases based on priorities of the strategic roadmap.

To continue the conversation about PAM strategies and leading practices, feel free to send me a message or leave a comment below.

To learn more about Online Business Systems’ Risk, Security and Privacy practice click here.