Capability Framework for Privileged Access Management

The average total cost of a data breach is about US $4 million, whereas the average cost for a stolen record increased slightly from US $154 in 2015 to US $158 in 2016.[1] Why are these data lost? About 48 percent of all breaches are caused by malicious attacks.[2] Passwords are often the entrance door for attackers: 63 percent of all passwords were either weak, got hijacked or had not been changed from their default value.[3]

Attacks from insiders are another key challenge to consider; these are the most difficult attacks to detect and are often not detected at all.[4] The reason for this lack of detection is that perimeter defense is ineffective against a potential intruder who is already behind the firewalls and defense systems. Data are exposed to such actors. Hence, sophisticated attackers will strive to get the highest privileges, as this allows them to access the most valuable information by circumventing IT controls.[5]

This article focuses on electronic access and will not discuss physical access or privileged access gained via social engineering. With this restriction in mind, the model shown in figure 1 illustrates types of access to information assets. It consists of four elements:

This model distinguishes the three types of access channels:

This article focuses on privileged access channels (PACs), which are of high interest to attackers. Examples include domain administrators, root accounts and emergency users.

Due to their importance, PACs are the subject of standards, norms, frameworks and laws. For instance, the SANS Institute requires multifactor authentication (CSC 12-12) for privileged accounts, frequent reviews of the use of these accounts (CSC 16-1) and analysis of anomalous behavior (CSC 12-1).[6] Banks in the European Union are required to recertify critical privileged accounts every six months. ISO/IEC 27001:2013, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), requires that the allocation and use of privileged access be restricted and controlled.

A 2016 study conducted by Thycotic and Cybersecurity Ventures found that 80 percent of the more than 500 chief information security officers (CISOs) surveyed consider privileged access management (PAM) a significant topic, and a number of them have already implemented specific PAM solutions.[7] Typical objectives of such solutions are:

What makes a PAM solution successful? The following framework will introduce the four building blocks of any PAM solution:

  1. Governance
  2. Privileged access channel inventory management
  3. Privileged users management
  4. Control and monitoring

Each building block contains several components to consider in an assessment or audit. Indicators are provided per component to enable practitioners to ask the right questions and finally strengthen PAM at the organization.

Governance

Without governance, security efforts tend to be random, and the benefits from one-off investments erode quickly. Governance is critical since measures to limit and control PACs are often regarded as a sign of mistrust by IT administrators. Gaining their support while also controlling the implementation of PAM measures is, therefore, a crucial component of governance.

Figure 2 shows important indicators concerning the integration of PAM into IT governance. Any IT security strategy not addressing these indicators must be considered incomplete and a source of significant risk to the company. The types of indicators include:

Inventory

The PAC inventory is the basis for the management of PACs. It identifies PACs and shows their risk, owner and users and whether actions regarding a PAC are required. Figure 3 shows the core indicators for PAC inventory management:

Privileged Users

Having identified the existing privileged rights on a system level, it is now necessary to control who has the right to use PACs. Figure 4 provides an overview of the indicators:

Control and Monitoring

Having defined the governance structure and implemented the means to identify PACs and assign them to users, it is now necessary to take care of the usage of such channels. PAM solutions strive to accomplish several objectives: trace back privileged abilities to users, audit privileged actions, evaluate privileged rights usage in real time, terminate suspicious actions, and block specific rights or make them subject to additional approvals. Figure 5 shows indicators concerning the ability of a company to attain these targets:
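The inventory and control-and-monitoring building blocks above describe checks that can be expressed directly as code. The following is an added example, not code from the article or its authors: a minimal PAC inventory carrying the attributes the Inventory section names (risk, owner, users, whether action is required) together with indicator checks for the two building blocks: inventory findings (missing owner, no assigned users, recertification older than the six-month cadence the article cites for EU banks) and session findings (a privileged session that cannot be traced back to an inventoried PAC and an entitled user, or high-risk use without an approval reference). All channel names, user names, approval identifiers and log records are constructed for illustration.

```python
"""Added example: PAC inventory indicators and privileged-session checks.
Not part of the article; every identifier and record below is constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Six-monthly recertification of critical privileged accounts, as the
# article cites for EU banks; 182 days approximates that cadence.
RECERT_INTERVAL = timedelta(days=182)

# Reference date for the worked run (constructed).
AS_OF = date(2017, 3, 2)


@dataclass
class PAC:
    """One privileged access channel with the inventory attributes the
    article names: risk, owner, entitled users and recertification state."""
    name: str                      # hypothetical channel identifier
    risk: str                      # "high", "medium" or "low"
    owner: Optional[str]           # accountable owner, None if unassigned
    users: Set[str]                # users entitled to use this channel
    last_recertified: Optional[date]


# Constructed inventory (no real systems or people).
INVENTORY: List[PAC] = [
    PAC("root@db01", "high", "dba-lead", {"alice", "bob"}, date(2016, 11, 15)),
    PAC("domain-admin@corp", "high", "ad-team-lead", {"carol"}, date(2016, 4, 1)),
    PAC("emergency-user@erp", "high", None, {"dave"}, None),
    PAC("svc-backup@files", "medium", "infra-lead", set(), date(2017, 1, 10)),
]

# Constructed privileged session records, one per line as key=value pairs.
SESSION_LOG: List[str] = [
    "2017-03-01T22:14:05 user=alice pac=root@db01 action=login approval=CHG-1042",
    "2017-03-01T23:02:40 user=eve pac=root@db01 action=login approval=CHG-1042",
    "2017-03-02T08:30:12 user=carol pac=domain-admin@corp action=login",
    "2017-03-02T09:05:00 user=frank pac=root@legacy-box action=login",
]


def inventory_findings(inventory: List[PAC], today: date) -> List[Tuple[str, str]]:
    """Inventory indicators: every PAC needs an owner, entitled users and a
    recertification no older than RECERT_INTERVAL. Returns (pac, finding)."""
    findings: List[Tuple[str, str]] = []
    for pac in inventory:
        if not pac.owner:
            findings.append((pac.name, "no owner assigned"))
        if pac.last_recertified is None or today - pac.last_recertified > RECERT_INTERVAL:
            findings.append((pac.name, "recertification overdue"))
        if not pac.users:
            findings.append((pac.name, "no users assigned; candidate for removal"))
    return findings


def parse_session(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Parse one constructed session record into (timestamp, fields)."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(timestamp), fields


def session_findings(log_lines: List[str], inventory: List[PAC]) -> List[Tuple[str, str, str]]:
    """Control-and-monitoring indicators: trace each privileged session back
    to an inventoried PAC and an entitled user, and require an approval
    reference for high-risk channels. Returns (user, pac, finding)."""
    by_name = {pac.name: pac for pac in inventory}
    findings: List[Tuple[str, str, str]] = []
    for line in log_lines:
        _ts, f = parse_session(line)
        pac = by_name.get(f["pac"])
        if pac is None:
            findings.append((f["user"], f["pac"], "PAC not in inventory"))
        elif f["user"] not in pac.users:
            findings.append((f["user"], f["pac"], "user not entitled to this PAC"))
        elif pac.risk == "high" and "approval" not in f:
            findings.append((f["user"], f["pac"], "high-risk use without approval reference"))
    return findings


if __name__ == "__main__":
    for finding in inventory_findings(INVENTORY, AS_OF):
        print("inventory:", *finding)
    for finding in session_findings(SESSION_LOG, INVENTORY):
        print("session:", *finding)
```

Run as a script, the inventory checks flag the overdue domain administrator account, the ownerless and never-recertified emergency user, and a service account with no entitled users; the session checks flag a user not entitled to the channel, a high-risk login with no approval reference, and a login to a channel the inventory does not know about. The last case is the one the Conclusion warns about: a channel that technology has not yet detected cannot be governed, so unknown-PAC findings are a direct measure of inventory completeness.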

Conclusion

New PACs are constantly created in today’s fast-changing IT organizations. These channels are the most desirable target for attackers, and any diligent IT organization must strive to protect these channels. An important enabler in this effort is technology, which allows these channels to be detected. Another important enabler is appropriate processes to manage and protect channels. Governance, in turn, focuses and sustains this technological and organizational effort. But only if governance succeeds in creating a strong security culture can privileged access management truly succeed. Thus, PAM must not be regarded as a tool but as an integral part of an ongoing organizational effort to increase the security of the organization.

Endnotes

[1] Ponemon Institute, 2016 Cost of Data Breach Study, Ponemon Institute, 2016, www-03.ibm.com/security/data-breach/
[2] Ibid.
[3] Ibid.
[4] Ibid.
[5] Wenzler, N.; “Managing Privileged Access is Crucial to Preventing Data Breaches,” Security Magazine, 28 June 2016, www.securitymagazine.com/articles/87241-managing-privileged-access-is-crucial-to-preventing-data-breaches
[6] SANS Institute, CIS Critical Security Controls—Version 6.0, Center for Internet Security, https://www.cisecurity.org/critical-controls/
[7] Thycotic and Cybersecurity Ventures, The State of PAM Security, 2016, p. 3

Richard Hoesl, CISSP, SCF
Is responsible for identity and access management (IAM) consulting services with Accenture’s security practice in Germany, Austria and Switzerland. He is a seasoned expert on identity and access management and enterprise application security with a focus on financial services, helping organizations to resolve information security and compliance challenges in a digital world.

Martin Metz, CISA
Is a manager with Accenture’s security practice, author and expert on IAM. During his career, Metz designed and implemented SAP GRC systems, SAP role concepts and overarching IAM frameworks. He has led large-scale privileged access management (PAM) implementations. He conducted information security audits at clients across a wide variety of markets in Europe and the United States.

Joachim Dold
Is an IT strategy principal working for Accenture with 19 years of experience in the telecommunications, banking and insurance industry. He has worked in security transformation programs, software development and infrastructure projects and has held executive responsibility as the country manager of an offshore unit during the unit’s ramp-up phase.

Stefan Hartung
Is an IT security consultant with Accenture’s security practice. During his career, he has designed large-scale PAM implementations, researched in the areas of botnet detection and policy enforcement for bring-your-own-device setups, and developed security-related Android applications. Hartung is an expert in IAM, focused on privileged accounts.