By Alex Heijdenrijk. Hackers and other cyber criminals are always on the move. They are continuously improving their methods and techniques to breach security perimeters, giving them access to highly sensitive and lucrative information. Every year we see an increase in security incidents involving stolen credentials. More than ever, cybercriminals are trying to obtain credentials using malware, social engineering, phishing, and a host of other tactics.
To protect mission-critical systems and applications, many organizations choose to implement Privileged Access Management (PAM) and Identity Governance and Administration (IGA) systems. Much of this already happens, but separately and in isolation. It is a missed opportunity if the two systems remain isolated from each other.
What is IAM?
Identity and Access Management (IAM) encompasses the following disciplines:
- Access management
- Privileged Access Management
- Privileged Identity Management
- Identity Management
- Identity Governance and Administration
As defined by analyst firm Gartner, IAM is: “The security discipline that enables the right people to access the right resources at the right time for the right reasons.” With IAM solutions, you can create and manage identities for your organization’s users and manage the access they need to your organization’s systems and data.
Role of access management
AM focuses on (remote) access to information systems for customers, employees, and systems. Users have to authenticate themselves in different ways. Usually this is done with a username and a password, but today strong authentication/multi-factor authentication (MFA) is on the rise. This requires the user to perform an extra verification via, for example, an SMS, a hardware token (RSA SecurID) or a software token/app (Microsoft Authenticator). For regular accounts, such as email or Office 365, organizations often use an AM solution. For the more critical accounts, there is PAM. With PAM you simplify the management of privileged access to IT systems, applications, and infrastructure.
What is PAM?
Privileged Access Management is an access control system for special accounts with elevated privileges, so-called privileged accounts. A PAM solution manages the passwords and keys of various types of privileged accounts and stores these credentials securely in a digital vault. Examples of privileged account types are root/administrator accounts, system accounts, service accounts and application management accounts.
In particular, the management of non-personal privileged accounts, including service accounts and built-in Administrator accounts, is easily forgotten. A breach of this type of privileged account can go undetected for an extended period of time, with serious consequences if PAM is not implemented.
PAM ensures that the credentials of these privileged accounts are rotated on a regular basis, so that the risk of abuse of privileged accounts, and thus of ransomware, data breaches or other cybercrime, is minimized.
In addition, PAM facilitates the establishment of a secure management connection (privileged session) to target systems through a proxy server, also called a stepping stone or jump server. Some tasks of this proxy server are:
- Isolating the privileged session between the user and the target system
- Retrieving the necessary credential from the digital vault and injecting it into the session, so the user never sees it
- Monitoring the privileged session
All use of privileged accounts is recorded by PAM, so that it can later be shown which user had privileged access at which time. In addition, privileged sessions are secured, monitored and (optionally) recorded.
With PAM, the security risks surrounding the use of administrative accounts are minimized. An organization can prove it meets (inter)national laws and regulations (Wbni, GDPR, SOX, EBA) based on existing European or internationally accepted norms, standards and/or guidelines for the protection of network and information systems (e.g., ISO/IEC 27002, NIST SP 800-53r4, CIS Controls).
A common misconception is that PAM issues/revokes (elevates) privileges and can thus enforce least privilege. However, this is a task of IGA.
What is IGA?
Identity Governance and Administration adds monitoring and reporting capabilities to Identity Management (IdM) in order to demonstrate compliance. IGA provides more insight into the identities and access rights of users, so that it can be checked who has which access rights to which systems. IGA automates account lifecycle management and the management of roles and rights of individual users.
With IGA, organizations can onboard new employees faster and provide them with the right accounts and the access rights that correspond to their role within the organization. If an employee gets another role or position, IGA automatically handles the addition of new accounts (provisioning) and/or modifies access rights. Without IGA, access rights that are no longer needed will in many cases not be withdrawn. If an employee leaves the organization, IGA removes all their accounts from systems and applications.
A common misconception is that IdM/IGA tools provide insight into who has had access to certain information and resources at what time. This insight is provided by (P)AM solutions.
Combining IGA and PAM
As mentioned, many organizations use PAM and IGA separately. By combining them, more benefits can be reaped from both solutions. With an integrated approach you are much more in control of authorizations. A comprehensive approach enables you to manage a request for a privileged account easily within the parameters of established IGA policies. All access requests and approvals are part of one single approval chain. This saves a lot of manual work and also makes audits easier.
Advantages of combining IGA and PAM:
- One central point for granting and revoking access rights within the organization.
- Certainty that privileged access is granted and used in accordance with the applicable policy.
- Easier detection of access authorization inconsistencies, including:
  - incorrect separation of duties (Separation of Duties, SoD);
  - access that does not comply with role-based access restrictions.
- Streamlined onboarding, moving and off-boarding of all users, both internal and external.
- PAM can protect and secure management access of the IGA tool.
- IGA can take care of the automatic on/off boarding of accounts in PAM.
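The inconsistency checks listed above can be automated once IGA and PAM share one view of identities. The following is an added example (not code from the article or from Traxion) that reconciles a constructed IGA identity set with a constructed PAM vault assignment list, flagging SoD conflicts, privileged accounts outside role policy, and privileged accounts left behind after off-boarding. The role names, account names and policy tables are all assumptions made up for the example.

```python
"""Added example: IGA-to-PAM reconciliation over constructed data."""
from dataclasses import dataclass

@dataclass
class Identity:
    uid: str
    roles: set[str]
    active: bool = True          # False once IGA has off-boarded the person

# Constructed IGA policy: which privileged accounts each role may hold,
# and which role pairs one person may never hold at the same time (SoD).
ROLE_ALLOWED_ACCOUNTS = {
    "dba": {"oracle_sys"},
    "linux_admin": {"root_prod"},
    "iam_admin": {"pam_console_admin"},
}
SOD_CONFLICTS = {frozenset({"dba", "auditor"}),
                 frozenset({"iam_admin", "linux_admin"})}

def reconcile(identities, pam_assignments):
    """pam_assignments maps vault account name -> owning identity uid.
    Returns a sorted list of (finding, uid, detail) tuples."""
    by_uid = {i.uid: i for i in identities}
    findings = []
    for ident in identities:            # SoD: both roles held by one person
        for pair in SOD_CONFLICTS:
            if pair <= ident.roles:
                findings.append(("sod_conflict", ident.uid, "+".join(sorted(pair))))
    for account, owner in pam_assignments.items():
        ident = by_uid.get(owner)
        if ident is None or not ident.active:   # leaver still owns a vault account
            findings.append(("orphaned_privileged_account", owner, account))
            continue
        allowed = set().union(*(ROLE_ALLOWED_ACCOUNTS.get(r, set()) for r in ident.roles))
        if account not in allowed:              # account not justified by any role
            findings.append(("outside_role_policy", owner, account))
    return sorted(findings)

# Constructed sample data: one SoD conflict, one leaver, one unjustified account.
IDENTITIES = [
    Identity("alice", {"dba", "auditor"}),
    Identity("bob", {"linux_admin"}),
    Identity("carol", {"iam_admin"}, active=False),
    Identity("dave", {"helpdesk"}),
]
PAM_ASSIGNMENTS = {"oracle_sys": "alice", "root_prod": "bob",
                   "pam_console_admin": "carol", "root_staging": "dave"}

if __name__ == "__main__":
    for finding in reconcile(IDENTITIES, PAM_ASSIGNMENTS):
        print(*finding)
```

Run periodically against exports from both tools, such a check turns the "certainty" and "easier detection" points above into a concrete control rather than a manual review.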
If you want to know more about this topic or have any questions, Traxion is there to help you!
Alex Heijdenrijk is senior information security consultant at Traxion, a provider of Identity Centric Security Services in the Netherlands and Belgium with over 130 highly qualified professionals. Traxion is part of Swiss IT Security Group.
This article has also been published on www.techzine.nl/blogs/security/461844/pam-en-iga-een-solide-duo-om-je-data-te-beveiligen/