When considering cybersecurity, it is a universal truth that unfettered privileged access to systems will result in data breaches and ransomware attacks. Traditional approaches of building bigger and bigger defences by adding yet more tools into the tech stack will always be behind the curve and, worse, could be providing more opportunities for attack. That's a bold assertion, but it's built on the reality that every one of those tools - antivirus, firewalls, email scanners, and more - have their own administrator accounts. If those admin accounts aren't protected, then you're essentially waiting until some attacker acquires the admin credentials or an over-enthusiastic amateur gets access they shouldn't.
At Osirium, we believe that Privileged Access Security is a critical capability for every organisation and it needs a holistic view of managing privileged credentials and how they're used. It needs a combination of three fundamental functions that use three foundation technologies:
- Enterprise-Class Credential Lifecycle Management
- Credential Injection and Process Elevation
- Credential Vaults
This technology stack protects access at the administration and configuration interfaces, allows for a privileged process to be delegated to non-privileged staff and protects the user workstation estate from unauthorised changes.
Separating the User from …
Unlike other vendors, we strive to keep our users away from vaults and passwords for normal business and administration operations. In fact, we’d prefer that you automate the processes and tasks so that users don’t need privileged access in the first place.
Humans are very poor at choosing passwords, and that gets even worse when they are under time pressure – which is typically when a system will ask them to update a password. SSH keys are mostly set and then forgotten. Our view is that the only credentials a human needs to remember are those related to identity. All the other credentials should be under automatic management. This provides real system security and has the advantage of a significant reduction in human cognitive load.
It's more than "Identity Access Management (IAM)" which is often thought of as a solution to the password-management issue. IAM can help enforcing some standards and is not a bad idea, but just providing a vault for passwords does nothing to manage what users do with those credentials, especially those highly powerful and valuable admin credentials.
Windows users can have a poor experience if they have not got access to Local Admin Rights, for example to install a critical while travelling. However, we’ve already established users are not good with privileges. This is where elevating only the approved process will help. Users can get products installed and change configurations but without running their entire sessions as local admin. It’s worth remembering that ransomware generally needs local admin rights to embed itself in the critical sections of the operating system.
We know that phishing and malware account for just over 95% of all stolen credentials. That’s why we don’t allow privileged credentials to get to the user’s workstations and laptops. We inject the credentials in secure proxies well away from the reaches of keyloggers, RAM scraping and the ever-present phish attempts.
Who can do what on which systems and when? Organisations need to be able to answer these questions in an instant. They need to be able to look at all aspects of access. For example, they should be able to query against a system to see who can assume what roles on it, or be able to query a user to see what systems they can access, when and at what level. Often this approach is known as "Principle of Least Privilege (POLP)" a great foundation for PAM strategy.
We can’t operate without third parties these days. Vendors, suppliers, contractors, consultants and outsourcers all need access at some point. With Privileged Access Security, you do not need to expose your systems to other people's questionable digital hygiene. We have both timed and just-in-time access profiles that help organisations welcome the right help on the right systems at the right time. Our session set-up and credential injection technology mean that third parties cannot move laterally across your network, they are directed to just the systems defined in the profiles.
From the Endpoint (user’s workstations) we can see who can elevate which processes, the hash and the author of these, this means we can deprecate legacy applications and deploy new versions without over-privileged users in the user base. This helps with the unauthorised or unlicensed application issues – where users cannot install applications against the policy. For the Auditor, the policy defines what can be run, has been run and everything else is blocked.
Session Recording – the investigator’s go-to tool
When a system is in a non-optimal state, it is often useful to know what happened to get it there. An accurate record of which commands were issues is always better than a possibly fallible human account, especially in the case of syntax and parameter errors. For Privileged Access Management, we deliver a video of what happened, and for Privileged Process Automation, we have an HTML rendered account of each question and response. Our Privileged Endpoint Management product delivers an event stream of which users elevated which processes.
PAS has to be usable
A little like the outdated notion that more and more security tools is the only way to increase security, the concept that security tools have a primary priority to be secure regardless of how hard the tool is to use is wide of the mark. Certainly, locking a key to your house (or user name and password) in a steel box in the basement with a sign that says "beware of the tiger" might give the impression that the keys are secure, but the reality is that anyone that wants access to your house will just break a window (or use one that's been left open).
Humans are very creative at bypassing controls if they get in the way. The best kind of security is security that actually gets used. For Osirium, that means we want to make it easier for users to get their work done. That ranges from wrapping up work into pre-built automated tasks that can help them get their work done faster than they could dream of, through to a beautiful client that doesn't need any software installed locally and gives fast access to the devices and services they need to manage.
PAS for Business Success
So, end user friendliness is critical for security, but the business also needs to see benefits. Certainly cybersecurity tools are a form of insurance policy or safety net what might be hard to quantifiably value, but that's not good enough in the modern business world.
Typical business benefits from Osirium Privileged Access Security include:
- Accelerating access to IT systems: Admins spend less time trying to find the system they need to work on or the credentials for those systems
- Completing tasks in minutes not hours: Processes that can take weeks, days or hours can be completed in minutes with automation
- Secure support for users working remotely: Remove risky local admin rights without increasing the load on the help desk.
- Delegate tasks to help desk or users: Reduce the load on experienced admins by safely delegating tasks (for example account recertification) to users or help desk engineers)
Usable Privileged Access Security
This article has emphasized the security nature of Privileged Access Security. But it's not just an academic interest. We are reminded daily of the need to do business at near the speed of light. We use all our own products internally, not only to get them battle-hardened but to improve our business flows. We wake up every morning thinking about how security can be more user-friendly, how it can disappear until needed and how it can help to:
- Get users to the right system at the right time
- Let users quickly find the task or process they need to run
- Catch users common input errors
- Allow for easy escalation and return workflows
- Let users request access to the applications they need
- Handle multiple-segmented network architectures
- Deliver no-fear break glass schemes
- Handle devices that fail or are restored from backup
- Deliver accurate, meaningful and easy to scan error messages for common issues and resource limitations
We love users and usability.
There you are, we consider access at the administration, configuration, process, task and endpoint. We feel this gives a 360-degree coverage of any privileged operations organisations undertake. If you’d like to know more about our products and capabilities, please get in touch.