Every system, service, application, and device in your organization has powerful administrator accounts. Those “admin” accounts have huge power.
They can make substantial changes to those systems, access valuable corporate IP, or reveal personally identifiable information (PII). It’s no surprise that these accounts are prized targets for cyber attackers as they are so powerful.
Controlling access to those powerful accounts is a foundational need for the organization. When those accounts are not managed, all the IT and cybersecurity systems the business depends on are at risk.
The ultimate goal is to ensure that any person accessing a system has the least level of elevated rights needed, on only use they systems they need, and for the shorted period of time to get their work done.
Good PAM is not optional. Every organization is subject to regulation, such as GDPR, PCI DSS or Sarbanes-Oxley, or wants to implement best practices such as Cyber Essentials or ISO 27001 to improve customer service and reduce risk.
Every one of those standards has a requirement to manage privileged access. Osirium has several whitepapers to show how PAM is relevant to ISO270001, Cyber Essentials and Digital Security and Protection in the NHS.
For all these reasons, PAM is not an optional purchase. The decision for the company is how to acquire and implement the best PAM for their organization in the most cost-effective and business-enhancing manner possible.
If you would like more information, please get in touch.
Privileged accounts such as Admin or Superuser are the most powerful and dangerous in your organization. The best way to start protecting them is to make sure users can't actually get access to them.
That's where Privileged Access Management (PAM) is key.
Once a user has gained access to a system using privieged access credentials, you need to know what they're doing. That's especially true if it's a remote worker or third-party supplier where you don't have so much control over who is using the access.
That's where Session Management and Recording is so important.
In some cases, IT experts need full access to a system or devices and need to use "root" level connections. In most cases that's more access than is really needed, so best practice is to only let the user access just the applications they need to do their work.
With Osirium PAM, the MAP Server ensures the user can only use the applications they need.
The best, and most proactive, protection of privileged access is to ensure it can only be used to perform the work that it should. By wrapping applications, services and devices with Automation can't do anything they shouldn't and a full audit trail is tracked.
See how Osirium's unique Automation is the ultimate privileged access protection.
Every IT infrastructure is managed by privileged users. Users such as SysAdmins are granted elevated control through accessing privileged accounts to ensure that the uptime, performance, resources and security of the computers meet the needs of the business. Privileged account abuse presents one of today’s most critical security challenges and is increasingly the hacker’s favoured way of breaching your defences so privileged account management becomes a critical priority for IT security teams.
The Osirium PAM solution addresses both security and compliance requirements by defining who gets access to what and when. Find out below about the rich breadth of PAM capabilities that allow Osirium customers ranging from mid-market organisations to divisions of global enterprises to protect their businesses.
Or more accurately, ‘Separating SysAdmins from Credentials’. Osirium PAM is designed with the assumption that endpoints are compromised, and people are phishable. Therefore, from the outset, we decided that credentials should never pass through end points or be revealed to humans (except in breakglass).
You can think of this as a 'credential-injecting proxy'. This means that credentials only travel between Osirium PAM and the end device.
Osirium PAM also takes on management of the admin credentials and passwords, ensuring they comply with corporate policies, are rotated regularly and retired when no longer needed.
People have identities, accounts on systems have roles. That's the difference between an "identity management tool (IAM)" which confirms that a person is who they say they are compared to a "privileged account management" tool that controls what that person can do by assigning that person a "role."
It's important to know which identity used which role, on which system, and when. Osirium PAM implements privileged account management policies through Profiles, which map Identities through tools and tasks to roles on systems.
Osirium PAM is, in essence, an Identity IN - Role OUT system. Therefore the quality of identity proof is crucial for highly secure operations. Multi-factor Authentication (or MFA) adds an extra level of verification to incoming identities and may be provided by an identity and access management system.
MFA generally works based on something you know, something you've got, or something about you. Authentication services can either be handed off to Active Directory or defined as a series relationship. For example, a user can be identified either locally or by Active Directory and then through an additional MFA stage such as Google Authenticator.
The best security is to not let anyone have access to systems and devices, but clearly, that's not realistic. The next best option is to not grant access until it's actually needed and then only for the minimum time access is required. Osirium PAM provides "just-in-time" access by allocating time windows during which privileged access is allowed and by the user requesting access just when they need it.
Often it is vital to know exactly what has been done to a system from where and by whom. Unusual behaviour or audit purposes are perfect reasons for this.
Osirium PAM's Privileged Session Management (PSM) enables security managers to record, store and playback any activities that take place across their entire hybrid-cloud infrastructures. As a result, Privileged Session Management not only ensures full user access accountability but also acts as a unique deterrent against SysAdmin malpractice. In conclusion, this provides irrefutable evidence of their privileged activities.
All sessions can be recorded. A visual capture allows a video playback of each session along with a thumbnail layout to evaluate sessions at a glance. Because all sessions have to pass through Osirium PAM there is no way to bypass recording. Users never get access to the Privileged Credentials therefore they cannot make a session outside Osirium PAM's control.
Every session with Osirium PAM can be shadowed in real-time. This allows all admin sessions, including 3rd party service providers to be monitored as they happen. Session termination means that any session can be terminated immediately. This happens in Osirium PAM, and since the users have no alternate means of access, terminated stays terminated. If a session is deemed malicious there’s the one touch terminate and disable user button
In addition to recording a video of a session, all keystrokes are also captured. Therefore, a SuperAdmin can search by all types of meta-information, including fuzzy keystrokes patterns.
Key insight can be gained from session recordings as to why and when a device misconfiguration takes place. Consequently, this allows for the careful examination of changes and provides a quicker return to a stable and working environment. Good session recordings can be made into mini training videos.
Legacy applications refer to software older than the current ‘official’ release. In any IT environment, there are legacy applications that cannot be replaced. To combat this, companies use legacy management tools or ‘thick clients’, but this can cause a number of issues…
What is MAP Server?
Legacy applications all have dependencies, be it their own Dynamic Link Library (DLL)’s, or versions of .NET and Java. Furthermore, it can be tricky or even impossible to have multiple versions of some management tools concurrently installed.
SysAdmins are forced to work across different versions of management tools, or install specific versions on jump boxes and access those. Resource intensive and a security risk, jump boxes are only accessible via a dedicated desktop, often shared by team members.
Applications are presented on the user's desktop alongside their other applications.
Secure environment for running legacy applications.
No need to ensure the user's desktop has all the necessary supporting libraries for each legacy application.
Credentials are injected in the mapped application and never revealed to the user.
IT has control over who has access to which applications and the credentials that are used.
Multiple versions of management applications can be available to SysAdmin or DevOps desktop without any dependencies at the workstation.
Moving beyond protecting privileged accounts is to protect privileged activities - what users are doing with those accounts. Osirium PAM now includes free Osirium Automation licenses. Osirium Automation, available standalone and as part of Osirium PAM is a flexible, secure framework to automate tasks that normally need expert administrators. Automation uses the admin credentials from Osirium PAM which are never exposed to the user.
Osirium Automation is built on the Privileged Process Automation (PPA) framework to automate processes on IT services, devices and applications via API, REST or web services.
Automated playbooks are built using a low-code task development environment and pre-built example playbooks and plug-ins are available in the PPA Resource Hub.
As privileged credentials are alway protected, users can't do anything they shouldn't and there's a full end-to-end audit trail, it is safe to delegate tasks to the help desk or even to end-users.
Osirium Automation can be used to automate any task that might normally need IT help. That can range from resetting account passwords to provisioning accounts for a new starter or setting firewall configurations. The list is endless.
Any account that has more power, or permissions, than a regular user can be considered a “privileged account.” Often, they’re called “administrator,” “supervisor,” or “system” accounts. These accounts have the power to, for example, create/update/remove other user accounts, change system settings, install software, access sensitive databases, … the list is endless.
PAM or Privileged Access Management system is used to manage the powerful admin accounts. This management covers the actual account credentials (i.e. usernames and passwords), who has access to those accounts, and how those accounts can be used.
An important factor with Osirium PAM is that no user will ever have direct access to those privileged account credentials. If a user can’t see the username & password, they cannot reveal those details to an attacker.
A modern PAM solution, like that from Osirium, goes further and monitors users while they use privileged connections. If necessary, the session can be interrupted to prevent malicious changes from being made. The sessions can also be recorded for later investigation if a security incident occurs.
The threat of privileged access abuse can come from different areas, not all may be obvious.
The most obvious source of risk is that of an external party trying to gain access to IT systems. Whether that’s through hacking firewalls to get inside, spearfishing staff to acquire their login credentials or planting malware to open backdoors or exfiltrate data.
Insiders, or staff, can be a risk in several ways. The most obvious might be the disgruntled employee trying to do damage or steal customer information before leaving. The less obvious risk is the “over-enthusiastic amateur” – someone who has managed to get admin credentials then tries to make changes they’re not fully trained for. It’s too easy for them to make a catastrophic change such as shutdown all internet traffic through the firewall or delete customer records (something seen recently at the Home Office in the UK).
With the increasing adoption of “shadow IT” and prevalence of cloud-based services being purchased by business units without involving IT, there are more users with admin rights across the business than ever.
Every organization depends on close relationships with suppliers, partners and outsourced staff. To do their work, they typically need access to corporate IT systems. For example, you may outsource management of your e-commerce web server or a supplier needs access to manage your heating and ventilation systems (the source of the famous breach at Target).
It’s hard to ensure that all these vendors have the same level of security hygiene as is used internally. It’s also hard to ensure that the people who have been granted access don’t share their credentials.
Identity Access Management (IAM) or Identity Governance and Administration (IGA) are solutions for managing user’s credentials – usernames and passwords. They may include tools for generating passwords or support multi-factor authentication (MFA) to aid logging into IT services.
So IAM is essentially about proving “who you are” but it doesn’t provide any help in controlling what users can do once they’ve retrieved credentials and logged in. However, Privileged Access Management (PAM) controls “what you can do” and “how you do it.” Admin users are only allowed the access the systems they need, with the least amount of privileged needed, for the shortest period of time needed.
The combination is very powerful, IAM tools authenticate the person then Osirium PAM manages the system access for that user.
PAM is a crucial addition and complement to existing IAM to protect the most valuable accounts.
"Principle of Least Privilege" is an important model to consider when making cybersecurity plans. The fundamental principle is that users should only have the amount of privilege they need (which may be none) on only the systems they need and only for the time they need it. This is where PAM is a vital asset - when all privileged access to systems is via PAM, you have a point of control to ensure only the right people have access to the right systems. Osirium PAM also allows users to request access when they need it, so no need for dangerous "standing" or persistent access rights. Finally, with this centralised control, you can easily perform routine audits to ensure privileged access is removed when no longer needed.
A "privileged session" is a connection being made by a user to a device, service or system using credentials that have elevated privileges such as those used by an administrator. As these sessions are very powerful, they should only be allowed by users that have a need and the experience to use them safely (see "Principle of Least Privilege" above). The best Privileged Access Management systems include tools to monitor privileged sessions in real time, close the sessions if risky behaviour is shown and to record the sessions for later investigation or audit.
Privileged Identity Management (PIM) is feature often provided in IAM tools. It goes some way towards improving management of the powerful admin accounts or other privileged accounts in that they can report that these accounts exist and how/when they are being used. However, that is not a replacement for Privileged Access Management which is more active protection of those privileged account credentials and management of privileged sessions.
Privileged User Management (PUM) is pretty much the same as "Privileged Identity Management (PIM) with the same limitations in how admin and privileged account credentials are used.
Privileged Process Automation, known as PPA, is a powerful tool for IT infrastructure and operations teams to automate complex repetitive tasks. Robotic Process Automation (RPA) has had some success in automating relatively simple but highly repetitive business processes. However, they aren’t appropriate for more complex tasks as seen in IT teams or where an element of human review, decision-making and confirmation are needed. When all admins are overworked, the opportunity to automate and safely delegate repetitive tasks is better for end-users and lets admins get on with more interesting work. For more information, see https://www.osirium.com/ppa.
PEM, also known as Privileged Endpoint Management, is Osirium’s solution for removing local administrator accounts from Windows computers without slowing down end-users while also reducing the load on IT help desks.
Privileged Endpoint Management (PEM) allows approved applications to be run with elevated privileges, what would typically be by using the “Run as Administrator” option on an applications context menu. Importantly, the privileges of the application are elevated without exposing valuable administrator credentials or having to call the IT help desk. Find out more at https://osirium.com/pem.
Privileged Access Security, or PAS, is Osirium’s solution that takes a holistic view of managing privileged accounts and automation. It includes PAM to protect shared devices and services, PPA for secure IT operations automation and PEM for managing privileged application execution on endpoints.
These acronyms, and others, are all variations of the capabilities of a modern PAM solution like Osirium PAM. They stand for a variety of features including Privileged Access Session Management, Privileged Elevation and Delegation Management, Superuser Privileged Management, Shared Account Password Management.