In our last installment in our series on Privileged Access Management (PAM), I'll address the key points related to governance. Tola and Brandon previously covered planning (part 1) and implementation (part 2). We pick up with Step #9.
9. Audit, Audit, Audit
Access controls are only as good as the oversight you have to ensure they’re working properly. Periodic reviews or audits are an essential part of any organization’s security governance; because proper access management is crucial to safeguarding data, it should be an integral part of your audit program. The scope of audits should include the following at a minimum:
- Review a random sample of access authorizations: To ensure users’ access is being properly reviewed and approved, pull the access request forms/tickets that were submitted to gain access. Improperly authorized users can present a serious risk if they’re given access beyond what’s required for their job duties.
- Review all access to critical infrastructure: It can be an arduous task, but it’s crucial that key servers and network devices get a full access review to ensure all users still have a valid access need and that they’ve got appropriate permissions.
- For large environments, using groups can help to cut down the administrative and audit burden (e.g. creating a “Windows Production Support” group would allow you to review the users in the group just once, and then review that group’s permissions on various servers). Truly complex environments with a heterogeneous infrastructure could benefit from an automated access management tool capable of generating audit reports, or even performing automated checks such as identifying users whose accounts are deactivated but still have access provisioned.
- Review a sample of privileged access to non-critical infrastructure: Given limited resources, auditing every server or network device could be an impossible task. Prepare a representative sample to review and look for any trends that could be extrapolated back to your infrastructure as a whole.
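The group-based review and the automated "deactivated but still provisioned" check described above, as an added example (not code from the original post or from any product it mentions). It runs over a constructed directory export, a constructed group list and a constructed table of host-level privileged entitlements, expands group grants down to individual users, and produces the two findings an access audit looks for: deactivated accounts that still hold privileged access, and effective access with no approved request ticket behind it. It also draws a reproducible random sample for manual review. All account names, group names, host names and ticket ids are assumptions invented for the example.

```python
"""Access-review helper (added example; data shapes and all names are
constructed for illustration, not taken from any real system)."""

from dataclasses import dataclass
import random

# Constructed directory export: account name -> enabled flag.
ACCOUNTS = {
    "alice": True,
    "bob": False,    # left the company, account deactivated
    "carol": True,
    "dave": False,   # deactivated, but still a member of a group below
}

# Constructed group membership (as exported from a directory such as AD/LDAP).
GROUPS = {
    "Windows Production Support": {"alice", "dave"},
    "DB Admins": {"carol"},
}

# Constructed entitlements: (principal, host, role).
# A principal is either a user name or a group name from GROUPS.
ENTITLEMENTS = [
    ("Windows Production Support", "prod-web-01", "Administrators"),
    ("Windows Production Support", "prod-web-02", "Administrators"),
    ("DB Admins", "prod-db-01", "sysadmin"),
    ("bob", "prod-db-01", "sysadmin"),   # direct grant to a disabled user
    ("alice", "jump-01", "sudo"),        # no ticket recorded below
]

# Constructed approved access-request tickets: (user, host, role) -> ticket id.
APPROVALS = {
    ("alice", "prod-web-01", "Administrators"): "REQ-1001",
    ("alice", "prod-web-02", "Administrators"): "REQ-1001",
    ("dave", "prod-web-01", "Administrators"): "REQ-1007",
    ("dave", "prod-web-02", "Administrators"): "REQ-1007",
    ("carol", "prod-db-01", "sysadmin"): "REQ-1012",
    ("bob", "prod-db-01", "sysadmin"): "REQ-0999",
}


@dataclass(frozen=True)
class EffectiveAccess:
    user: str
    host: str
    role: str
    via: str  # "direct", or the group name the access is inherited through


def expand_entitlements(entitlements, groups):
    """Resolve group grants to the individual users behind them, so that a
    group reviewed once still yields per-user findings on every host."""
    result = []
    for principal, host, role in entitlements:
        if principal in groups:
            for user in sorted(groups[principal]):
                result.append(EffectiveAccess(user, host, role, principal))
        else:
            result.append(EffectiveAccess(principal, host, role, "direct"))
    return result


def disabled_but_provisioned(accounts, effective):
    """Finding (a): deactivated or unknown accounts that still hold access.
    An account missing from the directory export is treated as disabled."""
    return [e for e in effective if not accounts.get(e.user, False)]


def unauthorized_access(approvals, effective):
    """Finding (b): effective access with no approved request ticket."""
    return [e for e in effective if (e.user, e.host, e.role) not in approvals]


def sample_for_review(effective, n, seed=0):
    """Reproducible random sample of entitlements for the manual review step;
    the fixed seed lets a second reviewer regenerate the same sample."""
    return random.Random(seed).sample(effective, min(n, len(effective)))


if __name__ == "__main__":
    effective = expand_entitlements(ENTITLEMENTS, GROUPS)
    for e in disabled_but_provisioned(ACCOUNTS, effective):
        print(f"DISABLED-ACCOUNT-ACCESS {e.user} {e.host} {e.role} via {e.via}")
    for e in unauthorized_access(APPROVALS, effective):
        print(f"NO-APPROVAL {e.user} {e.host} {e.role} via {e.via}")
    for e in sample_for_review(effective, 3):
        print(f"SAMPLE {e.user} {e.host} {e.role} via {e.via}")
```

In practice the three constructed tables would be replaced by exports from the directory, the ticketing system and the hosts' local administrator or sudoers configuration; the value of expanding groups first is that a member who was deactivated but never removed from a group (dave above) still surfaces on every host the group reaches.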
10. Integrating PAM Into Other Parts of Enterprise Operations
PAM is vital in combating insider threat as well as reducing the impact of intrusive malware, system infiltration, and account compromise. Looking at the big picture of an organization’s cyber security program, there are many areas where Privileged Access Management should be integrated or at least considered:
- Configuration Management: The goal of configuration management is to reduce known vulnerabilities in an information system by implementing a standard set of controls, ensuring security patches are implemented, and ensuring all changes to hardware and software conform to these standards. By monitoring compliance and conducting vulnerability testing, this process results in a relatively accurate picture of the vulnerabilities present in a given information system.
- Incident Response: It is vital to any forensic endeavor that access at any level to logs, monitoring software, and forensic software resides solely with authorized personnel. Any administrator having access to these logs and software could partially or completely hamper an incident response or investigation, so privileged access to log files or logging functions should receive extra scrutiny.
- Awareness and Training: As mentioned before, training and awareness on the topic of PAM can be vital. A developer who is aware of the driving policies behind their organization’s Privileged Access Management program can engineer applications or software to comply with the program’s mandates. Managers and information owners should be aware of their responsibilities with regard to authorizing different levels of access.
- Risk Assessment: The PAM program needs to address the subset of risks related to access controls, but it should also be aware of other risks to the organization as they are all interconnected. Business impacts of greater or lesser levels of access control should be evaluated as part of the overall assessment. An internet-based retailer has a greater need for rapid response to production application issues, and therefore requires a larger administrative team, than does a consulting company with an internal collaboration platform with highly confidential client data.