In a digital world, we continue to face ever increasing threats and consistently more sophisticated attack methods as cyber criminals seek to take advantage of businesses. As has been said many times, identity is the new security perimeter – and some identities or users present greater risks than others, namely your privileged accounts.
Forrester's estimate that 80% of data breaches are connected to compromised privileged credentials further illustrates how critical it is for organisations to have an effective strategy in place to minimise their risk.
What is Privileged Access Management (PAM) and why is it important in dealing with cyber threats?
In IT, the term privilege applies to users with elevated access to important resources on the corporate network that standard users cannot access. While these privileged accounts are an essential part of your IT infrastructure, they represent a high-value target for cyber attackers, so it is absolutely critical that they are closely monitored.
This is where Privileged Access Management (PAM) becomes an essential cornerstone of your security strategy. PAM is a security best practice which aims to better secure your business by monitoring and restricting who can access what and when.
It helps you ensure that any access to high-value assets – the Crown Jewels – and administrative tasks is managed in a secure and controlled manner to mitigate the risk of improper use by both internal and external threats. This means that every attempt to access a high-value asset, or activity that requires an elevated set of permissions, should involve a workflow to challenge, audit and approve that access.
What do the Crown Jewels look like? Typically speaking, these will be assets or data that present a negative business impact if they become unavailable or are compromised by a bad actor. They can include:
- Active Directory Domain Controllers
- Administrative Identities
- Certificate Servers
- Cloud Management consoles including Azure Active Directory, Azure Management, Office 365 Administration and other security consoles such as Defender for M365 and Defender for Azure.
In order to gain access to these critical resources, a user will require elevated (or privileged) permissions. The issue is that today many businesses will grant these required permissions on a permanent basis to that user, which increases the risk of exposure if those credentials are compromised. You have to ask yourself, does this user really need that level of access at all times?
How can Privileged Access Management help you minimise the risk of compromising high-value assets?
One of the principles that underpins sound Privileged Access Management is that of least privilege, whereby users are granted the access needed to perform a necessary task, but only for the minimum amount of time that it is needed, after which that access is revoked. In theory this allows employees to perform their duties without major disruption, while minimising the risk of misuse or the potential for that account to be compromised.
To help implement this principle, security teams can look to Just In Time and Just Enough Access as part of their access management approach. But what do they mean?
- Just in Time (JIT) access is an approach that ensures users are given access to resources based on an approved time frame (for example three hours). Once the allocated time has expired so does the access, in line with the principle of least privilege outlined above.
- Just Enough Access (JEA) on the other hand, relates to the level of access rather than just the length of time a user has it. It ensures that the permissions given to a user to perform an administrative task match only what they need at that moment in time. For example, if a member of the helpdesk team needs to reset a user's password, the helpdesk team member can request User Administrator Permission for the period of time when the task will be performed.
Gone are the days – or so we hope – when standing Global Administrator access was given to users who only needed to perform a subset of administrative tasks. By limiting the number of users with full administrative access within your organisation, you are also limiting the number of high value targets for cyber criminals which could be compromised to negative effect.
To find out more about the types of permissions you can grant, see Administrator role permissions in Azure Active Directory for a full list.
How will implementing JIT/JEA impact day-to-day administrative tasks in your business?
One of the main objections we hear from customers is that incorporating JIT and JEA could introduce further management overhead and impact the flow of performing administrative tasks. In this instance we suggest using Azure AD Privileged Identity Management to help make the integration of JIT and JEA practices seamless.
Here’s how:
- Step 1: Identify the Administrator role permissions in Azure Active Directory, and decide which role assignments should be protected by Privileged Identity Management.
- Step 2: Determine which users should be eligible to request the elevated permissions for each role (typically members of your IT Administration, Security or Helpdesk Team).
- Step 3: Determine if the role that users are requesting requires approval from a manager or an administrator to activate. Once access is requested, an approver will be asked to grant access for the role and timeframe requested. Alternatively, roles that do not require an approver will automatically grant the user the permissions for the allocated time frame, which is then audited and tracked.
- Step 4: Review and remove permanent permissions and monitor admin activities.
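The JIT and JEA bullets above and Steps 1 to 4 describe one control loop: a set of protected roles (Step 1), users eligible to request them (Step 2), an optional approver (Step 3), activations that expire on their own, and a review that hunts for standing permanent assignments (Step 4). The following Python model, added here as an illustration and not code from Azure AD Privileged Identity Management or from Threatscape, reproduces that logic end to end. Role names, user names, the timestamps and the exported assignment records are all constructed; the classes are not PIM's API and the dict keys in the review step only loosely mirror what a role-assignment export looks like.

```python
"""Model of the JIT/JEA elevation workflow (Steps 1-4 above).

Constructed example: roles, users and timestamps are made up, and nothing
here is the Azure AD PIM API; it only reproduces the control logic.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RolePolicy:
    """Step 1: a role protected by PIM and its activation settings."""
    name: str
    max_duration: timedelta   # longest JIT window a request may ask for
    requires_approval: bool   # Step 3: does activation need an approver?


@dataclass(frozen=True)
class Activation:
    """One grant of one role (JEA) for a bounded window (JIT)."""
    user: str
    role: str
    start: datetime
    end: datetime             # always set: JIT never issues a permanent grant
    approver: str | None


class PimModel:
    def __init__(self, policies: list[RolePolicy], eligibility: dict[str, set[str]]):
        self.policies = {p.name: p for p in policies}
        self.eligibility = eligibility   # Step 2: role -> users allowed to request it
        self.activations: list[Activation] = []
        self.audit: list[tuple[str, str, str, str, str]] = []

    def request(self, user: str, role: str, duration: timedelta,
                now: datetime, approver: str | None = None) -> Activation | None:
        """Handle an activation request; every outcome is written to the audit log."""
        policy = self.policies.get(role)
        if policy is None:
            raise ValueError(f"{role} is not managed by this PIM policy set")
        if user not in self.eligibility.get(role, set()):
            self._log(now, "denied", user, role, "user is not eligible for this role")
            return None
        if duration > policy.max_duration:
            self._log(now, "denied", user, role, "requested window exceeds role policy")
            return None
        if policy.requires_approval and approver is None:
            self._log(now, "pending", user, role, "waiting for approver decision")
            return None
        act = Activation(user, role, now, now + duration, approver)
        self.activations.append(act)
        self._log(now, "activated", user, role, f"expires {act.end.isoformat()}")
        return act

    def has_role(self, user: str, role: str, at: datetime) -> bool:
        """JEA check: only the activated role counts, and only inside its window."""
        return any(a.user == user and a.role == role and a.start <= at < a.end
                   for a in self.activations)

    def _log(self, when: datetime, outcome: str, user: str, role: str, detail: str):
        self.audit.append((when.isoformat(), outcome, user, role, detail))


def find_standing_assignments(assignments: list[dict], protected: set[str]) -> list[dict]:
    """Step 4: flag permanent (no end date) assignments to protected roles."""
    return [a for a in assignments
            if a["roleDefinitionName"] in protected and a["endDateTime"] is None]


def build_example_model() -> tuple[PimModel, datetime]:
    policies = [
        RolePolicy("Global Administrator", timedelta(hours=1), requires_approval=True),
        RolePolicy("User Administrator", timedelta(hours=3), requires_approval=False),
    ]
    eligibility = {"Global Administrator": {"admin.bob"},
                   "User Administrator": {"helpdesk.alice"}}
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    return PimModel(policies, eligibility), t0


def demo() -> dict:
    model, t0 = build_example_model()
    hour = timedelta(hours=1)
    # Helpdesk password reset: User Administrator for 2h, no approval required.
    model.request("helpdesk.alice", "User Administrator", 2 * hour, t0)
    # Same person asking for Global Administrator is refused: not eligible (JEA).
    model.request("helpdesk.alice", "Global Administrator", hour, t0)
    # Global Administrator needs an approver; the first attempt stays pending.
    model.request("admin.bob", "Global Administrator", hour, t0)
    model.request("admin.bob", "Global Administrator", hour, t0, approver="manager.carol")
    # A window longer than the role policy allows is denied even with an approver.
    model.request("admin.bob", "Global Administrator", 4 * hour, t0, approver="manager.carol")
    # Constructed export of current assignments for the Step 4 review.
    exported = [
        {"principalId": "admin.bob", "roleDefinitionName": "Global Administrator",
         "assignmentType": "Assigned", "endDateTime": None},
        {"principalId": "helpdesk.alice", "roleDefinitionName": "User Administrator",
         "assignmentType": "Activated", "endDateTime": (t0 + 2 * hour).isoformat()},
    ]
    standing = find_standing_assignments(exported, set(model.policies))
    return {
        "alice_during_window": model.has_role("helpdesk.alice", "User Administrator", t0 + hour),
        "alice_after_expiry": model.has_role("helpdesk.alice", "User Administrator", t0 + 2 * hour),
        "bob_global_admin": model.has_role("admin.bob", "Global Administrator", t0 + timedelta(minutes=30)),
        "outcomes": [entry[1] for entry in model.audit],
        "standing_principals": [a["principalId"] for a in standing],
    }
```

Running `demo()` shows the points the article makes: the helpdesk user holds User Administrator only inside the two-hour window and nothing else, Global Administrator activation stalls until an approver is recorded, an over-long window is refused by policy, and the review step surfaces the one permanent Global Administrator assignment that should be converted to an eligible assignment or removed. Every request, including the denied and pending ones, lands in the audit list, which is the trail Step 4 relies on.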
What about controlling access to server resources?
In addition to the ability to manage user access to Azure AD roles, Privileged Identity Management can also integrate with Azure Defender (formerly known as Azure Security Center) to provide JIT access to Virtual Machines and server resources.
You can find out more about this by reviewing the following resources from Microsoft:
Conclusion
To summarise, Just In Time and Just Enough Access are controls that help mitigate the risk posed by excessive and permanent permissions if – or more likely when – an administrative account is compromised.
Adopting the principle of least privilege and introducing a Privileged Access Management process that gives your users the exact permissions for the time they need them will help to minimise the impact of an attack in the case that any of your administrator credentials are compromised.
To find out more about how to implement PAM or identity security best practices for your Microsoft 365 environment, talk to Threatscape today.