As we move into 2021, we can breathe a sigh of relief that 2020 is safely behind us and hope that the new year brings us closer to normalcy. But one thing that has not changed in the past year is the importance of Privileged Access Management (PAM). As we witnessed in the Solar Winds attack, hackers will go to extraordinary lengths to gain access to privileged credentials and accounts because they hold the “keys to the kingdom.”
Without proper security for access controls, one compromised privileged account can cause widespread and irreparable damage to your infrastructure, intellectual property, and brand equity. To reduce this risk, all privileged credentials and access need to be effectively identified and managed across the enterprise.
This was the topic of a recent conversation between Paul Fisher, Senior Analyst at KuppingerCole, and Jim Taylor, Head of Product Management, Symantec Identity Management Security, a division of Broadcom. Their discussion centered on:
- Privileged credentials and access and their role in preventing a Solar Winds type attack
- How PAM fits into a Zero Trust Model
- The role of PAM in DevOps
The following includes highlights of this conversation:
Preventing & Mitigating a Solar Winds Type Attack
Question: Top of mind for many is the recent Solar Winds attack. Organizations are anxious about falling victim to a similar type of attack. How could a PAM technology have helped to prevent or mitigate this type of attack so CISOs can sleep better at night?
Answer: This attack shocked many of us and I am not sure that many of us will sleep well for a while, but there are two primary use cases where our Symantec PAM solution could have helped to prevent and mitigate an attack similar to what happened with Solar Winds.
First, let us consider the vendor side of the equation. Software is everywhere; it’s critical to running our businesses, and no matter how much we vet our development teams, a malicious insider, or in the case of Solar Winds, an external hacker can still gain access. For enterprises looking to protect their source code, Symantec PAM can enforce granular access controls to system resources - including files, folders, processes, registries, etc. This file integrity monitoring feature will send alerts if it detects any changes to the source code file and block the tampering programs. These preventive controls improve the underlying security of any server resource and should be considered wherever source code is being written, tested, and stored. This is something that every organization writing software should consider for protecting not only source code, but also other sensitive information, which brings up the other side of the equation.
Second, for the organizations implementing, unbeknownst to them, software that has been compromised, they must remember the third tenet of Zero Trust, which is, assume breach. They need to build their defensive strategy and approach with the assumption that someone, somewhere is going to break in. In the case of the Solar Winds attack, it was through a backdoor included within the source code, but that really does not matter. What matters is this – if someone gets in, what controls are in place that will minimize the impact of this breach?
The same fine-grained access controls that we just talked about that can protect source code at the vendor can also be implemented to help prevent and mitigate the damage caused by any APT attack. After hackers gain administrative privileges, they usually install backdoor “rootkits” and begin to export sensitive data. With Symantec PAM server control agents deployed, proper access controls can be enforced such that even with root level privileges, the hacker can be prevented from:
- accessing sensitive files
- executing malicious commands
- installing programs
- stopping or starting services
- initiating new inbound or outbound communications
- changing log files
We have seen many customers who have deployed our PAM appliance to leverage its credential vault and session recording capabilities, now starting to look at adding agents to protect their mission critical servers because they recognize the risk if, or when, they are breached.
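As an added illustration of the file integrity monitoring idea described in this answer (this is example code written for this page, not Symantec PAM's own implementation or any code from the interview), the following Python script takes a SHA-256 baseline of the source files under a directory and then reports which files were modified, added, or deleted relative to that baseline. The source tree it builds in a temporary directory, the file names, and the "unauthorized edit" are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large artifacts do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=(".c", ".h", ".py", ".cs")) -> dict:
    """Map each monitored source file (path relative to root) to its digest.

    Only files with a monitored suffix are included; everything else is ignored,
    which mirrors the idea of scoping the monitor to where code is written and stored.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as modified, added or deleted.

    In a real deployment the baseline would be stored off-host (or in a location the
    monitored host's root account cannot write), otherwise an attacker with root can
    simply re-baseline after tampering.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a small source tree, then one file is altered and one appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "src" / "util.h").write_text('#define VERSION "1.0"\n')
        (root / "README.txt").write_text("not a monitored suffix\n")

        baseline = build_baseline(root)

        # Simulated unauthorized change to a source file plus a new, unexpected file.
        (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
        (root / "src" / "extra.c").write_text("/* dropped in after the baseline */\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the drift report for the constructed tree: `src/main.c` as modified and `src/extra.c` as added. The alerting and blocking that the answer attributes to the PAM agent would sit on top of a report like this; the example only shows the detection half.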
The Role of PAM in a Zero Trust Model
Question: You mentioned Zero Trust. This is another topic that our customers routinely ask us about, but for many, Zero Trust is more about securing the disappearing perimeter. How do you position your PAM solution into a Zero Trust architecture and model?
Answer: Zero Trust has been around for a long time, but has risen in mindshare with the migration to cloud, adoption of DevOps, and more recently the huge shift to working from home – but, the principles of Zero Trust have been driving customers to implement PAM technologies for years.
Consider the Three Core Tenets of Zero Trust:
#1: The first tenet of Zero Trust is to identify every user and device requesting access. Historically, privileged accounts and passwords were often shared by multiple internal and sometimes external individuals, which made auditing who actually accessed the account and performed activities with it nearly impossible. Over 20 years ago, auditors recognized this risk and encouraged organizations to implement stronger controls over these accounts. This led to the creation of the first PAM tools, which addressed this challenge by vaulting the credentials used to access these accounts, and then required users to authenticate themselves to the PAM solution, often with a two-factor credential, before they could gain access to the credential.
#2: The second tenet of Zero Trust is to enforce least privileged access. Privileged accounts commonly provide unlimited access and permissions that, if compromised, would enable a malicious user to do more damage or steal more data. PAM technologies address this issue by enforcing granular access controls over these accounts, such that organizations can limit which actions different users can perform when using the same account. In this way, organizations can define and enforce separation of duties policies over accounts, such as root. This makes it more difficult for the hacker, as they may need to compromise many accounts in order to gain the privileges they need to carry out an attack.
#3: Finally, there is the third tenet of Zero Trust, which is to assume breach. Despite all the defenses you create to keep bad actors out, you must assume that someone will find a way in, and we have already discussed the ways that Symantec PAM can help to mitigate the damage when this occurs.
The Role of PAM in DevOps
Question: We have spoken a lot about users, but what about non-humans? How do you view this use case? Are you seeing your customers deploying your PAM solution into DevOps environments? Is this a big driver for new deals?
Answer: Yes. Many of our customers are using Symantec PAM to protect non-human access. In fact, we conducted a recent survey of our customers, and nearly 50 percent of our customers are leveraging our application to application password management (AAPM) capabilities to secure communications between applications. AAPM is primarily used to remove passwords or other credentials that are embedded in apps, scripts, or configuration files, where they could be easily stolen. Instead, apps are required to authenticate themselves to Symantec PAM and request a privileged credential, exactly as a human user would do.
This AAPM feature is exactly what is used to secure privileged credentials used in the DevOps environment to automate CI/CD processes. The only difference is that these tools may use credentials other than passwords, and therefore, this is more commonly referred to as Secrets Management. Symantec PAM supports both AAPM and Secrets Management natively, and we will be enhancing these capabilities in the next 12-18 months so we can accommodate more types of credentials. This will be a big investment area for us.
In terms of new business, we are seeing capacity growth from existing customers that are expanding from the vault into AAPM and Secrets Management use cases; however, we are not seeing this as a primary driver for new deals. We are still, most commonly, seeing organizations begin with vaulting credentials and implementing session management and recording. People are still the weakest link in many security strategies, and getting those privileged credentials and accounts that are being accessed by human actors is still the top priority for many organizations.
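The problem AAPM and Secrets Management address in the two answers above is credentials embedded in scripts and configuration files. As an added example (written for this page; not code from the interview and not part of Symantec PAM), the Python scanner below finds such embedded literals while passing over values that are resolved at runtime from a vault or the environment, which is what the hardened form of a script looks like. The three sample files, the secret values in them, and the `vault-cli` command name used in the hardened script are all constructed for the illustration.

```python
import re

# Constructed sample files: two with embedded credentials, one that fetches them at run time.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD='Sup3rS3cret!'\n"
        'export API_KEY="AKIAEXAMPLEKEY0000000"\n'
        "psql -U app -h db.internal\n"
    ),
    "app.properties": (
        "db.user=app\n"
        "db.password=hunter2\n"
        "db.password.source=vault\n"
    ),
    "hardened.sh": (
        "#!/bin/sh\n"
        # vault-cli is a hypothetical command standing in for a PAM/vault client call.
        'DB_PASSWORD="$(vault-cli get db/app)"\n'
        'API_KEY="${API_KEY}"\n'
    ),
}

# A key that ends in a credential-like word, followed by '=' or ':' and a value.
# Covers shell assignments (with optional 'export'), .properties and simple YAML-style lines.
KEY_VALUE_RE = re.compile(
    r"(?i)^\s*(?:export\s+)?"
    r"([A-Za-z0-9_.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token))"
    r"\s*[=:]\s*(.+?)\s*$"
)


def is_runtime_reference(value: str) -> bool:
    """True when the value is resolved at run time rather than stored as a literal.

    Recognises shell command substitution $(...), ${VAR} and $VAR references.
    An empty value is also not an embedded secret.
    """
    stripped = value.strip().strip("\"'")
    return stripped == "" or stripped.startswith("$")


def scan_text(name: str, text: str) -> list:
    """Return (file, line number, key) for every embedded credential literal in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE_RE.match(line)
        if match and not is_runtime_reference(match.group(2)):
            findings.append((name, line_no, match.group(1)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of file name -> contents and concatenate the findings."""
    results = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


if __name__ == "__main__":
    for file_name, line_no, key in scan_files(SAMPLE_FILES):
        # Report the location and key only; never echo the secret value into logs.
        print(f"{file_name}:{line_no}: embedded credential in '{key}'")
```

The scanner flags `DB_PASSWORD` and `API_KEY` in `deploy.sh` and `db.password` in `app.properties`, and reports nothing for `hardened.sh`, whose values are obtained at run time. A pattern list like this is deliberately narrow; in practice it is the starting point for a pre-commit or CI check that stops new literals being added while existing ones are migrated to a vault.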