Remote Security: an overview of popular PAM Solutions



The shift to remote work did not begin this year. The global lockdowns brought on by the pandemic did not create it but merely acted as a catalyst, and many companies that have moved away from office-based work will not return to it once quarantine restrictions are lifted. Moving workers beyond the perimeter of the office and the enterprise network suits both employees and employers. While taking full advantage of telecommuting, do not sacrifice security: pay particular attention to the management of privileged accounts.

Remote access makes it easy for an attacker to steal valuable corporate information or take an enterprise information system offline. At the same time, unauthorized actions by privileged users are hard to detect without dedicated tools, so an attack carried out through a privileged account may go unnoticed for a long time.

Reducing the risks of privileged accounts and privileged access calls for specialized solutions that automate account management and continuously monitor what remote employees do. Privileged Access Management (PAM) solutions address the problems shown in the figure below:



Fig. Problems organizations face when using privileged accounts. Source: Ponemon Institute report "The Insecurity of Privileged Users". The horizontal axis shows the percentage of organizations reporting each problem.

PAM Solutions Features

The essential PAM functions fall into four areas:
  • Session monitoring
PAM systems track every step taken by administrators, senior managers and contractors and record their actions. They flag suspicious activity such as bulk data downloads or access from unusual locations (for example, an Internet café).
  • Access control
Storing privileged credentials in a dedicated vault, combined with clear rights management, prevents unauthorized logins and the use of stale credentials by intruders.
  • Recording and archiving
Every session is recorded and kept in a dedicated repository. Some PAM systems can also capture video of the user's screen, which is a valuable aid when analysing dangerous or malicious acts, and these archived recordings often become the main evidence in disciplinary and legal proceedings.
  • Analytics and reporting
The more advanced PAM systems give detailed insight into what system administrators do. Information security officers can see which user logged in and when, how long they stayed in the system and what actions they performed. Reporting helps to identify policy violations early and to prevent potential data leaks.
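As an added example (not code from the original post or from any of the vendors reviewed below), the analytics described in the last two points can be reproduced over a PAM gateway's session export. The script below works on a constructed sample log and an assumed per-user baseline of known source networks; it flags sessions from outside that baseline, detects the same privileged account open at the same time from two different source addresses (the credential-sharing pattern discussed in the conclusions), and totals per-user session time and actions. The log format and the network baseline are illustrative assumptions, not any product's export format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data (not a real export). One privileged session per line:
# start,user,privileged_account,source_ip,end,action_count,protocol
SAMPLE_LOG = """\
2024-03-02T09:00:00Z,alice,root@db01,10.20.1.15,2024-03-02T09:42:00Z,47,ssh
2024-03-02T10:05:00Z,bob,Administrator@fs02,10.20.2.31,2024-03-02T10:30:00Z,12,rdp
2024-03-02T10:10:00Z,bob,Administrator@fs02,198.51.100.77,2024-03-02T10:50:00Z,9,rdp
2024-03-02T22:15:00Z,alice,root@db01,203.0.113.9,2024-03-02T23:40:00Z,210,ssh
"""

# Assumed baseline: the corporate networks each user normally connects from.
KNOWN_NETWORKS = {
    "alice": [ip_network("10.20.1.0/24")],
    "bob": [ip_network("10.20.2.0/24")],
}


@dataclass
class Session:
    start: datetime
    user: str
    account: str
    src_ip: str
    end: datetime
    actions: int
    protocol: str

    @property
    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(text: str):
    """Parse the comma-separated session records into Session objects."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, user, account, ip, end, n, proto = line.split(",")
        out.append(Session(_ts(start), user, account, ip, _ts(end), int(n), proto))
    return out


def unusual_locations(sessions, known=KNOWN_NETWORKS):
    """Sessions whose source IP lies outside the user's known networks."""
    flagged = []
    for s in sessions:
        addr = ip_address(s.src_ip)
        if not any(addr in net for net in known.get(s.user, [])):
            flagged.append(s)
    return flagged


def concurrent_shared_use(sessions):
    """Same privileged account open at the same time from two different
    source IPs: a classic sign that the credential has been shared."""
    hits = []
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    for account, group in by_account.items():
        group.sort(key=lambda s: s.start)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.start < a.end and a.src_ip != b.src_ip:
                    hits.append((account, a.user, a.src_ip, b.user, b.src_ip))
    return hits


def summarize(sessions):
    """Per-user minutes of privileged access, actions performed and session count."""
    totals = defaultdict(lambda: {"minutes": 0, "actions": 0, "sessions": 0})
    for s in sessions:
        t = totals[s.user]
        t["minutes"] += s.minutes
        t["actions"] += s.actions
        t["sessions"] += 1
    return dict(totals)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for s in unusual_locations(sess):
        print(f"unusual location: {s.user} -> {s.account} from {s.src_ip} at {s.start:%H:%M}")
    for hit in concurrent_shared_use(sess):
        print("concurrent use of shared account:", hit)
    print(summarize(sess))
```

On the sample data the script flags both off-network sessions and the overlapping use of Administrator@fs02 from two addresses. In practice the baseline would be learned from history rather than hard-coded, and the overlap check is where a vendor's behavioural analytics adds the most value over a hand-written rule.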

What does the PAM solutions market offer?

The market for PAM solutions is developing rapidly. Access to an organization's confidential information becomes especially vulnerable when employees move to remote work. We have selected the leading PAM solutions for controlling privileged accounts and compared their features and advantages.



ARCON Privileged Access Management Platform



ARCON controls privileged users and offers a number of other advanced features, including preventing unauthorized access to systems and identifying insider and advanced cyber threats. The product provides real-time alerts, analytics and monitoring of privileged users, and a robust security framework that also improves operational efficiency.

Advantages:
  • prevents insider and advanced cyber threats
  • prevents unauthorized access to systems
  • real-time alerts
  • provides analytics and monitoring
  • a robust security framework that improves operational efficiency
Price: there is a free trial; the cost of the paid version must be checked with the manufacturer.

BEYONDTRUST Privileged Access Management Platform



BeyondTrust offers a set of tools for managing and controlling privileged access, with a wide range of capabilities and easy deployment. It reduces administration costs and the associated risks.

BeyondTrust's Privileged Access Management tools are divided into three groups. The Universal Privilege Management concept lets you combine BeyondTrust products flexibly and modularly on the single BeyondInsight platform, so that their combined functionality matches the company's current needs for managing different types of privileges, privileged and remote access sessions, threat analytics and reporting.



Password Safe is the credential management component, designed to manage passwords and sessions.

Advantages:
  • Automatic discovery of accounts with elevated rights and their onboarding into the managed inventory.
  • Secure management of SSH keys, protecting confidential information from compromise.
  • An API through which applications retrieve credentials at run time, removing the need for hard-coded or stored passwords.
  • Real-time monitoring of privileged sessions with analytics on key characteristics of user behaviour.
Price: £25 per license; educational organizations receive a discount.

Centrify Privileged Access Management Solution



The product is delivered as SaaS and provides secure access to any part of the enterprise's computing infrastructure, including cloud storage, DevOps environments and Big Data stores.

The Centrify platform consists of five components:
  • Privileged Access Service: a single place for storing credentials and handling requests for access to resources. The password vault supports multi-factor authentication and remote access to resources in the DMZ through a jump box.
  • Authentication Service: handles secure authentication of privileged users at the level of an individual device or the network. The service integrates with Active Directory and supports group policies.
  • Privilege Elevation Service: flexible management of assigned rights, with delegation of privileges and temporary access to local and network resources.
  • Audit & Monitoring Service: extensive session logging at the host, gateway and device levels.
  • Privilege Threat Analytics Service: works with the other four subsystems to analyse user behaviour and detect anomalous activity.
Advantages:
  • Centralised identity and access management
  • Multi-factor authentication (MFA) for access and privilege elevation
  • Risk-aware access
  • Consolidated identities and fewer break-glass accounts
  • Mitigate VPN risk
  • Grant just enough privilege (least privilege access)
  • Grant just in time privilege (require access approvals)
  • Machine Identity & Credential Management
  • Group Policy Management
  • Local Account and Group Management
Price: a 30-day fully featured free trial, or an Express version with limited functionality, optionally with pre-sales support; £3333 per licence per year.

CyberArk Privileged Account Security Solution



CyberArk Privileged Account Security Solution is a comprehensive specialized solution for automated control of users with broad privileges. Its modules protect and control access and monitor and control actions on any system. The solution analyses behaviour and, where necessary, notifies administrators of potentially dangerous actions. It also manages privileges and applications on Windows endpoints.

The functionality of CyberArk Privileged Account Security Solution complements existing account management tools and allows PAM to be implemented without additional software agents. A further plus is the modular platform, which allows an integrated solution to be built while managing both individual components and the system as a whole.

Advantages:
  • Definition of your own rules and access control policies covering all privileged users, with isolation and additional protection of accounts that have an expanded set of rights.
  • Real-time monitoring of privileged accounts, with the ability to produce a text log or a video recording of the actions taken.
  • Automatic detection of anomalous user activity based on data from several sources and a combination of statistical and deterministic algorithms.
  • Least privilege for Unix and Linux sessions: administrative commands run without granting an unrestricted root shell.
  • A single service for managing SSH keys, providing secure storage of private keys, access control and distribution of the corresponding public keys to target systems.
  • Windows domain controller protection that manages user and application rights on key network resources. The solution can detect attacks on Active Directory and the Kerberos Key Distribution Center, including Golden Ticket, Overpass-the-Hash and manipulation of the Privilege Attribute Certificate (PAC).
Price: there is a free trial; £680 per licence per year.

You will find more solutions on our website.

Conclusions

Data leaks cause companies significant financial and reputational damage every year. Privileged accounts are of particular interest to cybercriminals because far from every organization monitors what its administrators do. A survey reported by the Help Net Security portal found that 31% of companies control the actions of privileged users purely by hand, and 75% believe that administrators and IT specialists periodically share accounts with elevated rights with other people, leaving loopholes for network penetration. Under these conditions, companies face growing risks of hacking, data theft and other malicious activity carried out precisely through the accounts of administrators, contractors and senior managers.

Solving the problem of unrestricted access is extremely difficult without automated PAM tools, especially in organizations where privileged users number not a handful but tens or hundreds, including internal staff and external contractors; there, information security staff simply do not have time to control the work of each of them manually. A PAM system implemented in good time protects the company from possible insider actions by administrators and senior management, controls the activity of outsourcing companies and helps to satisfy the many laws and standards that apply in different industries, including PCI DSS, ISO 27002, the EU GDPR, Cyber Essentials and the NIST Cybersecurity Framework.

When choosing a PAM solution, consider the following aspects:

1. Key PAM features
  • Management of passwords for shared and privileged accounts.
  • Analysis and filtering of the commands and actions entered.
  • Auditing of privileged user actions.
  • Access to privileged accounts granted on request and limited in time.
  • Isolation of target servers and resources.
2. PAM tasks. A system for managing access to privileged accounts should:
  • implement a workflow for personal (named-user) access to privileged accounts on specific systems, with a clear justification of the need and the required number of approvals;
  • control, out of the box, the common protocols used to manage information systems and equipment, and record every action administrators perform over them;
  • store information about privileged accounts securely in a specialized repository that cannot be accessed, altered or deleted without authorization;
  • provide secure, personalized work with privileged accounts for administrators and for applications running as the superuser (root) or administrator;
  • control privileged sessions in real time, with the ability to terminate a session if necessary;
  • provide an audit of administrators' actions in a convenient format, so that an auditor can quickly find the events of interest and see what was happening at that moment, as if standing behind the administrator and looking at the screen;
  • offer powerful search tools for analysing recordings of privileged sessions during an investigation;
  • isolate (proxy) privileged connections from the real servers, so that a direct connection is impossible;
  • provide availability and fault tolerance.

A PAM solution should not only record what administrators do but also have mechanisms to restrict access to the most sensitive target systems (servers, network equipment, web applications and so on):
  • multi-factor authentication,
  • blocking of disallowed commands,
  • restrictions on protocol features (for example, prohibiting copying data to the clipboard), and so on.
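The checklist above reads like a specification. As an added example, not code from the original post or from any vendor's product, the Python below sketches a minimal access broker that enforces several of the points at once: a request must carry a justification, must collect the number of approvals the (assumed) policy demands and cannot be approved by the requester; the resulting grant is time-limited; every command typed in the proxied session is checked against a deny list before being forwarded and is written to an audit trail; and a session is terminated either by an operator or automatically on expiry. The POLICY table, the target classes and the command patterns are illustrative assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy (illustrative, not any vendor's format): how many approvals a
# checkout needs, the longest grant allowed, and command patterns to block.
POLICY = {
    "db": {"approvals": 2, "max_minutes": 60,
           "deny": [r"^rm\s+-rf\s+/", r"^dd\s", r"^mkfs", r"^curl\b.*\|\s*sh\b"]},
    "web": {"approvals": 1, "max_minutes": 30,
            "deny": [r"^rm\s+-rf\s+/", r"^useradd\b", r"^passwd\b"]},
}


@dataclass
class Grant:
    """A time-limited, audited checkout of one privileged account."""
    session_id: str
    user: str
    target: str
    expires: datetime
    terminated: bool = False
    audit: list = field(default_factory=list)


class AccessBroker:
    def __init__(self, policy=POLICY, now=None):
        self.policy = policy
        # Injectable clock so expiry can be exercised deterministically.
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.requests = {}  # request_id -> pending request

    def request(self, user, target, target_class, justification, minutes):
        """Open an access request; a justification and a bounded duration are mandatory."""
        if not justification.strip():
            raise ValueError("justification required")
        rule = self.policy[target_class]
        if minutes > rule["max_minutes"]:
            raise ValueError(f"at most {rule['max_minutes']} minutes allowed")
        rid = secrets.token_hex(4)
        self.requests[rid] = {"user": user, "target": target, "class": target_class,
                              "minutes": minutes, "approvers": set(),
                              "justification": justification}
        return rid

    def approve(self, rid, approver):
        """Record an approval; returns True once the policy's quorum is reached."""
        req = self.requests[rid]
        if approver == req["user"]:
            raise PermissionError("requester cannot approve own request")
        req["approvers"].add(approver)
        return len(req["approvers"]) >= self.policy[req["class"]]["approvals"]

    def checkout(self, rid):
        """Issue a grant only when enough distinct approvals exist."""
        req = self.requests[rid]
        need = self.policy[req["class"]]["approvals"]
        if len(req["approvers"]) < need:
            raise PermissionError(f"{need} approvals required, have {len(req['approvers'])}")
        g = Grant(secrets.token_hex(8), req["user"], req["target"],
                  self.now() + timedelta(minutes=req["minutes"]))
        g.audit.append((self.now(), "checkout", req["justification"], sorted(req["approvers"])))
        return g

    def is_blocked(self, target_class, command):
        return any(re.search(p, command) for p in self.policy[target_class]["deny"])

    def run(self, grant, target_class, command):
        """Filter one command typed in the proxied session; True means it is forwarded."""
        if grant.terminated:
            return False
        if self.now() >= grant.expires:
            grant.terminated = True
            grant.audit.append((self.now(), "expired", command))
            return False
        if self.is_blocked(target_class, command):
            grant.audit.append((self.now(), "blocked", command))
            return False
        grant.audit.append((self.now(), "allowed", command))
        return True

    def terminate(self, grant, reason):
        """Operator-initiated kill of a live session."""
        grant.terminated = True
        grant.audit.append((self.now(), "terminated", reason))


def demo():
    """Walk one request through approval, a filtered session and expiry."""
    clock = [datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)]
    broker = AccessBroker(now=lambda: clock[0])
    rid = broker.request("alice", "root@db01", "db", "INC-1234: restore table", 30)
    broker.approve(rid, "bob")
    broker.approve(rid, "carol")
    g = broker.checkout(rid)
    results = [broker.run(g, "db", "systemctl restart postgresql"),
               broker.run(g, "db", "rm -rf /var/lib/postgresql")]
    clock[0] += timedelta(minutes=31)  # past the 30-minute grant
    results.append(broker.run(g, "db", "ls"))
    return results, [entry[1] for entry in g.audit]


if __name__ == "__main__":
    print(demo())
```

A deny list is the simplest form of command filtering and is easy to bypass with aliases, encodings or interactive shells; production PAM products combine it with protocol-level proxying and session recording, which is why the checklist lists those separately rather than relying on command filtering alone.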
