I’m writing this to help newbies get into Privileged Access Management (PAM). Think of it as the free preview of a course I'll eventually finish. I’ll be using CyberArk as the reference point for the different pieces of functionality.
Why should you care?
Primarily because we need more Identity and Access Management (IAM) and Privileged Access Management (PAM) analysts, engineers, and architects in IT Security. Identity is the new battlefront, and IAM and PAM are critical to any company’s security plans. It’s also a great place to start out in IT Security and learn the ropes of everything else.
CyberArk? What is that?
CyberArk is a leading Privileged Access Management product. It focuses on securing privileged accounts in your environment: storing their credentials, controlling who can use them, keeping an audit trail, and rotating their passwords. The functionality is largely the same across other PAM products such as BeyondTrust or HashiCorp Vault, so understanding one should help you understand the others and help you land a PAM job.
Introduction to Identity and Access Management (IAM)
- Identity — First, let’s talk about identities. An identity generally refers to a person (or a system) and the user accounts that represent them, each with the level of access required for that person's job function and role. For example, Jamal is a new hire on the marketing team. He needs access to various reports and to the documentation portal for promos, but no privileged access that would let him change underlying systems. One identity can map to several accounts: Jamal may hold separate accounts across various business systems, each granting access to that system only.
- Access Management — Provisioning accounts, granting the required access, and deprovisioning accounts when they are no longer needed are the main activities in managing identities for normal users. This generally falls to an Identity and Access Management team. They grant permissions once the user’s manager has approved them, periodically audit access (for example when someone switches jobs and old entitlements should be removed), and remove access and disable the account when Jamal leaves the company.
Introduction to Privileged Access Management (PAM)
- Privilege — In this context, it’s the ability to perform actions standard accounts can’t. For example, installing software, remote access to servers running the company website, and changing system configurations including workstations or servers. There are various types of accounts like personal accounts, shared accounts, and service accounts that can have privilege.
- Privileged Access Management — The core intent of implementing privileged access management (PAM) is to manage and monitor privileged access to accounts and applications. Privileged accounts can be a wide range of account types such as local admin, root, service accounts, SSH keys, Domain Admin accounts, Azure Admin accounts, AWS admin accounts, etc.
Ok, great, why PAM?
- Compliance teams will love you. PCI DSS, IT SOX controls, and similar frameworks all expect privileged access to be controlled and logged.
- Limit lateral movement — if the local admin password is the same on every host, an attacker who grabs it from one machine can move across the whole network. Unique, rotated passwords per account and per host break that chain.
- Reduce password re-use, which is a HUGE issue for IT Security.
- Audit trail of who used which privileged account, when, and for what.
- Control remote access performed with privileged accounts.
- Rotate passwords after each use, so a credential an attacker captures during a session is worthless afterwards.
- Rotate service account passwords that otherwise would NEVER be changed (yes, I’ve seen ones that haven’t been changed in 15+ years).
- Reduce password exposure to users: admins can connect through the vault without ever seeing the password.
- Environment isolation between the admin's workstation and the target system.
- Credentials stored encrypted within the Vault.
Authorization vs Authentication
- Authentication is proving you are who you claim to be. Jamal enters his login ID and password and is able to log into his laptop; Active Directory checks that the login and password match and lets him in. From then on he can use that account to do his work.
- Authorization is what Jamal’s authenticated account is allowed to do. He is authorized for an email account, a domain user account that lets him log into the laptop in the first place, SharePoint access to share documents, and so on. He is not authorized, however, to log directly into servers, install software, or grant access to other accounts.
CIA
- No, not that CIA. In IT Security this refers to Confidentiality, Integrity, and Availability. Also known as the CIA triad. These are core items that IT security programs circle around.
- Read — Confidentiality is where only authorized users are allowed to read or see data.
- Write — Integrity is where only authorized users are allowed to update or write data.
- Up — Availability is ensuring systems are up and running for use by the business.
CyberArk Components:
Enterprise Password Vault (EPV) is the secure repository of all sensitive information, and it is responsible for securing this information, managing and controlling all access to this information, and maintaining and providing tamper-proof audit records. Translated, this means your sensitive passwords, secrets, SSH keys, etc., will be secured within an encrypted digital vault.
Password Vault Web Access (PVWA) is the friendly web UI through which users and vault admins access the privileged accounts secured in the Vault. In most deployments, logins are configured to require multi-factor authentication, for example via Azure MFA, Duo, or a RADIUS-integrated MFA provider.
Central Policy Manager (CPM) is the component that changes passwords on target systems, such as Active Directory domains, servers, appliances, databases, etc. It verifies and rotates the credential for a wide variety of account types according to the policy set for each platform.
Privileged Session Manager (PSM) is a proxy (jump host) between the admin's workstation and the target server or application. The admin connects to the PSM, and the PSM opens the session to the target using the credential it retrieves from the Vault, so the password never reaches the admin's workstation. This isolates the target from anything malicious running on the admin's own machine. It also provides an audit trail and a video recording of the actions taken with the privileged account(s) during the session.
Privileged Threat Analytics (PTA) monitors Vault activity and Active Directory / syslog events for suspicious use of privileged accounts. It alerts on risky behaviour and can automatically suspend or terminate PSM sessions based on a risk score you can tune.
Application Access Manager (AAM, aka CCP, aka AIM, aka CP, aka ASCP; yes, they won’t stop changing the name) provides privileged access, credential, and secrets management for widely used application types and non-human identities. Translated, this means an application makes an API call to CyberArk’s Vault at runtime to securely pull the credential it needs. This is the offering that lets you remove hard-coded passwords from config files and scripts: instead of the password sitting in a file, the application points at AAM, is authenticated (for example by certificate, host, or OS user), and retrieves the password stored in the Vault, which the CPM keeps rotating underneath it.
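To make the hard-coded-password point concrete, here is an added example (not CyberArk's code or any part of the product) showing the anti-pattern AAM exists to remove and the runtime lookup that replaces it. The URL layout (`/AIMWebService/api/Accounts?AppID=...&Safe=...&Object=...`) and the response fields (`UserName`, `Content`, `Address`, `PasswordChangeInProcess`, `ErrorMsg`) mirror the CCP REST interface as I understand it; treat them as assumptions and confirm against the docs for your version. The names `ReportsApp`, `Reports-Safe`, `svc_reports-db01` and `ccp.corp.example` are made up, and the HTTP transport is injected so the example runs offline against a constructed response.

```python
"""Runtime credential retrieval instead of a hard-coded password.

Added example, not CyberArk's own client. The CCP URL layout and response
field names below are assumptions about the REST interface; the transport is
injected so this runs offline. In production the transport would be an HTTPS
GET authenticated with the application's client certificate.
"""
import json
import re
from typing import Callable, Dict
from urllib.parse import urlencode

# --- Before: the anti-pattern AAM is meant to remove ----------------------
# A secret literal in config or a script: readable by anyone with the file,
# committed to source control, and never rotated because nobody dares.
LEGACY_CONFIG = {
    "db_host": "db01.corp.example",
    "db_user": "svc_reports",
    "db_password": "Winter2009!",  # constructed value; the flaw is that it's here at all
}

SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)


def has_hardcoded_password(config: Dict[str, str]) -> bool:
    """Crude check for literal secrets in a flat config dict: any key that
    looks like a credential and holds a non-empty string value."""
    return any(
        bool(SECRET_KEY_PATTERN.search(key)) and isinstance(value, str) and value != ""
        for key, value in config.items()
    )


# --- After: ask the vault for the credential when the app starts ----------
Transport = Callable[[str], str]  # takes a URL, returns the response body


def build_ccp_url(base_url: str, app_id: str, safe: str, obj: str) -> str:
    """Build the CCP GetPassword URL (assumed path and parameter names)."""
    query = urlencode({"AppID": app_id, "Safe": safe, "Object": obj})
    return f"{base_url.rstrip('/')}/AIMWebService/api/Accounts?{query}"


def fetch_credential(base_url: str, app_id: str, safe: str, obj: str,
                     transport: Transport) -> Dict[str, object]:
    """Retrieve one account from the vault and return it in a neutral shape.

    Raises LookupError when the service answers with an error body, and
    surfaces PasswordChangeInProcess so the caller can retry instead of
    authenticating with a password the CPM is in the middle of rotating.
    """
    body = json.loads(transport(build_ccp_url(base_url, app_id, safe, obj)))
    if "ErrorMsg" in body:
        raise LookupError(f"vault lookup failed for {safe}/{obj}: {body['ErrorMsg']}")
    return {
        "username": body["UserName"],
        "password": body["Content"],
        "address": body.get("Address", ""),
        "rotating": body.get("PasswordChangeInProcess", "False") == "True",
    }


def fake_ccp_transport(url: str) -> str:
    """Constructed stand-in for the HTTPS call; it knows exactly one object.
    A real transport would be roughly:
        requests.get(url, cert=(CLIENT_CERT, CLIENT_KEY), verify=CA_BUNDLE).text
    """
    if "Object=svc_reports-db01" in url:
        return json.dumps({
            "UserName": "svc_reports",
            "Address": "db01.corp.example",
            "Content": "vX9#kQ2m!pR7tL4w",  # constructed; in reality the CPM-rotated value
            "PasswordChangeInProcess": "False",
        })
    return json.dumps({"ErrorMsg": "constructed: no such object in safe"})


if __name__ == "__main__":
    print("legacy config has hard-coded secret:", has_hardcoded_password(LEGACY_CONFIG))
    cred = fetch_credential("https://ccp.corp.example", "ReportsApp",
                            "Reports-Safe", "svc_reports-db01", fake_ccp_transport)
    # Use cred["password"] to open the DB connection, then let it go out of
    # scope; never write it to a log or a file.
    print("fetched account:", cred["username"], "@", cred["address"],
          "(rotation in progress)" if cred["rotating"] else "")
```

The design point is where the password lives: in the "before" it is a literal in a file; in the "after" it exists only in memory for as long as the connection needs it, and the CPM can rotate it without anyone editing config. The `rotating` flag matters in practice because a lookup that lands mid-rotation can hand back a value that is about to stop working.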
Conclusion
Hopefully this helps you understand various pieces of IAM, PAM, CyberArk’s tools, and eventually lands you an IT Security and/or PAM job.
Reminder: Don’t hand out admin rights like free candy to everyone in your company.