Protecting the Endpoint with Privileged Identity Management

Mike Campbell, IAM Consultant, SecureITsource, Inc. Your company may already be managing employee access to sensitive systems with a privileged access tool like CyberArk or thinking about it. This is a crucial step in building out a secure computer network as most attacks on a network involve the use of privileged accounts. While network and system administrators often need elevated access to systems to perform their job, providing permissions to all resources on a system is usually unnecessary for an employee to complete their job. On the other hand, privileges are always going to be necessary to perform certain tasks. Why not enable only those trusted actions on an employee’s user account so that they don’t have to worry about using a local administrator account for some tasks? Why don’t we get rid of local administrator accounts all together?

That would be nice, but we can’t. While local administrator accounts are a large attack surface for network penetration attacks, full administrative privileges are necessary to provide maintenance to systems.

Instead, what is necessary is providing users with access to specific resources as needed. It is known that anti-virus and intrusion prevention systems are not perfect at detecting threats and that a layered approach is necessary in defending against attacks. Lately, ransomware has shown us the multitude of attack vectors there are in an organization, with possibly the simplest one (phishing) being the most common. We can’t rely on backups for ransomware remediation because it is unlikely that 100% of your network is automatically backed up. Insider threats are becoming more and more of a concern. And compliance may legally require least privilege access to system and network resources.

This is why we harden endpoints. There are two CyberArk components, the Endpoint Privilege Manager (EPM) and the On-Demand Privileges Manager (OPM), that provide granular access control to resources on endpoints. The EPM controls the Administrator “Run as” option on Windows applications while the OPM controls “sudo” access to privileged accounts on UNIX platforms.

These tools differ slightly in their approach but they both allow you to control privileged access to resources on a system. Applications, in the case of EPM, and commands, in the case of OPM, can be whitelisted or blacklisted from being allowed to run with elevated privileges. The Endpoint Privilege Manager will allow you to run trusted applications with Administrator privileges and will prevent an unknown application from accessing the Internet or reading/writing to the disk but otherwise with Administrator privileges. The application can then be reviewed to be trusted or blocked enterprise-wide. Greylisting is a good method for preventing common malware attacks on desktops in environments where users can still download and install commonly trusted software.

The On-Demand Privileges Manager provides sudo-like functionality to users who need to execute privileged commands on UNIX systems. Accountability is important on UNIX servers as there are often less user accounts and more shared service accounts. The OPM includes an Active Directory (AD) bridge that can be used to provision local accounts on UNIX systems based on the employees AD credentials. Default privileged commands can be provided or restricted based on AD group membership. This means employees can use local user accounts to perform daily functions on a UNIX system and request to switch to privileged accounts to run more privileged commands. If the user has access to the account in CyberArk, they can run the privileged command while remaining logged into their individual account. This is all while limiting access to the actual root account and not needing to manage the sudoers file.

Both tools provide auditable logging and session recording. After an incident, the Endpoint Privilege Manager reports on where, when and from what accounts suspicious applications entered the network. Many regulations that companies must comply with require privilege management and granular control over network resources. PCI-DSS, SOX and HIPAA all require some form of these controls. While there are tools in the marketplace that focus their effort on each of individual components discussed above, CyberArk integrates the components into its suite of privileged access tools providing a more complete view of who has access to what in the organization.

SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of consultants help our clients to reach their IAM goals by providing strategy, design, and engineering expertise.

www.secureitsource.com