UTM – Unified Threat Management is an umbrella term for many. UTM came at a time (more than a decade ago) when pieces of the security software stack were becoming disjoint and many enterprises were struggling to build a cohesive security perimeter. UTM was one easy and effective way to get all the security functions in one box, spool it up and get on with your daily business. The upside of this layered approach of building more value into one product with different security functions like IDS/IPS, firewalls and more is a reduction in the complexity of deployment and operation. The downside is often performance, because every packet has to pass through every engine in the box. In this article we discuss why the UTM approach to security makes sense for Privileged Access Management (PAM).
What is PAM
PAM stands for Privileged Access Management (Access is often interchanged with Account). The area is also identified as PUM or PIM (User or Identity). Various acronyms have been published over the years by research firms like Gartner, and in this article we explain what they all mean. I would strongly suggest reading Gartner’s Market Guide for Privileged Access Management for 2015 by Felix and Anmol. It’s a very well written, researched and clear guide on what to look for when you decide to bring on a PAM solution.
The role of PAM
PAM is tasked with making sure that access and operational rights to any IT or system resource are tightly controlled. Traditionally, PAM has been used to make it hard for an attacker who lands on a system to obtain and reuse its privileged credentials. PAM contains various facets: credential vaulting, check-out and check-in of shared passwords, auditing and more. All of these are designed to reduce the risk of credentials lying around (in scripts, spreadsheets, shared mailboxes) and falling into the wrong hands.
PAM is a set of tools, possibly rolled up under one control panel. These tools help IT and security teams not only manage and control the keys to the kingdom but also put processes in place that keep their lives sane. Consider users who want to install BitTorrent on their laptops and can do so without any involvement from the IT or security groups. Taking away admin rights cuts off this possibility but in turn creates a lot of tickets for the IT teams. PAM can be used to reach a happy medium: users get the specific elevation they need, on record, without holding a standing admin account. Have your cake and eat it too.
Quoting from the Gartner Report, interest in PAM technology is driven by several factors:
- The risk of insider threats
- The existence of malware that specifically targets privileged accounts
- Operational efficiency for administrator access
- Regulation and failed audits, because auditors are paying closer attention to privileged accounts, and regulations are forcing organisations to create an irrefutable trail of evidence for privileged access
- Access to privileged accounts by third parties: vendors, contractors and service providers
Various categories for PAM
According to Gartner’s report, a PAM solution is made up of several product categories. We will discuss these categories, their acronyms, and the implications and benefits of each. Several high-profile breaches and insider attacks have been known to exploit privileged accounts, and this has increased interest in tools that tighten controls on privileged activity, as well as interest in two-factor authentication for privileged access.
SAPM – Shared Account Password Management
SAPM deals with accounts that are shared by several people: root and Administrator accounts, service accounts, and SaaS admin logins that multiple individuals use. The SAPM component vaults those passwords, lets an entitled user check one out for a limited time, rotates it when the user checks it back in (or the lease expires), and records who held which account and when. Without this, a shared password is effectively anonymous: nobody can say who used it, and it keeps working long after the person who knew it has left.
PSM – Privileged Session Management
PSM covers the session itself rather than the credential. The user connects to the target through the PAM gateway (a proxy for SSH, RDP, database or web sessions), which injects the credential from the vault so the user never sees the password and simply gets access; the system figures out the identity and access rights as transparently as possible. Because the gateway sits in the path, it can monitor, record and replay the session and terminate it if something looks wrong. If you are running Linux servers on AWS for production you absolutely need session recording turned on for compliance purposes (SOX, SOC 2, HIPAA, Privacy Shield), and PSM is where that capability lives.
SUPM – Super User Privilege Management
SUPM is a critical part of the PAM landscape. Rather than handing an engineer root or local Administrator, SUPM grants fine-grained elevation: this role may restart this service, run this command, or edit this file, and every elevated action is logged. It is the sudo model, managed centrally and applied to Unix, Linux and Windows hosts alike. Case in point, if you are running Linux servers on AWS for production, your engineers should not be logging in as root; they should run the specific commands their role needs, with a log of each elevated command that auditors can review.
AAPM – Application to Application Password Management
This is a relatively newer area in the PAM landscape. It has gained importance in the last couple of years as DevOps organisations have become ever more prominent and machine-to-machine communications now have to traverse public Internet infrastructure. AAPM deals with credentials that applications, scripts and build pipelines use to talk to other systems: database passwords in config files, API keys in scripts, service account passwords baked into deployment images. Instead of hard-coding these, the application authenticates itself to the vault at run time and fetches the current secret, so the credential can be rotated without redeploying the application and never sits in a repository or an AMI.
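To make the SAPM and AAPM mechanics concrete, here is an added example (not Onion ID code, and not taken from any vendor's product) of a toy vault in Python: entitled users check a shared account out under an exclusive, time-limited lease, the password is rotated on check-in or when a stale lease is reclaimed, every event goes to an append-only audit list, and an application fetches its credential at run time after proving its own identity with a per-app token. The class and method names, the account names (`prod-db-admin`, `billing-svc`) and the users are all constructed for illustration; the clock is injectable so the lease-expiry path can be exercised.

```python
"""Toy PAM broker: shared-account checkout (SAPM), audit trail, rotation on
check-in, and run-time credential retrieval for applications (AAPM).
Added illustration only; all names and accounts are constructed."""
import hmac
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 24) -> str:
    """Rotation helper: a fresh random secret from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def raises(exc, fn, *args, **kwargs) -> bool:
    """True if calling fn raises exc; used to show the denial paths."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


@dataclass
class Lease:
    user: str
    expires_at: float


class Vault:
    """Single source of truth for shared-account secrets with an audit trail."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested
        self._passwords = {}       # account -> current secret
        self._entitled = {}        # account -> set of users allowed to check out
        self._leases = {}          # account -> Lease (one active checkout at a time)
        self._app_tokens = {}      # (account, app_id) -> per-app bearer token
        self.audit = []            # append-only list of event dicts

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def onboard(self, account, users):
        self._passwords[account] = generate_password()
        self._entitled[account] = set(users)
        self._log("onboard", account=account)

    def checkout(self, account, user, ttl=900):
        """Hand the current password to an entitled human for at most ttl seconds."""
        if user not in self._entitled.get(account, set()):
            self._log("checkout_denied", account=account, user=user)
            raise PermissionError(f"{user} is not entitled to {account}")
        now = self._clock()
        lease = self._leases.get(account)
        if lease is not None and lease.user != user:
            if lease.expires_at > now:
                self._log("checkout_conflict", account=account, user=user, holder=lease.user)
                raise RuntimeError(f"{account} is checked out by {lease.user}")
            # Previous holder never checked in: rotate before reissuing so the
            # password they still know stops working.
            self._passwords[account] = generate_password()
            self._log("expired_lease_rotated", account=account, user=lease.user)
        self._leases[account] = Lease(user, now + ttl)
        self._log("checkout", account=account, user=user, expires_at=now + ttl)
        return self._passwords[account]

    def checkin(self, account, user):
        """Release the lease and rotate, so a password a human has seen is invalidated."""
        lease = self._leases.get(account)
        if lease is None or lease.user != user:
            raise RuntimeError(f"{user} holds no lease on {account}")
        del self._leases[account]
        self._passwords[account] = generate_password()
        self._log("checkin_rotated", account=account, user=user)

    def register_app(self, account, app_id):
        """Issue a per-app token; it is provisioned to the app's runtime, never committed."""
        token = secrets.token_urlsafe(32)
        self._app_tokens[(account, app_id)] = token
        self._log("app_registered", account=account, app_id=app_id)
        return token

    def app_credential(self, account, app_id, token):
        """AAPM path: the application proves its identity and fetches the current secret."""
        expected = self._app_tokens.get((account, app_id))
        if expected is None or not hmac.compare_digest(expected, token):
            self._log("app_denied", account=account, app_id=app_id)
            raise PermissionError(f"{app_id} is not authorised for {account}")
        self._log("app_fetch", account=account, app_id=app_id)
        return self._passwords[account]
```

The two rotation points are the part worth copying: rotating on check-in means a password a human has read off the screen is dead the moment they are done, and rotating when a stale lease is reclaimed closes the gap where someone forgets to check in. The application path never exposes the secret to a person and never stores it on disk, which is the whole point of AAPM.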
The new kid on the block – SaaS PAM
Applications and servers are moving to the cloud. This is a well known trend that has gained serious momentum over the last few years. It means that fewer and fewer applications and servers are going to be housed in colocation facilities and data centers; they are moving into third-party vendor infrastructure. The move to SaaS is inevitable. The thing to watch out for is that when you move to SaaS services you need a way to manage fine-grained privileges on the SaaS apps themselves. Here is a typical example: you migrate App X to the cloud. Your on-premise version supported various user groups like marketing level 1 and sales level 2, each with different privileges. How are you making sure that the SaaS app understands and enforces the same fine-grained control, and that the SaaS admin account is vaulted and audited like any other privileged account?
Why does a UTM model make sense
A UTM model makes sense for PAM because of the various point products that vendors are currently selling to enterprises. Case in point: to do PAM right you need several things. PAM is not a one-shot solution; you can’t install one single piece of software that magically takes care of everything. Instead, in the current market, vendors are selling password vaults, session monitoring, session management, secrets management and more, all as separate pieces, often in an appliance format.
Breaking the pieces up like this leads to sub-optimal decisions. As an example, most enterprises find PAM products to be extremely expensive because of this à la carte model, so they buy the vault and skip session recording or application password management. A more cohesive offering that brings economies of scale and lowers price points, so customers don’t have to trade features against budget, is what is required. Enterprises need PAM, not 25% of PAM. Cost should not be the barrier to adoption.
Furthermore, going the UTM way also simplifies the deployment experience, which shortens the time to show ROI. For most legacy vendors supplying PAM solutions it takes months to install their products and get up to speed. It can even take up to a year when professional services organisations are involved. Simplicity and efficiency are the key mantras to live by. Enterprises should be able to show deployed solutions, happy users and live security controls in weeks, not months. A UTM model plays well to this perspective.
PAM is certainly going the UTM way. More companies are going to prefer the SaaS based UTM model to deploy and use PAM. In case you need assistance to craft your Privileged Access Management strategy, please feel free to get in touch with us at Onion ID.