PAM Automation Scripts: Don’t Forget to Secure Admin Credentials

-

While IT executives understand the essential role privileged access management (PAM) solutions play in their organization’s overall security strategy, they’ve also continued to ask their PAM administrators to do more with less resources. To meet these additional asks, PAM admins have automated routine PAM tasks using scripts. PAM automation scripts can significantly lessen the burden on PAM admins and enable organizations to scale PAM usage across their entire enterprise.

1- Why Are PAM Automation Scripts So Powerful?

A PAM admin’s daily responsibilities typically revolve around the lifecycles of privileged users in their organization and require high levels of privilege. For example, when a privileged user joins the organization, the PAM admin has to add them to the right safes and grant them the necessary permissions they need to perform their privileged tasks. If a user leaves an organization, all that access has to be revoked to ensure the organization remains secure.

These processes typically involve multiple steps, all of which take time for the admin. Consider just one example of a new employee joining the organization. Of course, there are various approaches, but in this example, the PAM admin must:

  • - Map that employee to an Active Directory (AD) group, giving them access to the software tools that they need for their job.
  • - Map the employee to a group that grants them the right level of access to all of the safes that have the credentials necessary to work in those software tools. (Another approach is to map the employee to each individual safe they need access to, but you can see how that could quickly get overwhelming.)

This gets even more complex when you consider named accounts. For a named account, a personal safe is created for that new employee. Then the admin has to assign the proper permissions and add that new employee’s account to that personal safe, then put proper rotation policies around that.

And this is just the basics. As organizations scale, their PAM usage grows with them. They may have to onboard or offboard a large number of users at one time, particularly in the following situations:

  • - Mergers and acquisitions, when employees are added by the hundreds (and sometimes thousands).
  • - Large joiner/leaver events, including large-scale layoffs, which create a significant overhead from a compliance perspective.
  • - Implementation of a PAM solution, including expanding users from just domain and local admins to groups like networking and cloud.

Admins need very high levels of privilege to complete these tasks. But do admins really want to do these repetitive tasks manually? And what’s the potential for errors with all of these manual steps? At some point, the growth reaches a point where automation isn’t just a nice-to-have – it’s essential for security teams who don’t have the resources to dedicate to all the mundane, day-to-day tasks required. You especially need this type of efficiency as you move beyond securing the human element and bring in all the machine identities that need to be secured – including virtual machines (VMs), service accounts in the cloud and robotic process automation (RPA) bots.

2- Best Practices for Securing PAM Automation

Here are some steps you can take to ensure that your PAM automation processes are secure:

  • Secure credentials used in scripts. No matter how inconsequential a script might seem, the value to the attacker is in the power of the embedded privileged credential(s). The script can be used as a jumping-off point for attackers if the right credential is embedded inside. Ensure that the credentials used in your automation scripts are vaulted and delivered at the time they are needed, not hard coded into the script.
  • Regularly rotate credentials. Establish policies to regularly rotate credentials. That way, even if there are hard-coded credentials in automation scripts, they quickly become invalid.
  • Automate credential management. Reduce the risk of human error by moving to an automated, on-demand process. Instead of having to manually manage credentials and add/remove users, you can have event-driven activities that are tied to your joiner/mover/leaver processes, including automated requests for approval.
  • Gain visibility. Ensure that you have oversight into what these automation scripts are doing – what resources they have access to, when they’re accessing and what they’re doing once they access the PAM solution. This is especially important for automation scripts that perform highly privileged activities like creating a new safe. Knowing exactly what these scripts are doing across your organization (and who is running them) can help you flag any risky activity and revoke access if needed.
  • Enforce least privilege. Don’t let these scripts have more access than they need. Follow the principle of least privilege so that these scripts have only the necessary privileges to perform their tasks, nothing more.
  • Practice defense in depth. Use the principles of Zero Trust and enact multiple layers of defense. Something like forced human approval with multi-factor authentication (MFA) can provide another hurdle for attackers who may have gained access to one of your automation scripts.

IZ

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more