Why Do PAM Deployments Take (almost) Forever To Complete

Privileged Access Management (PAM)

Privileged Access Management (PAM) solutions are a popular way to prevent identity threats to administrator accounts. In theory, the PAM concept makes perfect sense: vault administrator credentials, rotate their passwords, and closely monitor their sessions. The harsh reality, however, is that most PAM projects drag on for years or stall altogether, failing to deliver the promised security value.

In this article we explain why service accounts are the main obstacle to PAM onboarding, why vaulting service accounts and rotating their passwords is an almost impossible task, and how that leaves you exposed to security breaches as a result. Finally, we show how Silverfort is helping identity teams overcome these challenges for the first time by automatically discovering, monitoring and securing service accounts, streamlining the PAM onboarding process to just a few weeks.

The Promise of PAM: Protecting All Administrative Users

The concept of PAM is very simple. Attackers look to compromise administrator credentials and use them for malicious access, so it is only natural to put a hurdle in the way of that compromise. PAM provides close monitoring of administrator connections through session recording and, more importantly, an active layer of prevention by vaulting administrator credentials and subjecting them to periodic password rotation. Together, these greatly reduce the risk of a successful attack: even if an attacker compromises administrator credentials, password rotation invalidates them by the time the attacker attempts to use them to access targeted resources.

So, in theory, everything is fine.


The Reality of PAM: A Long and Complex Onboarding Process That Takes Years to Complete

However, what identity and security teams actually encounter is that deploying a PAM solution is one of the most resource-intensive processes there is. In practice, very few PAM projects ever reach the goal of securing all administrative accounts in the environment. Instead, challenges with no easy solution arise sooner or later. At best, these challenges slow the onboarding process down so that it lasts months or even years; at worst, the whole project stops. Either way, the impact is severe: on top of the significant investment of time and effort, PAM’s primary purpose is not achieved, and administrator accounts do not receive the protection they need.

PAM deployments present difficulties for a variety of reasons, the most prominent of which concerns the protection of service accounts.

Service Accounts in Brief: Privileged Accounts for Machine-to-Machine Connections

A service account is a user account created for machine-to-machine communication. Service accounts are mainly created in two ways. The first is by IT staff, who create them to automate repetitive monitoring, hygiene and maintenance tasks rather than performing them manually. The second is as part of deploying software products in an enterprise environment. For example, deploying an Exchange server requires creating various accounts to perform scanning, software updates and other tasks that connect the Exchange server to other machines in the environment.

Either way, a typical service account must have high privileges so that it can establish connections between the machines it was created to serve. This means it is no different from a human administrator account in terms of the protection it needs. Unfortunately, onboarding service accounts to a PAM solution is a nearly impossible task, and it is the biggest hurdle to a successful PAM deployment.

Visibility Gap: No Easy Way to Discover Service Accounts or Map Their Activities

As it happens, there is no easy way to get visibility into your service account inventory. In fact, in most environments it is impossible to know the full number of service accounts unless the creation, assignment and deletion of service accounts has been rigorously monitored and documented over many years. This means that fully discovering all service accounts in the environment requires significant manual discovery work that is beyond the reach of most identity teams.

Moreover, even if the discovery challenge is solved, there remains the deeper, unresolved challenge of mapping the purpose of each account and its resulting dependencies, that is, the processes or applications that the account supports and manages. This turns out to be the primary PAM blocker. Let’s understand why.

Implications for PAM: Rotating a service account’s password without visibility into its activity can break the processes it manages

A common way for a service account to connect to various machines and perform tasks is a script that contains the names of the machines to connect to, the actual commands to run on those machines and, most importantly, the service account’s username and password, which the script uses to authenticate to those machines. The conflict with PAM onboarding is that while PAM rotates the service account’s password in the vault, it has no way to update the hard-coded password in the script to match the new password it generated. So the first time the script runs after rotation, the service account tries to authenticate with the old password, which is no longer valid. Authentication fails, the task the service account was supposed to perform does not run, and any other processes or applications that depend on that task break. The domino effect and potential damage are clear.
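The break described above, as an added example that is not part of the original article: an in-memory stand-in for a vault rotates the password of a hypothetical `svc_backup` account, a legacy-style task that embedded the password at write time starts failing, and an adjusted task that checks the current password out of the vault at run time keeps working. The `Vault`, `TargetHost` and account names are constructed for illustration and model no real PAM product’s API.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Vault:
    """Stand-in for a PAM vault. In an AD deployment the password PAM sets is
    the one the domain validates, so one store models both vault and directory."""
    store: dict = field(default_factory=dict)

    def rotate(self, account: str) -> str:
        self.store[account] = secrets.token_urlsafe(16)   # scheduled rotation
        return self.store[account]

    def checkout(self, account: str) -> str:
        return self.store[account]                         # current password


@dataclass
class TargetHost:
    """Stand-in for a machine the service account connects to."""
    name: str
    directory: Vault

    def authenticate(self, account: str, password: str) -> bool:
        return secrets.compare_digest(self.directory.checkout(account), password)


def legacy_task(host: TargetHost, account: str, hardcoded_password: str) -> bool:
    """Script as commonly written: the password was pasted in when the script
    was created and is never updated afterwards."""
    return host.authenticate(account, hardcoded_password)


def vault_aware_task(host: TargetHost, account: str, vault: Vault) -> bool:
    """Adjusted script: checks the current password out of the vault on each run."""
    return host.authenticate(account, vault.checkout(account))


def simulate(account: str = "svc_backup") -> dict:
    """Run both scripts before and after a rotation and return the outcomes."""
    vault = Vault()
    host = TargetHost("fileserver01", vault)
    initial = vault.rotate(account)                # password when the script was written
    outcome = {"legacy_before_rotation": legacy_task(host, account, initial)}
    vault.rotate(account)                          # PAM rotates the vaulted password
    outcome["legacy_after_rotation"] = legacy_task(host, account, initial)
    outcome["vault_aware_after_rotation"] = vault_aware_task(host, account, vault)
    return outcome
```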

PAM Service Account Pitfalls: Stuck Between Operational and Security Concerns

In fact, most identity teams consider this risk and avoid vaulting service accounts entirely. And that is exactly the impasse: vaulting service accounts poses operational risks, but not vaulting them poses security risks. Unfortunately, there has never been an easy answer to this dilemma, which is why service accounts are a blocker for PAM onboarding. The only way to meet both security and operational requirements is to start the painstaking manual process of discovering all service accounts, the scripts that use them, and the tasks and applications they run. This is a huge undertaking and the main reason why PAM onboarding takes months and sometimes years.

Overcome Challenges with Automated Service Account Discovery and Activity Mapping

The root of the problem is that there has never been a utility that could easily single out all service accounts and report on their activity. This is the problem Silverfort set out to simplify and solve.

Silverfort pioneered the first unified identity protection platform that natively integrates with Active Directory to monitor, analyze and enforce active access policies for all user accounts and resources within your AD environment. With this integration, AD forwards all incoming access attempts to Silverfort for risk analysis and awaits a decision to grant or deny access.

Leveraging this visibility into and analysis of all authentications, Silverfort can easily detect any account that shows the repetitive, deterministic behavior characteristic of service accounts. Silverfort creates a detailed list of all service accounts in your environment, including permission level, sources, destinations and activity volume.
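One way to turn the idea of “repetitive, deterministic behavior” into a concrete check, as an added example that is not Silverfort’s detection logic: over a constructed set of logon records, flag accounts that log on often enough, never interactively, and at nearly constant intervals on every source-to-destination stream, and summarize their sources, destinations and volume. The records, host names, thresholds and the interactive-logon rule are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed logon records: (minute, account, source, destination, logon_type)
# with Windows 4624 logon types: 2 = interactive, 3 = network.
LOGONS = []
for i in range(12):                       # backup job: one target, every 60 min
    LOGONS.append((i * 60, "svc_backup", "jobsrv01", "fileserver01", 3))
for i in range(8):                        # monitoring agent: two targets, every 15 min
    LOGONS.append((i * 15, "svc_monitor", "monsrv01", "dc01", 3))
    LOGONS.append((i * 15 + 1, "svc_monitor", "monsrv01", "sql01", 3))
for t, src, dst, lt in [(5, "laptop-17", "fileserver01", 3), (9, "laptop-17", "dc01", 2),
                        (47, "vpn-gw", "sql01", 3), (140, "laptop-17", "wiki01", 2),
                        (300, "laptop-42", "fileserver01", 2), (311, "laptop-42", "dc01", 3)]:
    LOGONS.append((t, "j.smith", src, dst, lt))   # human admin: irregular, interactive


def profile_accounts(logons, min_events=6, max_cv=0.25):
    """Return {account: summary} for accounts whose logons look machine-driven.
    Assumed criteria: at least min_events logons, never an interactive logon, and
    for every source->destination stream a low coefficient of variation
    (std/mean) of the gap between consecutive logons."""
    by_account = defaultdict(list)
    for rec in logons:
        by_account[rec[1]].append(rec)
    found = {}
    for account, recs in by_account.items():
        if len(recs) < min_events or any(r[4] == 2 for r in recs):
            continue
        streams = defaultdict(list)
        for t, _, src, dst, _ in recs:
            streams[(src, dst)].append(t)
        cvs, intervals = [], []
        for ts in streams.values():
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            if len(gaps) < 2:             # too few logons in this stream to judge
                cvs.append(1.0)
                continue
            cvs.append(pstdev(gaps) / mean(gaps))
            intervals.append(mean(gaps))
        if not intervals or max(cvs) > max_cv:
            continue
        found[account] = {"sources": sorted({s for s, _ in streams}),
                          "destinations": sorted({d for _, d in streams}),
                          "events": len(recs),
                          "interval_min": round(mean(intervals), 1)}
    return found
```

The resulting summary is the kind of inventory the text describes; in a real environment the input would be the directory’s authentication events rather than a constructed list.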

Once that information is available, the identity team can easily identify the dependencies and applications of each service account, locate the scripts that use it, and make an informed decision between two options:

  • Vault and rotate the password: in that case, the new visibility makes it easier to adjust each script so that the password it contains is updated in step with the vault’s password rotation.
  • Vault without rotation and protect with Silverfort policies: the way some service accounts are used can make keeping their scripts continuously updated impractical. In that case, password rotation is skipped, and the identity team instead uses Silverfort’s auto-generated policies to protect the service account and to alert on or block its access when deviations from its normal behavior are detected.

In this way, Silverfort shortens the PAM onboarding process to just a few weeks, making it an achievable task even in environments with hundreds of service accounts.

Struggling to get your PAM project off the ground? Find out how Silverfort can help accelerate your PAM project here.
