In the world of cybersecurity, privileged access management (PAM) solutions are increasingly attractive for companies and organizations because they protect their most sensitive data and systems from cyber threats. How do you properly implement these solutions? Our expert replies in this exclusive interview.
It is essential to properly implement a privileged access management solution to ensure data security. In this interview, our cybersecurity expert Julien Patriarca explains the three key stages in implementing a PAM solution according to good practice.
Hello Julien. In concrete terms, what is the correct procedure for implementing a privileged access management solution?
Hello! First and foremost, I believe it is better to have a clear understanding of what is happening in your IT system before deciding to change the passwords, although both are linked. In concrete terms, this involves three key stages.
Enhance visibility thanks to session management
Stage 1: Introduce monitoring of privileged sessions
Session management makes it possible to regain control of your IT system very quickly. It enables super administrators to know exactly what happened during a security incident, as well as to be notified in real time of potentially dangerous events. Session monitoring offers administrators full visibility over their IS (who does what, where, how, etc.). But for it to really be effective, it is necessary to ensure that all users go through the privileged access management solution when they connect to the server or application.
Stage 2: Prevent direct connections by implementing network rules
In the case of nominative accounts where users connect to target servers using their own account, our teams at WALLIX strongly recommend implementing network rules such as server isolation. Doing so ensures that only the Bastion connects to the target servers or apps, the essential requirement being to prevent direct connections.
Contrary to what is generally believed, this stage is quite easy to implement; we have noticed that our customers generally adopt the solution while redefining their global security policy. Users' change of attitude towards security measures is therefore already taking place. But to make it even easier for users to adopt, we recommend first allowing them to use their password for their nominative account to give priority to the monitoring and/or recording of session activities. Then, we can gradually get them to change their habits towards passwords.
Enhance access security thanks to password control
Stage 3: Integrate password management
Once it has implemented the privileged session management stage, the organization has an accurate view of what is happening on its IS, both internally and externally, as regards third party maintenance providers. It is then a good idea to take the security policy a step further with password management, since passwords are currently the most reliable means of connecting to a remote server.
Although they are seen as more reliable, passwords can also be the weakest link in the security chain as they are generally chosen in a simple way and are very easy to guess, either with online tools or simply with a little thought. Users are not yet in the habit of creating genuinely difficult passwords, and being able to entrust password management to an external solution like the WALLIX Bastion makes it possible to overcome a possible vulnerability due to the simplicity of the passwords used on the servers. In the case of generic accounts (host/administrator), it is necessary to change all the passwords of the target servers so that they are only known by the solution, and only the solution can connect to the servers on their behalf.
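The following is an added example, not part of the interview or of any WALLIX product: it puts two of the checks described above into code. For stage 2 it scans sshd authentication lines and reports accepted logins whose source is not the Bastion, which is how you verify on the target itself that no direct connection slipped past the network rules. For stage 3 it rotates the passwords of generic accounts so that only the vault holds the current value. The log lines, IP addresses, host names and the `apply_change` callback are all constructed assumptions.

```python
"""Added example: verifying bastion-only access (stage 2) and rotating
generic-account passwords (stage 3). Constructed sample data only."""
import re
import secrets
import string
from dataclasses import dataclass
from datetime import date

# Constructed sshd lines as a target server would log them. Assumption:
# 10.0.0.10 is the Bastion, 10.0.5.21 is an ordinary workstation.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 db01 sshd[2231]: Accepted publickey for admin from 10.0.0.10 port 51022 ssh2
Mar  3 09:15:44 db01 sshd[2290]: Accepted password for root from 10.0.5.21 port 60211 ssh2
Mar  3 09:16:02 db01 sshd[2301]: Failed password for root from 10.0.5.21 port 60212 ssh2
Mar  3 10:02:17 db01 sshd[2410]: Accepted publickey for jdoe from 10.0.0.10 port 51190 ssh2
"""

_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


def detect_direct_connections(log_text, bastion_ips):
    """Return (user, source_ip) for every successful login that bypassed the bastion.

    Only 'Accepted' lines count: a failed attempt from a workstation is noise for
    this check, a successful one means the isolation rule is not enforced."""
    bypass = []
    for line in log_text.splitlines():
        m = _ACCEPTED.search(line)
        if m and m.group("src") not in bastion_ips:
            bypass.append((m.group("user"), m.group("src")))
    return bypass


@dataclass
class GenericAccount:
    host: str
    login: str          # shared account such as root / Administrator
    password: str       # current value held by the vault
    last_rotated: date


_SYMBOLS = "!#%+-.:=@_"
_ALPHABET = string.ascii_letters + string.digits + _SYMBOLS


def generate_password(length=24):
    """Random password drawn from the OS CSPRNG, with every character class present."""
    while True:
        pw = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in _SYMBOLS for c in pw)):
            return pw


def rotate_generic_accounts(accounts, today, apply_change, max_age_days=30):
    """Rotate every account whose password is at least max_age_days old.

    apply_change(host, login, new_password) is an assumed callback standing in
    for whatever mechanism pushes the new value to the target server; the vault
    record is only updated once that call has returned."""
    rotated = []
    for acct in accounts:
        if (today - acct.last_rotated).days >= max_age_days:
            new_pw = generate_password()
            apply_change(acct.host, acct.login, new_pw)
            acct.password = new_pw
            acct.last_rotated = today
            rotated.append((acct.host, acct.login))
    return rotated


if __name__ == "__main__":
    print("bypassed bastion:", detect_direct_connections(SAMPLE_AUTH_LOG, {"10.0.0.10"}))
    pushed = []
    inventory = [
        GenericAccount("db01", "root", "Winter2023!", date(2024, 1, 5)),
        GenericAccount("web01", "Administrator", "P@ssw0rd", date(2024, 2, 28)),
    ]
    done = rotate_generic_accounts(inventory, date(2024, 3, 1),
                                   lambda h, l, p: pushed.append((h, l)))
    print("rotated:", done)
```

Run the script as-is to see the workstation login for `root` flagged and the stale `db01/root` password rotated while the recently rotated `web01` account is left alone. In a real deployment `apply_change` would be the only code path that ever sees the new value, which is exactly the property the third stage is after.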
How does the WALLIX Bastion make these stages easier while adapting to companies' and organizations' new challenges and environments?
The Bastion currently integrates very easily into the IS and is available in two different offers according to business needs:
- Session Manager, providing session management and governance
- WALLIX AdminBastion Suite, which takes the security policy a step further not only by meeting the challenges of session monitoring, but also by providing businesses with password management while integrating into the customer's specific environment and offering a centralized view of all access to the IS.
When a privileged access management solution is implemented, the provisioning stage, during which the solution is populated with users, equipment, possibly passwords, etc., remains an essential part of its integration in an information system or virtual machine. This process may take time and must be maintained. At the same time, customers’ environments are moving towards ever greater automation; this can be seen for example when they switch to the cloud to make their IT system increasingly simple and automated.
The WALLIX Bastion offers a range of tools such as APIs for provisioning and reporting, etc., providing a direct interface with the customer's information system to automatically create the equipment, users, and everything linked to access rights. It is then possible to automatically create timeslots and other functions when the customer's tools are upgraded (CMDB, directories, etc.). The Bastion therefore becomes increasingly integrated with the existing system to avoid maintaining both the original customer repository and ours, by unification of the systems and automatic synchronization. So, the WALLIX solution is continually being enhanced to meet market demands and create ever greater automation and faster deployment, etc.
To find out more, visit www.wallix.com or: