NEW TECH: Why it makes more sense for ‘PAM’ tools to manage ‘Activities,’ instead of ‘Access’

By Byron V. Acohido

Privileged Access Management (PAM) arose some 15 years ago as an approach to restricting access to sensitive systems inside of a corporate network.

Related: Active Directory holds ‘keys to the kingdom’

The basic idea was to make sure only the folks assigned “privileged access” status could successfully log on to sensitive servers. PAM governs a hierarchy of privileged accounts, typically all tied together in a Windows Active Directory (AD) environment.

It didn’t take cyber criminals too long to figure out how to subvert PAM and AD – mainly by stealing or spoofing credentials to log on to privileged accounts. All it takes is one phished or hacked username and password to get a toehold on AD. From there, an intruder can quickly locate and take control of other privileged accounts. This puts them in position to systematically embed malware deep inside of compromised networks.

Shoring up legacy PAM and AD deployments has become a cottage industry unto itself, and great strides have been made. Even so, hacking groups continue to manipulate PAM and AD to plunder company networks. And securely managing privileged accounts isn’t going to get any easier, going forward, as companies increase their reliance on hybrid IT infrastructures.

I had the chance to discuss this with Gerrit Lansing, Field CTO at Stealthbits Technologies, a Hawthorne, NJ-based supplier of software to protect sensitive company data. We spoke at RSA 2020. For a full drill down of our discussion, give the accompanying podcast a listen. Here are the key takeaways.

Enticing target

For 90 percent of organizations, Windows Active Directory is the hub for all identities, both human and machine. AD stores those identities and authenticates the human-to-machine and machine-to-machine logons that take place on the network. PAM, layered on top, grants the privileges needed to carry out certain activities on higher-level systems.

Together PAM and AD oversee processes that assign identities to all humans and machines while also authenticating these identities for each transaction. As such, AD, in particular, has emerged as a favorite target of threat actors looking to manipulate identities for malicious purposes.

Indeed, most network breaches revolve around the spoofing or otherwise illicit manipulation of a valid identity – and AD invariably plays a central role.

“Active Directory has become one of the most important targets for attackers to compromise after they initially infiltrate an organization,” Lansing says. “Most breaches begin through phishing, or a targeted web attack, to get a foothold on AD.”

Escalation risks


Upon gaining a foothold on an employee’s workstation, attackers seek out AD, with numerous tools in their toolkit to escalate privileges and begin to move laterally inside of the compromised network. AD’s single sign-on (SSO) functionality was a big hit when it was introduced. It an employee to log on once, and gain access to multiple systems, without have to type a username and password every time.

But SSO proved to be a boon for intruders, as well. One common hack, known as pass-the-hash, is to swipe the password hash that AD’s legacy NTLM protocol accepts in place of the password itself. An attacker who lifts that hash from memory on a compromised workstation can replay it to authenticate as that account elsewhere on the network, then repeat the trick with any higher-privileged account that has logged on to the machines reached along the way.

“Being able to go from a lesser environment, say a workstation, all the way up to the domain controller is what the attacker looks for,” he says. “That’s going to allow him to obtain the privileges to actually steal the data or to do the damage he wants to do . . . pretty much every breach you’ve heard about in the news involves this technique to some degree.”
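As an added illustration, not code from the article or from Stealthbits, the PowerShell below applies a simple heuristic to Windows Event ID 4624 (successful logon) records: it surfaces NTLM network logons by privileged accounts that originate from anything other than an approved admin workstation, which is the footprint a pass-the-hash replay leaves on the target. The account names, host names and sample records are constructed assumptions.

```powershell
# Added example (not from the article or Stealthbits): flag NTLM network logons by
# privileged accounts from non-admin hosts, the typical trace of a pass-the-hash replay.

$PrivilegedAccounts = @('da-jsmith', 'svc-backup')   # assumption: tier-0 accounts
$AdminHosts         = @('ADMIN-PAW01')               # assumption: approved admin workstations

# Flatten a raw 4624 record from Get-WinEvent into the fields the heuristic needs.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = ([xml]$Event.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object { $_.Name -eq $n }).'#text' }
        [pscustomobject]@{
            TimeCreated               = $Event.TimeCreated
            TargetUserName            = & $get 'TargetUserName'
            LogonType                 = [int](& $get 'LogonType')
            AuthenticationPackageName = & $get 'AuthenticationPackageName'
            LogonProcessName          = & $get 'LogonProcessName'
            WorkstationName           = & $get 'WorkstationName'
            IpAddress                 = & $get 'IpAddress'
        }
    }
}

# The heuristic: in a Kerberos domain, a privileged account should not be seen
# authenticating with NTLM over the network from an ordinary workstation.
function Find-SuspectNtlmLogon {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        if ($Event.LogonType -eq 3 -and                            # network logon
            $Event.AuthenticationPackageName -eq 'NTLM' -and       # Kerberos expected
            $PrivilegedAccounts -contains $Event.TargetUserName -and
            $AdminHosts -notcontains $Event.WorkstationName) {
            $Event
        }
    }
}

# Constructed sample records, in the shape ConvertFrom-LogonEvent emits.
$SampleEvents = @(
    [pscustomobject]@{ TargetUserName='jdoe';       LogonType=3;  AuthenticationPackageName='Kerberos';  LogonProcessName='Kerberos'; WorkstationName='WS-0142';     IpAddress='10.0.12.42' }
    [pscustomobject]@{ TargetUserName='da-jsmith';  LogonType=3;  AuthenticationPackageName='NTLM';      LogonProcessName='NtLmSsp';  WorkstationName='WS-0142';     IpAddress='10.0.12.42' }
    [pscustomobject]@{ TargetUserName='da-jsmith';  LogonType=3;  AuthenticationPackageName='NTLM';      LogonProcessName='NtLmSsp';  WorkstationName='ADMIN-PAW01'; IpAddress='10.0.1.5'   }
    [pscustomobject]@{ TargetUserName='svc-backup'; LogonType=10; AuthenticationPackageName='Negotiate'; LogonProcessName='User32';   WorkstationName='WS-0077';     IpAddress='10.0.12.77' }
)

# Only the second record is flagged: a Domain Admin account, NTLM, from a user workstation.
$SampleEvents | Find-SuspectNtlmLogon | Format-Table TargetUserName, WorkstationName, IpAddress

# Against a live Security log on a server that receives admin logons:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000 |
#     ConvertFrom-LogonEvent | Find-SuspectNtlmLogon
```

Treat the output as a triage list rather than a verdict: NTLM still occurs legitimately in most domains (connections by IP address, non-domain hosts, older applications), so the useful signal is a privileged account using it from a host where that account has no business being. On the source workstation, a Logon Type 9 event with the logon process “seclogo” is the complementary indicator that a hash was injected into a new logon session.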

New platform exposures

PAM and AD were designed for on-premises company networks, and keeping them secure has proven to be a big challenge. The latest answer is a security model, called “Zero Trust,” that advocates maintaining very strict access controls and not trusting anyone by default, even parties that appear to be operating legitimately inside of the network.

But complexities are adding pressures, even to Zero Trust frameworks. Companies increasingly operate on hybrid IT infrastructure, a mix of on-premises data centers and cloud-hosted data storage and processing power. Employees, partners and customers tie in from smartphones outside of the company domain. And supporting software gets created, maintained and improved by far-flung developers using virtual tools that exist in the cloud.

Legacy PAM and AD security solutions, Lansing argues, supply a kind of static, always-on privilege, and then focus on accurately authenticating the entity seeking to use that privilege.

“The problem is static privileges aren’t required in some of these new environments, and definitely don’t work when you’re thinking about standing up whole infrastructures in minutes, or being able to just terminate a single (software) container,” he says. “A lot of the controls that we’ve applied to Active Directory, to stop lateral movement and privilege escalation, don’t necessarily apply very well to these new platforms.”

Authenticating activities

Companies face a two-headed challenge: They’re being pressured by unrelenting daily attacks probing for weaknesses in their legacy PAM and AD identity management systems. And they must, at some point fairly soon, begin to account for fresh exposures spinning out of a heavier reliance on hybrid IT infrastructure. “The speed of digital transformation is adding new challenges to the mix,” Lansing says.

Stealthbits is among a small group of security vendors advocating the wisdom of coming at the identity question from a fresh perspective. Instead of focusing on authenticating the user, these innovators advocate shifting the focus to authenticating a specific activity.

The data collection and data analytics know-how to do this are well understood and readily available. Stealthbits recently introduced a product offering that performs what it calls “privileged activity management.” Here’s how Lansing describes it:

“We’ve spent all of these years protecting the privileged identity itself, applying detective controls, changing passwords frequently, ensuring that only authorized people use them . . . but in the world of DevOps and in the world of cloud computing, these identities come and go in the blink of an eye.

“Today the business problem at hand is about ensuring that employees have the privileges to do their jobs when they need them, and only when they need them. So we can think about actually eliminating the attack surface, by making sure that these accounts don’t dispense privileges all the time . . . we can do this through a just-in-time approach to privileged access, where no one ever has full access to Active Directory, all of the time.”

Stealthbits’ new solution revolves around issuing “ephemeral” accounts that grant access for a specific activity and a finite period of time. “You grant the administrative privilege needed for a specific activity and then you destroy the account when you’re done with it – your risk posture returns to nothing,” Lansing told me.
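As an added example, and not Stealthbits’ product or any code from the article, the PowerShell below shows how the just-in-time pattern Lansing describes can be built from what AD itself ships: a throwaway account that exists only for the task, a group membership that carries its own time-to-live through AD’s optional Privileged Access Management feature (Windows Server 2016 forest functional level or later), and deletion of the account when the work is done. The forest name, group, account naming scheme and ticket reference are assumptions.

```powershell
# Added example (not Stealthbits' code): ephemeral, time-bound admin access in AD
# using expiring group membership (TTL links). Requires the ActiveDirectory module
# and a Windows Server 2016+ forest functional level. Names are assumptions.

Import-Module ActiveDirectory

$Forest     = 'corp.example.com'   # assumption: forest root domain
$AdminGroup = 'Domain Admins'      # assumption: the privilege being dispensed
$DefaultTtl = New-TimeSpan -Hours 1

# One-time, forest-wide and irreversible: turns on expiring (TTL) group memberships.
# With this feature on, the DC removes the link when it expires and issues Kerberos
# tickets whose lifetime is capped to the shortest remaining TTL of the caller's groups.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target $Forest

function Grant-EphemeralAdmin {
    param(
        [Parameter(Mandatory)][string]$RequestedBy,   # the human whose task this is
        [Parameter(Mandatory)][string]$Ticket,        # change/ticket reference, kept for audit
        [TimeSpan]$TimeToLive = $DefaultTtl
    )
    # A separate, throwaway account: the requester's daily identity never holds the privilege.
    $Name = 'jit-{0}-{1}' -f $RequestedBy, (Get-Date -Format 'yyyyMMddHHmm')

    # Random password from the OS CSPRNG; the account dies before it would ever rotate.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $Password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    # The account itself also expires, as a backstop in case the cleanup step never runs.
    New-ADUser -Name $Name -SamAccountName $Name -AccountPassword $Password -Enabled $true `
        -Description "JIT admin for $RequestedBy, ticket $Ticket" `
        -AccountExpirationDate (Get-Date).Add($TimeToLive)

    # The membership carries the TTL; no one has to remember to remove it.
    Add-ADGroupMember -Identity $AdminGroup -Members $Name -MemberTimeToLive $TimeToLive

    return $Name
}

function Revoke-EphemeralAdmin {
    param([Parameter(Mandatory)][string]$Name)
    # Deleting, rather than disabling, is what returns the exposure to zero:
    # there is no credential left on the domain for an attacker to steal later.
    Remove-ADUser -Identity $Name -Confirm:$false
}

# Audit view: each privileged member with the seconds left on its membership.
function Get-PrivilegedMembershipTtl {
    Get-ADGroup -Identity $AdminGroup -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member      # entries look like <TTL=3571,CN=jit-...>
}

# Usage, assuming the operator 'jsmith' has an approved change 'CHG-1234':
$Account = Grant-EphemeralAdmin -RequestedBy 'jsmith' -Ticket 'CHG-1234' -TimeToLive (New-TimeSpan -Minutes 30)
Get-PrivilegedMembershipTtl
# ... the task is carried out as $Account, then:
Revoke-EphemeralAdmin -Name $Account
```

Two checks a practitioner would add around this: the grant step should be gated by an approval the requester cannot give themselves (the ticket reference is only an audit trail, not a control), and the account creation and group-membership events (4720 and 4728 in the Security log) should be alerted on so that an attacker who reaches the script cannot mint their own ephemeral admins quietly.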

Sometimes it takes looking at a seemingly unsolvable problem from a different vantage point to come up with the solution. This may be one of those instances. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
