Extending PAM with Automation
Traditional Privileged Access Management (PAM) solutions have had a major gap in their protection.
That’s a bold claim. Most PAM solutions do a pretty good job at protecting credentials for valuable admin and other powerful accounts. Some are easier to install, manage and use than others, but mostly they’re offering similar functionality.
The big gap, though, is protecting what users do while they have access to a privileged account and preventing them doing damage.
Osirium recognised that gap years ago and took action by including the built-in automation capability with “Privileged Task Management (PTM)” in Osirium PAM. Task Automation is being used for many common, frequently executed IT tasks such as checking if a server is running or deleting a user account in Active Directory. It’s worth noting that this is substantially more powerful and secure than running an external batch file or shell script which might have embedded credentials or depend on external scripting environments.
One customer automated a server health check and reduced the time taken for each check from 30 minutes to 8 seconds. That equated to over 200 hours’ effort every year, pretty much equivalent to a full-time employee.
It’s not a surprise that many Osirium customers see this value and often list automation as one of their goals with Osirium PAM. Indeed, task automation was flagged by various Industry Analysts as a standout feature and was part of the reason Osirium earned a Gartner Cool Vendor award.
Osirium further extends that leadership with the announcement of Osirium Automation being added to its PAM solution at no extra charge for existing or new customers. It takes automation and protection to a new level.
Why is automation such a big deal?
Let’s start at the beginning. Most PAM solutions provide a common set of capabilities to store administrator credentials in a secure vault. Some also include session monitoring and recording of privileged sessions to aid with the investigation after privileged credentials have been misused. Certainly, Osirium PAM does a great job in all those areas.
But these protections are limited as there’s nothing they can do to prevent users who legitimately have access to systems from doing something they shouldn’t – deliberately or accidentally. And if those credentials are compromised, then a bad actor can use them to do a lot of damage with unfettered access to corporate IT services and devices before being noticed.
I see the solution as a progression of layers of protection.
Protect credentials
At the core is a secure vault for valuable credentials. Access to this vault is protected by user identity authentication using tools such as multi-factor authentication (MFA) to prove the “who”. Ensuring only the right people have access to the right credentials for the least amount of time needed is a critical part of delivering a “Least Privilege” strategy (sometimes known as “Principle of Least Privilege” or POLP).
At this level, it’s similar to Identity and Access Management (IAM) as a way to protect credentials. Some IAM tools claim “privileged account” features. In reality, these are often not much more than a handy way of tagging a group of accounts as “admin” and don’t provide more protection. This is where PAM tools show their advantages over IAM: PAM controls how people use those credentials to connect to devices and services with elevated privileges.
Know what’s happened
At the next level is session management and recording. When a user starts a session on a corporate system via PAM, PAM injects the admin credentials into the target system, never letting them near the user. Those sessions can be monitored and recorded by the PAM server. The recording is great for looking backwards – “what did someone do to that system last Tuesday?” If you’re monitoring in real-time, you may be able to hit a “kill switch” to terminate the session if (and it’s a big if) you spot the user doing something suspicious. In both cases, PAM isn’t doing anything to ensure the user is doing what they should.
Limit the potential impact
There’s a danger that PAM will let users access a device or system with much more access than they should. For example, they may open an SSH terminal session or Remote Desktop, which grants the opportunity to run any tool or change any configuration settings available to that account. Osirium PAM limits this exposure with its MAP Server, which provides remote access to only the tools they need, not the server. For example, a DBA can only access SQL Server Studio, not the server running the database.
Prevent misuse
Wrapping up the work of a privileged session with automation is a more proactive level of protection. If the user can only run a pre-approved set of steps, they can do little harm. They can’t get access to the tool other than the exact function they need. Even more importantly, they can’t access the whole server where severe damage can be done. It means that less highly-skilled or experienced staff, say Help Desk agents, could perform many mundane tasks that normally wait for the senior admins to be available.
Why Osirium automation?
Osirium Automation is built on Osirium’s years of PAM task automation experience. It’s built on Osirium’s flexible Privileged Process Automation (PPA) platform.
Osirium Automation (OA) is a lightweight, flexible and secure platform. It uses a built-in low-code development environment to build automated playbooks. A plug-in architecture makes it easy to integrate with existing services and devices via SSH, API or REST interfaces. The PPA ResourceHub has a rapidly growing set of pre-built plug-ins and playbooks.
OA has many advances over the previous task automation, including:
- Easy to use, friendly, browser-based interface for automated playbooks. That’s particularly important when delegating tasks to non-technical users
- Built-in, low-code task builder and management system
- Plug-in architecture to extend support for new devices and systems
- An API to invoke Automation playbooks from external systems such as ITSM tools like ServiceNow or corporate intranet portals
- Built-in scheduler to run playbooks regularly (e.g. health checks or backups)
- Workflow with approvals
- Integration with many communications systems, including SMS, Slack or e-mail
- A growing resource library of free plug-ins and playbooks
As well as automating the steps needed to perform a task, playbooks can even be used to extend the security controls of your existing systems. For example, a command line tool that only allows free text as a description could have formatted text collected from the user to ensure descriptions comply with corporate policies.
Being a flexible platform, PPA can be used in a wide range of situations, from server health checks to complex network device configuration to automating the provisioning of all the accounts needed for a new starter. Because the credentials are always protected by PPA and never available to the user, the operations are tightly controlled to only the steps needed to perform the job, and there’s always a rich audit trail, so it’s safe to delegate IT tasks to help desk agents or even business users.
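As an added illustration of the “Prevent misuse” layer and the description-policy example above (example code written for this article, not Osirium’s own code or API), the sketch below shows the shape of a constrained privileged task: the requester supplies only validated parameters, the admin credential is fetched from a vault inside the task and never returned, the command is a fixed argv list rather than free-form shell, and an audit record is produced that names the credential without exposing it. The in-memory vault, the regular expressions, the `disable-ad-account` tool name and the `INC######: category: text` description policy are all constructed assumptions.

```python
import re
import datetime

# Constructed stand-in for the PAM credential vault (assumption, not a real API).
VAULT = {"ad-admin": "s3cret-placeholder"}

# Constructed corporate policy: descriptions must read "INC######: category: free text".
DESCRIPTION_RE = re.compile(r"^INC\d{6}: (access|hardware|software): [\w ,.\-]{5,120}$")
# Account names: letters, digits, dot, underscore, hyphen only; no spaces or shell metacharacters.
ACCOUNT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,19}$")

class PolicyViolation(ValueError):
    """Raised before any privileged credential is touched."""

def validate_inputs(username, description):
    """Accept only the narrow input shape the task is designed for."""
    if not ACCOUNT_RE.match(username):
        raise PolicyViolation(f"invalid account name: {username!r}")
    if not DESCRIPTION_RE.match(description):
        raise PolicyViolation("description must follow 'INC######: category: text'")
    return username, description

def build_disable_account_task(username, description, requested_by):
    """Return the fixed command as an argv list plus an audit record.

    The caller never sees the credential: it is looked up here and would be
    handed straight to the execution step, not returned. The audit record
    names the vault entry used, never its value.
    """
    validate_inputs(username, description)
    credential = VAULT["ad-admin"]  # only the task body holds the secret
    argv = ["disable-ad-account", "--user", username, "--description", description]
    audit = {
        "task": "disable-ad-account",
        "requested_by": requested_by,
        "parameters": {"user": username, "description": description},
        "credential_id": "ad-admin",
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }
    # Defensive check: the secret must never leak into the audit trail.
    if credential in str(audit):
        raise RuntimeError("credential leaked into audit record")
    return argv, audit
```

A real playbook would pass `argv` and the credential to a runner that executes the single permitted tool; the requester only ever supplies `username` and `description`.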
With Automation, significant cost and time-savings can be achieved. An early adopter said, “We had a task that used to take half a day to complete. With Automation, we can now do the same task 7 or 8 times every day.” That’s important as, increasingly, IT and cybersecurity need to show benefits to the business, not just improving day-to-day security.
Availability
All existing and new Osirium PAM customers now have access to Osirium Automation user licenses with their current subscription. For further details, speak to your ITHealth Account Manager or contact ITHealth for more information.