System Administration Procedures Need to PAM it Up!
If you are already logging all types of administrative efforts successfully on your network – Congratulations! If you are like the rest of us normal folks, you are probably using some form of super username and password to differentiate when you are administering significant changes to the network. For a few years now, there has been a movement to limit and improve the documentation of these types of network administrator efforts. Insert your PAM now. This is not going to prevent your steaks from sticking to your 20-year-old frying pan, but it will keep you out of hot water should a significant error occur on your network, because you can better track what specific change occurred and where it was made. The goal is to properly track all of the system changes.
Insert PAM (Privileged Access Management) Here
PAM is a solution that helps restrict privileged access within a computer network environment. This allows more control over the overall environment by isolating the use of privileged accounts, thereby reducing the risk of those credentials being used for unintended purposes. The attacks it helps guard against include privilege escalation, spear phishing, Kerberos compromise, and other types of attacks that depend on misusing privileged credentials.
Microsoft has Microsoft Identity Manager (MIM) to provide this type of administrator security. Other third-party PAM tools exist and can assist in protecting the credentials of system administrators, preventing reuse of stolen credentials, and separating operating-system-level access from application-level access.
Gartner even developed a report identifying best practices for utilizing PAM via four defined pillars in risk decision making. These pillars are 1) Track and secure all privileged accounts; 2) Govern and control access; 3) Record and audit privileged activity; 4) Operationalize privileged tasks. The Gartner report is a more in-depth look at what it takes to identify your needs and execute, but the simple explanation is their third pillar – recording and auditing. If you can create an audit trail of where and when changes are made, you can track changes on the network and on each system on it.
Many different security sites talk about the requirement to document changes that are made to the network. Whether this is done via a change management board or a Microsoft Excel spreadsheet, these changes need to be documented. The next step is documenting how these changes are executed. If an unexpected mistake occurs, you can trace the follow-on problems back to when and where it happened. If you can automate this process via a program application (PAM tool), you have solved many a CIO's headache after a possible error, because keeping the organization up and running is much more important than placing blame for an unintended error (or a missing semicolon, for my coder friends out there).