Integrating a Privileged Access Manager with Devices Unable to Implement Multi-Factor Authentication

Learn how Multi-Factor Authentication (MFA) strengthens Privileged Access Management (PAM) solutions. This article covers essential PAM features, open-source and commercial options, and NIST compliance guidelines for security professionals, IT admins, and decision-makers.

Photo by Ed Hardie / Unsplash

A Privileged Access Manager (PAM) is a tool that helps organizations manage and monitor privileged access to critical systems and sensitive data. It can provide multi-factor authentication (MFA) protection for devices without MFA by acting as a gatekeeper between the user and the device.

Here's how it can work:

  1. The user logs into the PAM system with their username and password.
  2. The PAM system checks the user's identity and permissions to access the target device.
  3. If the user is authorized, the PAM system generates a one-time code or token that is sent to the user's mobile device or email.
  4. The user enters the code or token into the PAM system to verify their identity.
  5. Once verified, the PAM system provides the user with temporary access to the target device.

By using this approach, the PAM system provides an additional layer of security for devices that do not have built-in MFA capabilities. It also helps to ensure that only authorized users with the correct permissions can access critical systems and data.
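As an added example (not taken from the article or from any product it names), here is a small Python model of the five-step flow: the PAM verifies the user's own password, checks authorization for the target device, verifies a TOTP code, and only then hands out a time-boxed session holding the device credential, which it rotates when the session is checked in. The user, device store, salt and secrets are all constructed for illustration.

```python
import hashlib, hmac, secrets, struct

# Constructed directory: one user and one device that has no MFA of its own.
# A real PAM keeps these in a vault; every value here is made up for the example.
SALT = b"constructed-salt"
USERS = {"alice": {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
                   "totp_secret": b"0123456789abcdef0123", "devices": {"core-switch-01"}}}
DEVICES = {"core-switch-01": {"password": "initial-device-pw"}}
SESSION_TTL = 900  # seconds of temporary access granted after MFA (step 5)

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the one-time code the PAM sends and expects (steps 3-4)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def first_factor(user: str, password: str) -> bool:
    """Step 1: constant-time check of the user's PAM password (never the device password)."""
    u = USERS.get(user)
    if u is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(u["pw_hash"], candidate)

def broker_session(user: str, password: str, code: str, device: str, now: int):
    """Steps 1-5: returns a time-boxed session holding the device credential, or None."""
    if not first_factor(user, password):
        return None
    u = USERS[user]
    if device not in u["devices"] or device not in DEVICES:  # step 2: authorization
        return None
    # Step 4: accept the current 30 s window plus one step of clock drift either way.
    if not any(hmac.compare_digest(code, totp(u["totp_secret"], now + d)) for d in (-30, 0, 30)):
        return None
    return {"user": user, "device": device, "expires": now + SESSION_TTL,
            "credential": DEVICES[device]["password"]}

def session_valid(session: dict, now: int) -> bool:
    """The brokered access is temporary: it lapses once the TTL has passed."""
    return now < session["expires"]

def check_in(session: dict, now: int) -> None:
    """End of use: rotate the device password so the checked-out value is no longer valid."""
    DEVICES[session["device"]]["password"] = secrets.token_urlsafe(24)
    session["expires"] = now
```

The device itself never learns about the second factor; the PAM enforces it in front of the device and rotates the credential so a captured device password does not outlive the session.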

Major Features to Look for in a PAM

Privileged Access Management (PAM) solutions are designed to protect and manage access to critical systems and data by privileged users, such as system administrators, IT staff, and executives. The following are some important features that are typically found in a robust PAM solution:

  1. Privileged Account Discovery: The ability to discover and identify all privileged accounts and credentials across the enterprise is crucial for effective PAM. This feature should be able to scan and detect privileged accounts in all types of systems, applications, and databases.
  2. Password Management: This feature is essential for securing and managing privileged passwords. It should include strong password policies, automatic password rotation, and secure storage of passwords.
  3. Session Monitoring: PAM solutions should be able to monitor and record privileged user activity in real time to detect any suspicious or unauthorized activity.
  4. Access Control: A PAM solution should provide granular access control to ensure that privileged users have access only to the resources that they need for their specific job functions.
  5. Multi-Factor Authentication: PAM solutions should provide strong authentication mechanisms, such as multi-factor authentication, to ensure that only authorized users can access privileged accounts and systems.
  6. Audit and Compliance Reporting: PAM solutions should provide comprehensive audit and compliance reports that can demonstrate compliance with regulations and security policies.
  7. Integration with Other Security Solutions: A PAM solution should be able to integrate with other security solutions, such as SIEM, IAM, and endpoint security, to provide a more comprehensive security posture.
  8. Automated Provisioning and De-provisioning: This feature should automate the process of granting and revoking access to privileged accounts and resources, based on predefined policies and workflows.

This list is not exhaustive, but it represents some of the most important capabilities that a PAM solution should offer.

Applicable Security Controls

NIST 800-53 and NIST 800-171 are two commonly used security frameworks that provide guidance and best practices for securing federal information systems and non-federal systems, respectively. Both frameworks include security controls that specify a requirement for Multi-Factor Authentication (MFA). Here are some examples of these controls:

NIST 800-53:

  • AC-16: Security Attributes
  • AC-17: Remote Access
  • AC-18: Wireless Access
  • IA-2(12): Identification and Authentication (Organizational Users)
  • IA-8: Identification and Authentication (Non-Organizational Users)

NIST 800-171:

  • 3.5.3: Multifactor Authentication for local and network access
  • 3.7.5: Multifactor Authentication to establish nonlocal maintenance sessions via external network connections

These controls require the implementation of MFA to strengthen the security of authentication mechanisms and protect against unauthorized access to sensitive data and systems. Organizations are required to implement these controls based on their risk assessment and the sensitivity of their data and systems.

The National Institute of Standards and Technology (NIST) has published several Special Publications (SP) that provide guidance on Multi-Factor Authentication (MFA). Here are a few of them:

  1. NIST SP 800-63B: Digital Identity Guidelines - Authentication and Lifecycle Management: This publication provides guidelines for federal agencies implementing digital identity services, including MFA. It includes specific recommendations for MFA implementation, such as the use of authenticators that leverage different factors, risk-based authentication, and user experience considerations.
  2. NIST SP 800-63C: Digital Identity Guidelines - Federation and Assertions: This publication provides guidelines for federal agencies implementing federated identity services, including MFA for authentication. It includes recommendations for the use of MFA with federated identity providers, as well as guidance on integrating MFA with other authentication methods.

Documenting Compliance

Documenting compliance with Multi-Factor Authentication (MFA) requirements for devices managed through a PAM solution in a System Security Plan (SSP) can be done in several ways. Here are some general steps you can take to document MFA compliance:

  1. Identify the specific devices managed through the PAM solution that require MFA compliance, based on the organization's security policies and regulatory requirements.
  2. Document the MFA policies and procedures for the PAM solution that apply to these devices, including the types of MFA factors required, the frequency of MFA use, and the procedures for MFA exception handling.
  3. Describe how the PAM solution enforces MFA policies and procedures for the managed devices, including how users are authenticated, how access is granted or denied, and how MFA events are logged and monitored.
  4. Provide evidence of MFA compliance by including screenshots or reports from the PAM solution that demonstrate MFA usage, such as login attempts, authentication events, and access logs.
  5. Describe any deviations from MFA policies and procedures, including the reasons for the deviations, the approval processes, and the corrective actions taken.
  6. Include a statement of assurance that the MFA policies and procedures for devices managed through the PAM solution are in compliance with the organization's security policies and regulatory requirements.

By following these steps, you can create clear and concise documentation of compliance with MFA requirements for devices managed through a PAM solution in an SSP. This documentation can be used to demonstrate to auditors and regulators that the organization is meeting its security obligations and safeguarding critical systems and data.

Available Products

There are several products available that can change device passwords after each use. These products are typically used to provide a higher level of security for privileged accounts and to reduce the risk of password-related attacks such as credential theft, privilege escalation, and lateral movement. Here are some examples of such products:

  1. CyberArk Privileged Access Security Solution: This solution includes a feature called Dynamic Access Provisioning, which can automatically generate and change passwords for privileged accounts after each use.
  2. BeyondTrust PowerBroker Password Safe: This solution includes a feature called Dynamic Password Management, which can automatically generate and change passwords for privileged accounts after each use.
  3. Thycotic Secret Server: This solution includes a feature called Secret Rotation, which can automatically generate and change passwords for privileged accounts after each use.
  4. Lieberman RED Identity Management: This solution includes a feature called Rapid Rotation, which can automatically generate and change passwords for privileged accounts after each use.
  5. ManageEngine Password Manager Pro: This solution includes a feature called Automatic Password Rotation, which can automatically generate and change passwords for privileged accounts after each use.

These products typically employ an automated password management process that can generate and rotate passwords based on a pre-defined schedule or trigger. The frequency of password rotation can be configured to meet the organization's security requirements and compliance regulations.

You can find me on Mastodon at @mojoology@mastodon.social.