These materials are © 2022 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Cloud Server Privilege Management For Dummies®,
Delinea Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. All other trademarks are the property of their respective owners. John
Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.
For general information on our other products and services, or how to create a custom For
Dummies book for your business or organization, please contact our Business Development
Department in the U.S. at 877-409-4177, contact info@dummies.biz, or visit
www.wiley.com/go/custompub. For information about licensing the For Dummies brand for
products or services, contact BrandedRights&Licenses@Wiley.com.
Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Project Editor: Elizabeth Kuball
Acquisitions Editor: Ashley Coffey
Production Editor: Saikarthick Kumarasamy
Table of Contents
INTRODUCTION................................................................................................ 1
About This Book.................................................................................... 1
Foolish Assumptions............................................................................. 2
Icons Used in This Book........................................................................ 2
Beyond the Book................................................................................... 3
CHAPTER 4: Ten Keys to a Successful PAM Journey...................... 39
Embrace the PAM Maturity Model.................................................... 39
Recognize That Comprehensive PAM Requires Vaulting and Privilege Elevation................ 40
You Can’t Effectively Manage and Protect What You Can’t See............................... 40
Start with Zero Trust Identity and Least Privilege........................... 41
Enforce Multifactor Authentication Everywhere............................. 41
Choose a Future-Proof PAM-as-a-Service Solution......................... 42
Leverage Automation and Machine Learning.................................. 42
Implement Policy-Based Access Controls........................................ 42
Protect All Your Privileged Accounts................................................. 43
Increase Awareness and Empower Employees............................... 44
Introduction
Ransomware and supply-chain attacks are on the rise, and stolen passwords and
credentials are the primary means used by cybercriminals to breach organizational
systems and networks. According to the 2022 Verizon Data Breach Investigations
Report (DBIR), more than 80 percent of cyberattacks today involve the use of stolen
credentials — a familiar tactic over the past several years. This trend emphasizes
the importance of strong authentication and authorization at the workstation and
server levels.
Foolish Assumptions
It has been said that most assumptions have outlived their uselessness, but I assume
a few things nonetheless.
This icon explains the jargon beneath the jargon and is the stuff
legends — well, legendary nerds — are made of.
Tips are appreciated, but never expected, and we sure hope you’ll
appreciate these useful nuggets of information.
These alerts point out the stuff your mother warned you about.
Well, probably not, but they do offer practical advice.
IN THIS CHAPTER
»» Understanding server access security
Chapter 1
Looking at the Current
State of Hybrid Cloud
Server Security
This chapter explores server access vulnerabilities, recent ransomware and
supply-chain attacks and their impacts, and the need to balance security and
productivity.
and database administrators, you also now have DevOps teams
orchestrating hundreds of virtual server instances and containers
in public clouds using infrastructure as code (IaC) literally every
day. So, more than ever, secure remote access to servers is a
must-have.
server. An enterprise password vault provides better security
than a password manager because it can be deployed, used,
and managed centrally. A vault can also be configured as a
proxy through which all remote sessions are launched and
role-based access controls (RBACs) can also be properly
implemented. However, if an attacker circumvents the vault,
they can also bypass vault-based access controls and session
recording capabilities, making it harder to identify the source
of an attack.
»» Server attacks directly on the server: A disgruntled or malicious employee can
often bypass the end-user workstation, or sidestep or disable security controls,
and target a server directly — whether that server is in the cloud or on premises.
An external threat actor who is already on the network and has stolen privileged
credentials will move laterally from server to server to gain access to sensitive
data and exfiltrate it or encrypt it for ransom.
world). Each has read/write/execute permissions. That’s it. The owner — the person
who created a file — can do whatever they want. Access is neither granular nor
time-limited. There’s no request and approval process. As a result, users have
excessive standing privileges that increase risk — particularly in a modern
cloud/DevOps world where Linux is the preferred operating system for many.
»» Traditional tools can’t adapt to today’s requirements for
server security in a hybrid environment. It’s common for
organizations to deploy a privileged access management
(PAM) tool to address server access security. The problem is
that many organizations are still using tools built more than
a decade ago for servers in data centers where everything
was on the same network. These products weren’t designed
to handle today’s hybrid on-premises and cloud server
environment without high cost and effort, even if the tool
has been “cloudwashed” — that is, running the legacy tool in
a cloud instance.
as many systems as possible — all while exfiltrating copies of
sensitive data (see Figure 1-1) to potentially be used in a double or
triple extortion attack.
FIGURE 1-1: Threat actors take advantage of dwell time to perform many
activities during a stealthy, “low and slow” ransomware attack.
FIGURE 1-2: How cybercriminals use ransomware as a service and stolen
credentials to launch attacks.
Yet, despite these perceived burdens, security is indisputably
critical to every organization. Users largely understand the risk
at some level, but they still look for creative ways to circumvent
complex and confusing security controls.
FIGURE 1-3: Complaints from employees are cited as the single biggest factor
(46 percent) in failed least-privilege implementations.
IN THIS CHAPTER
»» Assessing your organization’s current
PAM maturity level
Chapter 2
Planning a Long-Term
Privileged Access
Management Initiative
In this chapter, you find out about the Delinea Privileged Access Management (PAM)
Maturity Model, how to assess your organization’s current level of PAM maturity and
plan your PAM journey, the role of vaults and privilege escalation in PAM, and modern
PAM solutions for hybrid environments.
FIGURE 2-1: The four phases of the Delinea PAM Maturity Model.
“Privileged access” includes not only who can access what, but
also what they can do with that access and when they can do it.
Intelligence and automation increase as well. Shifting from manual to automatic
password creation and rotation is the first major step. From there, more
capabilities are automated, until, ultimately, PAM is continuously learning and
adapting as an intelligent system.
Phase zero: High risk
The key for organizations in phase zero of PAM maturity is to
recognize their risk and plan for action.
Service accounts are created “in the wild,” leading to poor documentation, poor
mapping to applications or core services, static passwords that are rarely (if ever)
changed, and “re-usage,” where a single account is used repeatedly for numerous
services.
TABLE 2-1: Typical Characteristics of Organizations at Phase Zero
(columns: PAM Maturity Dimension | Typical Characteristics; table body not present in this extract)
After the organization has vaulted all admin and privileged accounts and configured
periodic credential rotation, it’s important to establish better processes to enable
administrative and help-desk staff to securely access systems without exposing the
vaulted privileged accounts. Secure remote access and jump host PAM capabilities
facilitate automated login without passwords being revealed.
Although organizations at this stage are more mature than organizations at phase
zero, they continue to operate in a reactive mode. They often have numerous,
disconnected tools and processes rather than an integrated system that is centrally
managed and controlled by policies. They don’t differentiate access based on roles,
don’t have sufficient visibility into account usage, and can’t easily or
automatically produce reports or compliance documentation.
TABLE 2-2: Typical Characteristics of Organizations at Phase One
(columns: PAM Maturity Dimension | Typical Characteristics; table body not present in this extract)
RBAC is the model and practice of restricting access rights based on the roles of
individual users across the enterprise. RBAC gives access only to the systems,
applications, and information necessary for a user to accomplish specific functions
based on their job role, and prevents them from accessing systems, applications, and
information that is not relevant or necessary to perform their job role.
During this phase and the next phase, PAM becomes a top priority
within an organization’s security strategy. Organizations at this
level are committed to the continuous improvement of privilege
management practices.
(Table columns: PAM Maturity Dimension | Typical Characteristics; table body not present in this extract)
It isn’t until the adaptive stage of maturity that most organizations get an
accurate picture of privileged service accounts and their dependencies.
The PAM Maturity Model is based on security industry best practices and Delinea’s
work with more than 10,000 customers of all types, ranging from organizations just
beginning their PAM journey to the most experienced and advanced PAM users. You can
apply lessons and guidance from the model to your cybersecurity strategy regardless
of the size of your company, your industry, or the number and type of systems you
need to secure. The model helps you navigate your PAM journey based on your own risk
drivers, budget, and priorities.
Organizations undergoing digital transformation will likely have more services in
the cloud and will need mature privilege management of cloud-based servers, DevOps
tools, and service accounts.
PAM
Password vaulting is the most common method for securing access with PAM solutions.
Within the context of enterprise IT and critical infrastructure, password vaulting
refers to taking privileged administrative accounts and passwords out of the direct
control of IT staff, and storing them securely in a software vault. The vault then
controls who is allowed privileged access, when it’s allowed, and for how long.
only the most basic control on an all-or-nothing basis. Human
users and machines gain access by checking out an administrator
account that either has full access privileges or none at all. Vaults
do not provide visibility or control of privileged actions performed
at the server level.
PSM
PSM refers to managing what someone is allowed to do after
they’ve logged in with a privileged account. There are several
ways organizations use software to manage access on systems or
manage a server session.
PEDM
Privilege elevation and delegation management (PEDM) is the
third element of PAM that provides more granular access controls
than what is typically offered in PAM and PSM tools. PEDM allows
you to apply PSM to both vaulting and elevation — it’s applicable
to both because remote sessions may originate through the vault
or directly with the server.
By combining PEDM, PAM, and PSM tools in a modern PAM
solution, IT can significantly reduce the number of privileged
accounts throughout the organization. Because privileged
accounts usually possess powerful access capabilities, they can
pose a serious risk if and when compromised by an attacker. By
eliminating or limiting the total number of privileged accounts,
organizations reduce the risk of abuse from malicious insiders
and external threats.
Legacy PAM was designed for the data center when PAM was easier to address with a
simpler solution. Modern PAM is designed for hybrid clouds, addressing new use cases
resulting from a distributed IT architecture and expanding identities that include
a remote workforce. Modern PAMaaS comprises new and intelligent technology such as
multi-directory brokering, MFA everywhere, consistent application of least
privilege, cross-domain discovery of hybrid cloud resources, service account
management, and adaptive and intelligent behavioral analytics.
IN THIS CHAPTER
»» Establishing identity as the starting point
for Zero Trust
Chapter 3
Aligning PAM with
Security Best Practices
In this chapter, you learn why identity is at the heart of best practices such as
Zero Trust and Zero Standing Privileges (ZSP), how the principle of least privilege
provides “just enough” access for privileged accounts, and how to take your
organization’s privileged access management (PAM) to the next level with advanced
capabilities.
critical to a successful Zero Trust strategy. You must be certain of
who (or what) is requesting access and what access permissions
are authorized for that identity.
Identity is key to Zero Trust. In fact, it’s not only a first step, but an ongoing
step in Zero Trust. The identity and associated permissions of a user or entity must
be verified before granting access and on an ongoing basis (near continuously in the
most robust Zero Trust implementations) for the duration of the session.
Zero Trust is the first step in redefining legacy PAM for the modern enterprise IT
threat landscape (see Figure 3-1). Organizations must discard the old “trust but
verify” model built on perimeter-based network security, which relied on implicit
user trust and well-defined logical boundaries. Instead, Zero Trust mandates a
“never trust, always verify, enforce least privilege” approach to privileged access
from inside or outside the network.
FIGURE 3-1: The shift from legacy PAM to modern PAM, founded on Zero Trust.
Least privilege is intended to prevent “over-privileged access” by users,
applications, or services and help reduce the risk of exploitation should user
credentials be compromised by an outside attacker or malicious insider. Thus, users
are granted only enough authority to complete a specific task or job. The least
privilege model can also help curtail costs and increase efficiency.
With ZSP, you strive to eliminate accounts and broad user access
privileges that are essentially “always on.” Removing these types
of accounts is ideal but not always possible (for example, “root,”
local administrator, “oracle,” and so on). Accounts that can’t be
removed should instead be secured in a vault with access strictly
controlled based upon a need-to-know (for example, emergency
or “break glass” use) involving management oversight via a
workflow-based access request and approval mechanism. These
controls help ensure that privileged accounts are available only
to legitimate entities (for example, human users or applications
and services) when they’re needed (just in time), via a password
checkout mechanism.
However, even if you secure these accounts in a vault, the
privileges are still attached to them and a residual risk remains.
For example, checking out a Windows local administrator account
password to configure a printer is overkill, and a malicious actor
could abuse such privileges.
One way to mitigate this risk is not to touch the vaulted account passwords, but
instead couple just-in-time privileges with privilege elevation. This allows a
legitimate user who has minimum privileges to request what they need and then
elevate privilege at the time of execution of a command or application (just in
time) that requires such rights. The incremental privileges are tied to the command
or application — not to the broader login session — and the privileges are
automatically revoked when the command completes or the application closes. In this
way, just enough privileges via elevation supports the ZSP model.
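As an added illustration (not code from this book or from Delinea), the following Python sketch models command-scoped just-in-time elevation: a grant is tied to one named command and a bounded window, never to the login session, and is revoked as soon as the command reports completion. The role names, commands and durations are constructed assumptions.

```python
"""Just-in-time privilege elevation scoped to a single command (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy (an assumption, not a product format): which roles may
# elevate which commands, and how long an unfinished grant stays usable.
POLICY = {
    "print-operator": {"commands": {"lpadmin"}, "ttl_seconds": 300},
    "dba": {"commands": {"systemctl restart postgresql"}, "ttl_seconds": 120},
}


@dataclass
class Grant:
    user: str
    command: str          # the one command this grant covers
    expires_at: datetime  # safety net if completion is never reported
    revoked: bool = False


@dataclass
class ElevationBroker:
    """Issues command-scoped grants and keeps an audit trail of every decision."""
    roles: Dict[str, Set[str]]                       # user -> role names
    audit: List[Tuple] = field(default_factory=list)
    _grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)

    def request(self, user: str, command: str, now: datetime) -> Optional[Grant]:
        """Grant elevation only if some role of the user allows exactly this command."""
        for role in self.roles.get(user, set()):
            rule = POLICY.get(role)
            if rule and command in rule["commands"]:
                grant = Grant(user, command, now + timedelta(seconds=rule["ttl_seconds"]))
                self._grants[(user, command)] = grant
                self.audit.append(("grant", user, command, now))
                return grant
        self.audit.append(("deny", user, command, now))
        return None

    def is_elevated(self, user: str, command: str, now: datetime) -> bool:
        """True only while a live, unexpired grant exists for this exact command.
        A grant for one command never spills over to another, and the login
        session itself carries no standing privilege."""
        g = self._grants.get((user, command))
        return g is not None and not g.revoked and now < g.expires_at

    def complete(self, grant: Grant, now: datetime) -> None:
        """The command finished (or the application closed): revoke immediately."""
        grant.revoked = True
        self.audit.append(("revoke", grant.user, grant.command, now))


def scenario() -> Dict[str, bool]:
    """Walk one user through request, use, completion and expiry."""
    broker = ElevationBroker(roles={"alice": {"print-operator"}})
    t0 = datetime(2022, 1, 1, 9, 0)
    grant = broker.request("alice", "lpadmin", t0)
    results = {
        "granted": grant is not None,
        "elevated_for_command": broker.is_elevated("alice", "lpadmin", t0 + timedelta(seconds=10)),
        # no spill-over to a command outside the role's allow-list
        "other_command_denied": broker.request("alice", "systemctl restart postgresql", t0) is None,
        "other_command_not_elevated": not broker.is_elevated(
            "alice", "systemctl restart postgresql", t0),
    }
    broker.complete(grant, t0 + timedelta(seconds=20))
    results["revoked_on_completion"] = not broker.is_elevated(
        "alice", "lpadmin", t0 + timedelta(seconds=21))
    # a grant whose command never reports completion still dies at its TTL
    broker.request("alice", "lpadmin", t0 + timedelta(seconds=30))
    results["expired_by_ttl"] = not broker.is_elevated(
        "alice", "lpadmin", t0 + timedelta(seconds=331))
    results["audit_has_deny"] = any(e[0] == "deny" for e in broker.audit)
    return results


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```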
However, traditional MFA policies are static (for example, MFA
is always enforced, only enforced for certain accounts, or only
required when logging in remotely). These policies can quickly
become stale and rarely cover all the bases with regard to different
risk-based scenarios. Adaptive MFA enables more granularity
and control for the organization. For example, authentication
profiles can be created for specific users or groups, which allows
the organization to be selective about whether to challenge a user
with one or more additional factors and which authentication
methods to permit. These methods may include
Just-in-time privilege elevation
Just-in-time privilege elevation (that is, ZSP) is a fundamental security practice
where the privilege granted to access applications or systems is limited to
predetermined periods of time or on an as-needed basis. This helps to minimize the
risk of standing privileges that attackers or malicious insiders can readily exploit.
»» Location
»» Actions
»» Timing
Advanced PAM solutions apply a least privilege (“just enough”)
strategy by controlling where users can access privileged
accounts and what actions they can perform when they have
accessed an account. Controlling when access is granted adds the
critical time dimension to the security equation. Just-in-time
privilege elevation helps to remove the risks associated with
standing privileges.
and rotate the credentials after the user checks in the account
or the specified time expires. This ensures that the credentials
are unknown to whoever just used them, and the risk of privilege
abuse is significantly reduced.
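The check-out, check-in and rotate cycle described above, as an added Python illustration that is not the book's or Delinea's code: the vault hands out a secret for a bounded window and rotates it on check-in or on expiry, so the value a user saw no longer authenticates. The account name, durations and the target-system `verify` check are constructed assumptions.

```python
"""Vault checkout with rotation on check-in or expiry (added example)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class VaultedAccount:
    name: str
    secret: str
    checked_out_by: Optional[str] = None
    due_back: Optional[datetime] = None


class Vault:
    """Exclusive, time-boxed checkout of privileged credentials."""

    def __init__(self, accounts: List[str], checkout_seconds: int = 900):
        self._accounts = {a: VaultedAccount(a, self._new_secret()) for a in accounts}
        self._ttl = timedelta(seconds=checkout_seconds)
        self.audit: List[Tuple] = []

    @staticmethod
    def _new_secret() -> str:
        return secrets.token_urlsafe(24)  # fresh random secret on every rotation

    def checkout(self, user: str, account: str, now: datetime) -> Optional[str]:
        acct = self._accounts[account]
        self._expire_if_due(acct, now)
        if acct.checked_out_by is not None:
            self.audit.append(("deny", user, account, now))
            return None  # one holder at a time keeps actions attributable
        acct.checked_out_by, acct.due_back = user, now + self._ttl
        self.audit.append(("checkout", user, account, now))
        return acct.secret

    def checkin(self, user: str, account: str, now: datetime) -> bool:
        acct = self._accounts[account]
        if acct.checked_out_by != user:
            return False  # only the holder can return the account
        self._rotate(acct, "checkin", now)
        return True

    def verify(self, account: str, presented: str, now: datetime) -> bool:
        """Stand-in for the target system (assumption): the vault is modelled as
        having pushed each rotated secret to it, so only the current one works."""
        acct = self._accounts[account]
        self._expire_if_due(acct, now)
        return secrets.compare_digest(acct.secret, presented)

    def _expire_if_due(self, acct: VaultedAccount, now: datetime) -> None:
        if acct.due_back is not None and now >= acct.due_back:
            self._rotate(acct, "expired", now)

    def _rotate(self, acct: VaultedAccount, reason: str, now: datetime) -> None:
        acct.secret = self._new_secret()
        acct.checked_out_by, acct.due_back = None, None
        self.audit.append(("rotate", reason, acct.name, now))


def scenario() -> Dict[str, bool]:
    """Two users share one vaulted account; the secret each saw stops working."""
    t0 = datetime(2022, 1, 1, 9, 0)
    vault = Vault(["root@db01"], checkout_seconds=900)          # 15-minute window
    first = vault.checkout("alice", "root@db01", t0)
    results = {
        "first_checkout_ok": first is not None,
        "concurrent_checkout_denied": vault.checkout("bob", "root@db01", t0 + timedelta(minutes=1)) is None,
        "valid_while_checked_out": vault.verify("root@db01", first, t0 + timedelta(minutes=2)),
        "checkin_by_holder": vault.checkin("alice", "root@db01", t0 + timedelta(minutes=3)),
    }
    results["old_secret_dead_after_checkin"] = not vault.verify(
        "root@db01", first, t0 + timedelta(minutes=4))
    second = vault.checkout("bob", "root@db01", t0 + timedelta(minutes=5))
    results["second_checkout_ok"] = second is not None and second != first
    # bob never checks in; the window closes at t0+20 and the vault rotates anyway
    results["old_secret_dead_after_expiry"] = not vault.verify(
        "root@db01", second, t0 + timedelta(minutes=21))
    results["rotations_logged"] = sum(e[0] == "rotate" for e in vault.audit) == 2
    return results


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {ok}")
```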
Risk-based analytics
Risk-based analytics provide valuable insights into what actions
users or entities perform with privileged access. This information
is used to train machine learning algorithms to support MFA by
looking at user behavior. Risk-based analytics can be applied at
multiple access control gates, including the following:
Life-cycle management of service accounts
Service accounts run critical scheduled tasks, batch jobs, application pools, and
more across a complex network of databases, applications, and file systems both on
premises and in the cloud.
accounts, so access to one service provides access to many,
expanding your attack surface and increasing your risk.
GLOBAL ORGANIZATION LEVERAGES DELINEA
A large American organization with a global presence was having trouble controlling
its privileged access. The company adopted Delinea Privileged Access Management
(PAM), implementing a limited number of licenses meant to cover their most
critical — and frequently audited — systems.
Eventually the company extended Delinea PAM across its entire infrastructure to
better manage access and privilege, significantly enhance security, and alleviate
pressure on IT staff.
Challenges
Solution
The company needed to manage user access across its entire Linux
environment. It needed to easily grant and rescind privileges, and it
needed the ability to tie every action taken with a specific person in
order to illustrate accountability to auditors. It identified the following
features as essential:
• Centralized authentication: The solution would need to centralize
discovery, management, and user administration for Linux and
UNIX systems through Active Directory.
• Multifactor authentication (MFA): MFA would be required at
both the vault and server level, so the solution would need to
coexist with the company’s existing vault technology.
• Least privilege: The solution would need to provide just enough privilege,
granted just in time and for a limited time only. A secure, automated process of
privilege elevation would grant administrators the ability to perform tasks without
a root password.
• Compliance: The solution would need auditing and reporting
capabilities to prove an existing secure access methodology and
adherence to Payment Card Industry (PCI), General Data
Protection Regulation (GDPR), and multiple countries’ privacy laws.
Results
IN THIS CHAPTER
»» Using the PAM Maturity Model
Chapter 4
Ten Keys to a Successful
PAM Journey
Here are ten tips to help you plan and execute a successful privileged access
management (PAM) journey for your on-premises and cloud server resources.
Recognize That Comprehensive PAM Requires Vaulting and Privilege Elevation
A complete PAM solution requires both privileged account and session management
(PASM) and privilege elevation and delegation management (PEDM) to protect your
business against data breaches. Take the next logical step in PAM maturity. Build
on a solid foundation of password vaulting with privilege elevation to enable
self-protect capabilities in your servers.
Perform a data risk assessment to identify privileged accounts that have access to
sensitive data and the users who have access to them; then take steps to not only
harden the application housing the data but also limit access by regular accounts.
Ensure those accounts are subject to higher security scrutiny and protocols.
Requiring a hardware authenticator token or software authenticator
such as Microsoft Authenticator or Google Authenticator provides
stronger MFA assurance than an email or Short Message Service
(SMS) text passcode. Particularly for administrator access, use of
phishing-resistant second factors such as Fast Identity Online
(FIDO) authenticators (discussed in Chapter 3) is recommended.
Control new privileged user account creation with a formal
review and approval process. The creation of any new privileged
user account should be subject to specific reviews and approvals
involving a peer, supervisor, or security review.
»» Accounts used to access security tools, such as virtual private
networks (VPNs)
»» Wi-Fi accounts
»» Hardware accounts, such as basic input/output system
(BIOS) and Intel vPro
»» Network and security equipment accounts
WILEY END USER LICENSE AGREEMENT
Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.