
These materials are © 2022 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.


Cloud Server Privilege Management
Delinea Special Edition

by Lawrence Miller and Tony Goulding

Cloud Server Privilege Management For Dummies®,
Delinea Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2022 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without
the prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. All other trademarks are the property of their respective owners. John
Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHORS HAVE
USED THEIR BEST EFFORTS IN PREPARING THIS WORK, THEY MAKE NO REPRESENTATIONS
OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES, WRITTEN
SALES MATERIALS OR PROMOTIONAL STATEMENTS FOR THIS WORK. THE FACT THAT AN
ORGANIZATION, WEBSITE, OR PRODUCT IS REFERRED TO IN THIS WORK AS A CITATION AND/
OR POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE PUBLISHER
AND AUTHORS ENDORSE THE INFORMATION OR SERVICES THE ORGANIZATION, WEBSITE, OR
PRODUCT MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. THIS WORK IS SOLD WITH
THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING PROFESSIONAL
SERVICES. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR
YOUR SITUATION. YOU SHOULD CONSULT WITH A SPECIALIST WHERE APPROPRIATE. FURTHER,
READERS SHOULD BE AWARE THAT WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
NEITHER THE PUBLISHER NOR AUTHORS SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY
OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL,
CONSEQUENTIAL, OR OTHER DAMAGES.

ISBN 978-1-394-15859-1 (pbk); ISBN 978-1-394-15860-7 (ebk)

For general information on our other products and services, or how to create a custom For
Dummies book for your business or organization, please contact our Business Development
Department in the U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/
custompub. For information about licensing the For Dummies brand for products or services,
contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments
Some of the people who helped bring this book to market include the following:
Project Editor: Elizabeth Kuball
Acquisitions Editor: Ashley Coffey
Editorial Manager: Rev Mengle
Senior Client Account Manager: Matt Cox
Production Editor: Saikarthick Kumarasamy
Special Help: David McNeely, Sara Otremba, Israel Biscaia, Jayson Gehri, Shweta Khare

Table of Contents
INTRODUCTION ..... 1
About This Book ..... 1
Foolish Assumptions ..... 2
Icons Used in This Book ..... 2
Beyond the Book ..... 3

CHAPTER 1: Looking at the Current State of Hybrid Cloud Server Security ..... 5
Understanding Server Access Vulnerabilities ..... 5
Recognizing the Impact of Ransomware and Supply-Chain Attacks ..... 8
Balancing Productivity and Security in Remote Access ..... 10

CHAPTER 2: Planning a Long-Term Privileged Access Management Initiative ..... 13
Looking at the PAM Maturity Model ..... 13
Phase zero: High risk ..... 16
Phase one: Foundational ..... 17
Phase two: Enhanced ..... 18
Phase three: Adaptive ..... 21
Planning Your PAM Journey ..... 23
Understanding Key Parts of PAM: Vault and Privilege Escalation ..... 24
PAM ..... 24
PSM ..... 25
PEDM ..... 25
On-Premises Server Security and Modern PAM as a Service ..... 26

CHAPTER 3: Aligning PAM with Security Best Practices ..... 27
Implementing Zero Trust Identity ..... 27
Enforcing Least Privilege ..... 28
Enabling Advanced PAM Maturity for Stronger Server Protection ..... 30
Adaptive multifactor authentication ..... 30
Just-in-time privilege elevation ..... 32
Advanced session recording ..... 33
Risk-based analytics ..... 33
Life-cycle management of service accounts ..... 34

CHAPTER 4: Ten Keys to a Successful PAM Journey ..... 39
Embrace the PAM Maturity Model ..... 39
Recognize That Comprehensive PAM Requires Vaulting and Privilege Elevation ..... 40
You Can’t Effectively Manage and Protect What You Can’t See ..... 40
Start with Zero Trust Identity and Least Privilege ..... 41
Enforce Multifactor Authentication Everywhere ..... 41
Choose a Future-Proof PAM-as-a-Service Solution ..... 42
Leverage Automation and Machine Learning ..... 42
Implement Policy-Based Access Controls ..... 42
Protect All Your Privileged Accounts ..... 43
Increase Awareness and Empower Employees ..... 44

Introduction
Ransomware and supply-chain attacks are on the rise, and
stolen passwords and credentials are the primary means
used by cybercriminals to breach organizational systems
and networks. According to the 2022 Verizon Data Breach
Investigations Report (DBIR), more than 80 percent of cyberattacks
today involve the use of stolen credentials — a familiar tactic over
the past several years. This trend emphasizes the importance of
strong authentication and authorization at the workstation and
server levels.

There is a common misconception that privileged access management
(PAM) is just a vault for administrative passwords and
secret keys. However, vaulting must be combined with privilege
elevation to fully implement the principle of least privilege and
minimize the enterprise attack surface. Modern PAM is a pro-
active solution that organizations implement to reduce the risks
associated with privileged credentials, as well as to help address
their regulatory and cyber insurance requirements.

About This Book

Cloud Server Privilege Management For Dummies, Delinea Custom
Edition, consists of four chapters that explore the following:

»» How server access vulnerabilities, ransomware and supply-chain
attacks, and remote access challenges are shaping the
hybrid cloud security landscape (Chapter 1)
»» How to assess your current PAM maturity and plan your
PAM journey (Chapter 2)
»» How to align PAM with security best practices including Zero
Trust, least privilege, and more (Chapter 3)
»» Ten keys to a successful PAM journey (Chapter 4)
Each chapter is written to stand on its own, so if you see a topic
that piques your interest, feel free to jump ahead to that chapter.
You can read this book in any order that suits you (though I don’t
recommend upside down or backward).

Foolish Assumptions
It has been said that most assumptions have outlived their
uselessness, but I assume a few things nonetheless.

Mainly, we assume that you’re an IT or security executive, a
server administrator, or a cloud architect. As such, you’re likely
responsible for identifying and implementing strategic IT initia-
tives, overseeing IT and security teams that manage operations
and systems performance, and identity and access management
(IAM) in a hybrid environment comprised of public cloud and on-
premises server resources. Thus, we assume you’re somewhat
technical and you have at least some understanding of PAM fun-
damentals and concepts, but you’re interested in learning more
about how a modern PAM solution can help your organization
reduce its attack surface and improve its security posture.

If any of these assumptions describes you, then this is the book
for you! If none of these assumptions describes you, keep reading
anyway — it’s a great book and after reading it, you’ll have the
privilege of being a PAM guru!

Icons Used in This Book

Throughout this book, we occasionally use special icons to call
attention to important information. Here’s what to expect:

This icon points out important information you should commit
to your nonvolatile memory, your gray matter, or your noggin.

This icon explains the jargon beneath the jargon and is the stuff
legends — well, legendary nerds — are made of.

Tips are appreciated, but never expected, and we sure hope you’ll
appreciate these useful nuggets of information.

These alerts point out the stuff your mother warned you about.
Well, probably not, but they do offer practical advice.

Beyond the Book

There’s only so much we can cover in this short book, so if you
find yourself at the end wondering, “Where can I learn more?,” go
to https://delinea.com.

IN THIS CHAPTER
»» Understanding server access security
»» Assessing the impact of ransomware and supply-chain attacks
»» Striking the right balance between security and productivity

Chapter 1
Looking at the Current State of Hybrid Cloud Server Security

This chapter explores server access vulnerabilities, recent
ransomware and supply-chain attacks and their impacts,
and the need to balance security and productivity.

Understanding Server Access Vulnerabilities

Modern enterprise IT environments have become highly diverse
and distributed. Most organizations still maintain a significant
number of servers in a local, on-premises data center. Meanwhile,
cloud transformation projects are accelerating, with new types
of servers emerging, including cloud workloads, containers,
microservices, and so on. These various server instances may also
be deployed across multiple cloud platforms such as Amazon Web
Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

At the same time, the number of users with access to servers
has grown exponentially. In addition to traditional IT server

and database administrators, you also now have DevOps teams
orchestrating hundreds of virtual server instances and containers
in public clouds using infrastructure as code (IaC) literally every
day. So, more than ever, secure remote access to servers is a
must-have.

The elastic and dynamic world of the cloud is very different
from the traditional enterprise data center. Diverse, distributed
server environments are harder to manage and secure. You have
multiple operating systems and applications with different risk
profiles. Typically, each cloud server is governed by different
policies, rather than a consistent security framework across
teams, geographies, and business units.

Typical server attack vectors include the following:

»» Server attacks through user workstations: With employees
working remotely and organizations adopting more
cloud services to support them, the user workstation attack
surface is bigger than ever. Any attack that gains access to
the user’s workstation gives the threat actor a foothold and
stepping-stone into the server network. The common bad
practice of giving the user local administrator account access
(to install desktop applications, update drivers, connect to
printers, and so on) plays into the attackers’ hands. If a threat
actor gets access to this privileged local administrator
account, they own the workstation and can exploit it to get
access to other areas of the network — including servers.
Without proper server security controls, an attacker can
install hacking tools and move from workstations to servers
with ease. The use of virtual private networks (VPNs) has
expanded massively in the wake of COVID-19. VPNs typically
don’t support granular access controls. Instead, the user’s
workstation is granted access to the corporate network and
infections can easily spread. Also, VPNs typically rely on a
jump host (or gateway) that can expose users (or attackers)
to the broader network instead of surgically connecting the
user only to the desired (or target) system.
»» Server attacks through a password manager: Some
organizations rely on weak, consumer-grade password
managers that provide a false sense of security. But not all
password managers are created equal. If a password
manager isn’t properly protected and a user is phished or an
insider goes rogue, the threat actor can gain a foothold on a

server. An enterprise password vault provides better security
than a password manager because it can be deployed, used,
and managed centrally. A vault can also be configured as a
proxy through which all remote sessions are launched and
role-based access controls (RBACs) can also be properly
implemented. However, if an attacker circumvents the vault,
they can also bypass vault-based access controls and session
recording capabilities, making it harder to identify the source
of an attack.
»» Server attacks directly on the server: A disgruntled or
malicious employee can often bypass the end-user worksta-
tion, or sidestep or disable security controls, and target a
server directly — whether that server is in the cloud or on
premises. An external threat actor who is already on the
network and has stolen privileged credentials will move
laterally from server to server to gain access to sensitive data
and exfiltrate it or encrypt it for ransom.

Humans, applications, and services use privileged accounts and
their associated roles and rights to log into server infrastructure
and run administrative tasks. Cybercriminals use these same
accounts for very different, nefarious purposes.

Securing accounts and their associated entitlements to log into
machines and run privileged commands and applications is
critical to server security. Should these privileged accounts fall
into the wrong hands, your systems and data will be at risk.

Unfortunately, enterprises continue to struggle with server security
for the following reasons:

»» Native server security is insufficient. Although Windows
servers have built-in centralized policy management and
local enforcement, they rely heavily on Active Directory (AD)
for creating and managing access control policies.
Mechanisms for AD are very convoluted and brittle. Windows
admin teams have complex role and rights management
tasks — and they don’t want to touch AD for fear of breaking
it. So, these rules and mechanisms — and the accounts and
permissions that they provision — grow over time.
UNIX/Linux servers are traditionally managed on a per-
machine basis rather than via a centralized directory service
like AD. The file/folder system for UNIX/Linux servers allows
for only three levels of standard access (owner, group, and

world). Each has read/write/execute permissions. That’s it.
The owner — the person who created a file — can do
whatever they want. Access is neither granular nor time-
limited. There’s no request and approval process. As a result,
users have excessive standing privileges that increase
risk — particularly in a modern cloud/DevOps world where
Linux is the preferred operating system for many.
»» Traditional tools can’t adapt to today’s requirements for
server security in a hybrid environment. It’s common for
organizations to deploy a privileged access management
(PAM) tool to address server access security. The problem is
that many organizations are still using tools built more than
a decade ago for servers in data centers where everything
was on the same network. These products weren’t designed
to handle today’s hybrid on-premises and cloud server
environment without high cost and effort, even if the tool
has been “cloudwashed” — that is, running the legacy tool in
a cloud instance.

Recognizing the Impact of Ransomware and Supply-Chain Attacks

High-profile ransomware and supply-chain attacks are increas-
ingly exploiting privileged accounts to target organizations and
their server assets.

Ransomware attacks are increasing drastically on a global scale. The
United States, for example, has seen a rise of nearly 200 percent in
the past two years. The average cost of a data breach in 2022 was
$4.35 million (www.ibm.com/security/data-breach).

Cybercriminals are also getting more sophisticated, and ransom
demands continue to skyrocket. Email is still a common attack
vector for cybercriminals who use phishing campaigns for account
takeover, giving the attacker a local credential. Most ransomware
attacks now involve cybercriminals gaining unauthorized access
to a target environment using stolen credentials. A cybercriminal
may dwell in a target environment for weeks or months — moving
laterally across the network, establishing persistence, harvesting
(or creating) additional credentials, and installing ransomware on

as many systems as possible — all while exfiltrating copies of
sensitive data (see Figure 1-1) to potentially be used in a double or
triple extortion attack.

FIGURE 1-1: Threat actors take advantage of dwell time to perform many
activities during a stealthy, “low and slow” ransomware attack.

In a double extortion ransomware attack, a cybercriminal threatens
to expose sensitive data that has been exfiltrated before the
ransomware encrypts the data. The target organization must pay a
ransom to recover its data that has been encrypted by the ransom-
ware, and an additional ransom to avoid having their data publicly
exposed. Of course, there’s no guarantee that the cybercriminal
won’t expose or sell the data — even if the ransom is paid. In a triple
ransomware attack, a cybercriminal goes a step further, launching
a distributed denial-of-service (DDoS) attack against the original
target and/or directly targeting individuals who are identified in
sensitive data and threatening to publish their sensitive personal
information (such as financial data and health records).

Ransomware payouts have become so lucrative that ransomware
developers have emerged to sell or establish an affiliate program
for their tools and expertise, offering ransomware as a service
(RaaS). In this new model, cybercriminals create ransomware
and sell it to other cybercriminals or provide it for free. The RaaS
provider may even offer to negotiate the ransom and facilitate
payment on the affiliate’s behalf, making it a complete turnkey
gambit. The attackers deploy the software, collect the ransom
from their targets, and provide a percentage of the ransom back
to the creator (see Figure 1-2). The creator has minimal risk and
broader opportunities for success.

Ransomware could further evolve into a subscription model where
you pay the criminal gangs not to target you. The Delinea 2021
State of Ransomware Survey and Report found that two out of three
companies surveyed were victims of a cyberattack in the last
12 months, and more than four out of five felt they had no choice
but to pay the ransom demands.

FIGURE 1-2: How cybercriminals use ransomware as a service and stolen
credentials to launch attacks.

Supply-chain attacks are also contributing to the notoriety of
cybercriminals and ransomware. In late 2020, the SolarWinds
attack demonstrated the vulnerability and widespread potential
for damage across the software supply chain when cybercriminals
installed malware into SolarWinds’ Orion software. More than
18,000 SolarWinds customers were impacted by the attack,
including Microsoft; the U.S. departments of Commerce,
Homeland Security, State, and Treasury; and the U.S. National
Institutes of Health (NIH). In 2021, several ransomware attacks
disrupted critical U.S. energy and food supply chains.

Balancing Productivity and Security in Remote Access

In our modern global economy, businesses must constantly and
rapidly innovate to deliver new products and services to market.
Thus, employees and their managers are laser-focused on pro-
ductivity. But security and productivity have always been at odds
with each other.

Users perceive security as a bottleneck to productivity. Logging in
with usernames and passwords that were difficult to remember
and had to be changed frequently was enough of a hassle to users.
Now, multifactor authentication (MFA) is increasingly being
enforced, requiring yet another step by users to verify and autho-
rize their access. VPNs are commonly required for remote access
but also require user interaction and can significantly slow down
network performance.

Yet, despite these perceived burdens, security is indisputably
critical to every organization. Users largely understand the risk
at some level, but they still look for creative ways to circumvent
complex and confusing security controls.

The COVID-19 pandemic hastened the need for secure remote
access to support work-from-home (WFH) and work-from-anywhere
(WFA) models. As a result, the enterprise attack surface has
grown exponentially. Organizations have less visibility and
control of the devices (and the potentially unsecure home Wi-Fi
networks) accessing the enterprise network.

Least privilege is one example of a well-known security best
practice that many organizations struggle to implement. Least
privilege describes the concept of limiting user and application
access to privileged accounts through various controls and tools
without impacting productivity. According to the Delinea Global
State of Least Privilege Security report, complaints from users are the
single biggest cause of failure in least privilege implementations
(see Figure 1-3). When implementing strict controls for least
privilege, organizations can negatively impact user productivity.
Thus, it’s critical to create a strategy for least privilege that limits
end users’ privileges without preventing them from successfully
doing their jobs.

FIGURE 1-3: Complaints from employees are cited as the single biggest factor
(46 percent) in failed least-privilege implementations.

To be successful in securing the enterprise attack surface, you
need to implement security controls and solutions that minimize
the impact on user productivity and reduce employee friction.
Security should be seamless — if not invisible — to your users.

IN THIS CHAPTER
»» Assessing your organization’s current PAM maturity level
»» Determining your next steps on the PAM journey
»» Understanding the role of vaults and privilege escalation in PAM
»» Implementing on-premises server security and modern PAM as a service

Chapter 2
Planning a Long-Term Privileged Access Management Initiative

In this chapter, you find out about the Delinea Privileged Access
Management (PAM) Maturity Model, how to assess your
organization’s current level of PAM maturity and plan your
PAM journey, the role of vaults and privilege escalation in PAM,
and modern PAM solutions for hybrid environments.

Looking at the PAM Maturity Model

The Delinea PAM Maturity Model is a framework to help you
systematically lower privileged access risk, increase business agility,
and improve operational efficiency in your organization. The PAM
Maturity Model outlines four phases as shown in Figure 2-1.

As you progress through the phases of the Maturity Model, you
expand your protection to include more types of privileged users,
sensitive systems, and their privileged accounts. The more mature
your organization is, the more your attack surface is under control.

FIGURE 2-1: The four phases of the Delinea PAM Maturity Model.

Most organizations have significantly more privileged accounts
and systems than employees. A by-product of cloud migration is a
much larger attack surface due to an exponential increase in priv-
ileged accounts and virtual systems. Privileged accounts include
domain administrator accounts, local accounts, and nonhuman
service accounts that can run applications, databases, and other
communications and data exchanges between systems.

In a mature PAM strategy, the term privileged user isn’t limited
to IT users with administrative permissions. Instead, privileged
users also include business users who access financial, personal,
or other sensitive information from web apps and developers who
build products on platforms using Amazon Web Services (AWS),
Microsoft Azure, Google Cloud Platform, or their own private
cloud.

In each phase of the model, the scope of privileged users and
use cases expands. For example, organizations in Phase 1 (Foun-
dational) are focused on privileged accounts and secure remote
access. Organizations in Phase 2 (Enhanced) focus on privileged
access and least privilege. In Phase 3 (Adaptive), intelligence and
automation are the primary focus.

“Privileged access” includes not only who can access what, but
also what they can do with that access and when they can do it.

PAM maturity begins with static policies and controls and
becomes more granular and dynamic in each phase. Native
operating-system controls aren’t sufficiently granular. As you
progress along your PAM journey, you add more granular controls
and implement conditions and time limits to access. Ultimately,
access controls become risk-based and adapt as your risk profile changes.
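To make the contrast concrete, here is an added example (not from the book or from Delinea) that evaluates the standing owner/group/world check Chapter 1 describes for UNIX/Linux files alongside a granular grant that carries the conditions and time limits this paragraph describes: the user names, host, command and timestamps are constructed for the demonstration.

```python
"""Contrast of the standing UNIX owner/group/world model with a granular,
time-limited, approval-backed grant. Added example; user names, host,
command and timestamps are constructed, not taken from the book."""
from dataclasses import dataclass
from datetime import datetime, timezone
import stat

UTC = timezone.utc


def unix_effective_perms(mode: int, file_uid: int, file_gid: int,
                         uid: int, gids: frozenset) -> str:
    """Return the r/w/x a user has on a file under classic UNIX DAC rules.

    Exactly one class applies (owner, else group, else world) and the
    answer is standing: nothing here can express a time window, an
    approval, or a restriction to particular commands.
    """
    if uid == 0:  # Linux root (CAP_DAC_OVERRIDE) reads and writes anything
        bits = 6 | (1 if mode & 0o111 else 0)  # and executes if any x bit is set
    elif uid == file_uid:
        bits = (mode & stat.S_IRWXU) >> 6
    elif file_gid in gids:
        bits = (mode & stat.S_IRWXG) >> 3
    else:
        bits = mode & stat.S_IRWXO
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


@dataclass(frozen=True)
class Grant:
    """A just-in-time elevation: who, on which host, which commands, when."""
    user: str
    host: str
    commands: frozenset        # exact privileged command lines allowed
    not_before: datetime
    not_after: datetime
    approved_by: str           # the request-and-approval record


def evaluate_grant(grants, user: str, host: str, command: str,
                   now: datetime) -> tuple:
    """Decide whether `command` may run elevated for `user` on `host` now.

    Returns (allowed, reason). A denial carries the most specific reason
    found, so the audit trail records why no standing access was assumed.
    """
    reason = f"no grant for {user} on {host}"
    for g in grants:
        if g.user != user or g.host != host:
            continue
        if command not in g.commands:
            reason = f"command {command!r} is outside the scope approved by {g.approved_by}"
            continue
        if now < g.not_before:
            reason = f"grant not valid until {g.not_before.isoformat()}"
            continue
        if now > g.not_after:
            reason = f"grant expired at {g.not_after.isoformat()}"
            continue
        return True, f"within window; scope approved by {g.approved_by}"
    return False, reason


# Constructed sample: alice may restart nginx on web-01 for a two-hour window.
SAMPLE_GRANTS = (
    Grant("alice", "web-01", frozenset({"systemctl restart nginx"}),
          datetime(2022, 6, 1, 9, 0, tzinfo=UTC),
          datetime(2022, 6, 1, 11, 0, tzinfo=UTC), approved_by="bob"),
)


def demo_decisions():
    """Run the constructed scenarios and return [(allowed, reason), ...]."""
    t10 = datetime(2022, 6, 1, 10, 0, tzinfo=UTC)
    t12 = datetime(2022, 6, 1, 12, 0, tzinfo=UTC)
    restart = "systemctl restart nginx"
    return [
        evaluate_grant(SAMPLE_GRANTS, "alice", "web-01", restart, t10),  # allowed
        evaluate_grant(SAMPLE_GRANTS, "alice", "web-01", restart, t12),  # expired
        evaluate_grant(SAMPLE_GRANTS, "alice", "web-01", "bash", t10),   # out of scope
        evaluate_grant(SAMPLE_GRANTS, "carol", "web-01", restart, t10),  # no grant
    ]


if __name__ == "__main__":
    # Native model: the owner of a 0o640 file holds rw- for as long as the file exists.
    print("owner :", unix_effective_perms(0o640, 1000, 100, 1000, frozenset({100})))
    print("group :", unix_effective_perms(0o640, 1000, 100, 1001, frozenset({100})))
    print("world :", unix_effective_perms(0o640, 1000, 100, 1002, frozenset({200})))
    # Granular model: same person and host, but scoped to a command and a window.
    for allowed, why in demo_decisions():
        print("ALLOW" if allowed else "DENY ", "-", why)
```

The UNIX function answers only "can this class touch this file"; the grant evaluator answers "which user, on which host, for which command, during which approved window", which is the difference between standing and just-in-time privilege.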

Intelligence and automation increase as well. Shifting from man-
ual to automatic password creation and rotation is the first major
step. From there, more capabilities are automated, until, ulti-
mately, PAM is continuously learning and adapting as an intel-
ligent system.

Integration with other enterprise tools is a key aspect of automation.
Thus, as your organization’s maturity increases, more tech-
nologies are integrated, to the point where virtually all privileged
users access PAM via another system — such as their IT service
management (ITSM) or identity governance and administration
(IGA) tools, continuous integration/continuous deployment (CI/
CD) tooling for DevOps, web browsers, native clients, and so on —
making PAM virtually invisible to your end users.

PAM maturity is also multidimensional and includes the following:

»» Governance, risk, and compliance (GRC): How strong is
the integrity of your system, and how much visibility and
oversight do you have?
»» Privilege administration: How do you create, define, and
manage privileges across your organization?
»» Identity and access management (IAM): How strong are
your authorization controls, and how granular are your
access controls?

These dimensions span all the phases of maturity. They’re based
on U.S. National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-53, which provides a catalog of secu-
rity and privacy controls for information systems and organiza-
tions. Customers can measure their maturity based on the PAM
investments in each phase and the degree to which they contrib-
ute to these dimensions.

The three dimensions of maturity aren’t tied to specific job roles or business functions. For example, governance may be shouldered by people responsible for IT infrastructure or desktop teams, not necessarily by a central GRC function alone.

The next sections show you how to evaluate your organization’s PAM maturity along these three dimensions. It’s not unusual for an organization to be more mature in one dimension than another. After you determine your maturity level, you’ll be able to prioritize your activities so one dimension doesn’t accelerate too rapidly without the support of the others.

CHAPTER 2 Planning a Long-Term Privileged Access Management Initiative 15

Phase zero: High risk
The key for organizations in phase zero of PAM maturity is to
recognize their risk and plan for action.

Organizations in this phase secure their privileged accounts in a limited way, if at all. They typically set up privileges manually and may keep track of them via spreadsheets. As a result, they often provide excess privileges to people who don’t need them, share privileges among multiple administrators, and neglect to remove privileges promptly when users leave the organization or change roles.

These organizations tend to have minimal complexity requirements for password creation and use single-factor authentication, which opens the door to password cracking.

Service accounts are created “in the wild,” leading to poor documentation, poor mapping to applications or core services, static passwords that are rarely (if ever) changed, and “re-usage,” where a single account is used repeatedly for numerous services.

It’s also common in UNIX/Linux environments for administrators to create their own local privileged accounts because they don’t have a single, unified account (like an Active Directory account) to log in across all their systems. This greatly increases the risk associated with a single compromised account that potentially exposes a significant portion of the enterprise attack surface.

Security and operations teams are typically unaware of the breadth of web applications in use and allow users to make independent decisions regarding privileged access and permissions.

These organizations have a high degree of cyber risk. If an external attacker or malicious insider has access to privileged accounts, they can steal confidential information, disrupt IT infrastructure (or even shut it down), and cost the organization millions of dollars.

Table 2-1 lists the typical characteristics associated with organizations at phase zero of the maturity model.

The /etc/sudoers file is used to determine if an account has permission to run commands that require elevated privileges on UNIX/Linux systems. Often, the default sudoers file grants members of the local “wheel” group privileges, so be sure to check its membership.

TABLE 2-1 Typical Characteristics of Organizations at Phase Zero

PAM maturity dimension: GRC
»» There is no PAM vault.
»» There is no centralized inventory of all assets in the environment.
»» There is no easy way to report on user access permission and privileges.
»» There is no easy way to reconcile who has access to what, who did what, and who approved access.
»» Failed audits occur.

PAM maturity dimension: Privilege administration
»» Domain admin group membership is used for Windows servers and workstations.
»» Local accounts are created on each UNIX/Linux system in /etc/passwd and privileges are managed in the /etc/sudoers file.

PAM maturity dimension: IAM
»» There are no centralized access controls and/or identity management.
»» Local admin accounts are used.
»» It’s difficult to determine who has access to what and what privileges they have.

Phase one: Foundational
The key for organizations in phase one of PAM maturity is to gain visibility of all assets and their privileged accounts across the environment and begin to reduce the size of the attack surface.

With complete visibility, organizations can begin to take control of their environment by vaulting local admin and privileged accounts. They focus first on privileged accounts managed by domain administrators and other IT users.

After the organization has vaulted all admin and privileged accounts and configured periodic credential rotation, it’s important to establish better processes to enable administrative and help-desk staff to securely access systems without exposing the vaulted privileged accounts. Secure remote access and jump host PAM capabilities facilitate automated login without passwords being revealed.

Although organizations at this stage are more mature than organizations at phase zero, they continue to operate in a reactive mode. They often have numerous, disconnected tools and processes rather than an integrated system that is centrally managed and controlled by policies. They don’t differentiate access based on roles, don’t have sufficient visibility into account usage, and can’t easily or automatically produce reports or compliance documentation.

Organizations in this stage must make periodic pushes to rediscover new accounts across the network. Occasionally, business-critical applications experience downtime or fail because service accounts that are reused haven’t been associated with the corresponding service account managed in the PAM solution. This can lead to business interruptions, diminish customer experiences, and create a culture of mistrust between teams, making full adoption of a PAM solution difficult.

For administrators, you can optionally assign two accounts. One is public, on a business card, email signature, used on social forums, and so on, and carries minimum rights; thus, if the account is compromised, the blast radius is contained. The other account is private and used exclusively for privileged tasks; because it isn’t exposed externally, this “alternate admin” account helps drive down risk and eliminates anonymous administrator access.

Table 2-2 lists the typical characteristics associated with organizations at phase one of the maturity model.

Phase two: Enhanced
In this phase there is more focus on accountability for staff accessing sensitive systems, apps, and data, minimizing use of admin accounts, and logging in with unique identities associated with a unique user. There is also more focus on host-based controls — to prevent malicious access, better assure identity via MFA, and audit and record privileged session activity.

The move to least privilege can be gradual where privileges are initially granted broadly, using roles that will be tightened over time as the organization matures and defines more stringent roles to reduce risk.

Achieving this objective also includes normalization (reducing excessive privileges) and consolidation (removing additional local privileged accounts for administrators so they have only a centralized account for administrative access).

TABLE 2-2 Typical Characteristics of Organizations at Phase One

PAM maturity dimension: GRC
»» An accurate inventory of administrative privileged accounts and passwords is established.
»» Credentials and secrets are classified.

PAM maturity dimension: Privilege administration
»» All administrative accounts are vaulted, and periodic rotation is automated.
»» Vaulted Active Directory privileged accounts and privileged account groups are tightly controlled.
»» Local administrative accounts are discovered and vaulted.
»» A secure administrative environment for both local and remote sessions is established.
»» An initial privileged access workflow is established for credential checkout.

PAM maturity dimension: IAM
»» Multifactor authentication (MFA) is enforced for vault access, including secret checkout and initiation of remote sessions.
»» Alternate admin accounts are created for admin access to prevent use of normal user accounts associated with public identities.
»» Remote access requires use of separate admin accounts with MFA enforced.

Organizations in this phase include business users, developers, and vendors in addition to domain administrators in their definition of privileged users who should be managed. In addition to implementing a central vault, they expand granular PAM controls to endpoints, including servers and workstations. PAM practices aren’t siloed within the security or IT operations team but instead integrate PAM seamlessly into other areas of IT and software development, even within a high-velocity DevOps environment. PAM can also expand to privileged business users. PAM can govern and control access to software as a service (SaaS) and web apps that aren’t typically used by regular end users and aren’t typically integrated into identity as a service (IDaaS) solutions.

RBAC is the model and practice of restricting access rights based on the roles of individual users across the enterprise. RBAC gives access only to the systems, applications, and information necessary for a user to accomplish specific functions based on their job role, and prevents them from accessing systems, applications, and information that is not relevant or necessary to perform their job role.

During this phase and the next phase, PAM becomes a top priority
within an organization’s security strategy. Organizations at this
level are committed to the continuous improvement of privilege
management practices.

Table 2-3 lists the typical characteristics associated with organizations at phase two of the maturity model.

TABLE 2-3 Typical Characteristics of Organizations at Phase Two

PAM maturity dimension: GRC
»» Local accounts, servers, groups, roles, and security configuration files that may grant privileges are discovered, classified, and managed across all assets.
»» Real-time session monitoring and security access controls policies for endpoints are implemented.
»» Host-based session, file, and process auditing is enforced with integration to a security information and event management (SIEM) platform.
»» Access control request workflows are tied to help-desk tickets through integration with ITSM.

PAM maturity dimension: Privilege administration
»» Basic privilege escalation policies for all endpoints (workstations and servers) are established.
»» Just-in-time, just-enough privileges are established.
»» UNIX/Linux and local administrative credentials, including passwords and Secure Shell (SSH) keys, are vaulted.
»» Remote access controls are extended to vendors and contractors without creating Active Directory accounts.

PAM maturity dimension: IAM
»» MFA is enforced on endpoints for direct login and privilege escalation.
»» Local accounts are eliminated through account consolidation for UNIX/Linux systems.
»» Hard-coded credentials and configuration data are removed from applications and scripts.
»» Privilege management is automated in DevOps workflows and tooling.

Phase three: Adaptive
The key for organizations in phase three of PAM maturity is to increase automation and artificial intelligence (AI), taking the concept of continuous improvement to a higher level.

As such, these organizations fully and automatically manage the entire life cycle of a privileged account, from provisioning and rotation to deprovisioning and reporting. At this stage, PAM systems are fully integrated for an automated defense-in-depth security strategy. PAM controls are layered to break the cyberattack chain at multiple points. Continuous monitoring automatically identifies anomalous privileged account behavior and kicks off appropriate incident response activities.

The most mature PAM programs achieve a holistic security culture. They consider every account a privileged account and have a consolidated view of all accounts, credentials, access, and user permissions, for all types of privileged accounts throughout the organization.

Following discovery and automation activities, governance is extended to the provisioning of new service accounts seamlessly and automatically. This can be managed centrally in Active Directory or through a PAM SaaS platform to increase efficiency and oversight. Accounts are also decommissioned automatically based on policies without causing disruption to critical services or business processes. Organizations establish workflows requiring approval prior to creation of new service accounts. Enforced certification and entitlements for service accounts ensure accountability and ownership. Failed attempts to update new credentials result in automatic rollback to previous credentials.

It isn’t until the adaptive stage of maturity that most organizations get an accurate picture of privileged service accounts and their dependencies.

Table 2-4 lists the typical characteristics associated with an organization at phase three of the maturity model.

TABLE 2-4 Typical Characteristics of Organizations at Phase Three

PAM maturity dimension: GRC
»» Audit data, machine learning, behavioral analytics, and automation are leveraged to detect, track, and alert on threats.
»» Service accounts are discovered and classified, with service account discovery, provisioning, and governance across identity and cloud service providers implemented.
»» Operating systems and application components are hardened.
»» Risk-based analytics are integrated.
»» IGA tools are integrated for attestation reporting and risk-based approvals.

PAM maturity dimension: Privilege administration
»» More granular policies for privilege elevation are established.
»» Onboarding of new managed assets is automated.

PAM maturity dimension: IAM
»» All connections required for privileged operations are mutually authenticated with cryptographic controls.
»» MFA Authenticator Assurance Level 2 (AAL2) is strictly enforced on all privileged accounts.
»» Privileged access is restricted to registered and company-owned endpoints.
»» Privileged access by any client system that isn’t known, authenticated, properly secured, and trusted is prohibited.
»» Dual authorization is required for privileged operations on critical or sensitive systems.

NIST Authenticator Assurance Level 1 (AAL1) is single-factor authentication, most commonly a user ID and password. AAL2 is MFA and provides greater identity assurance due to the requirement for the user to have another factor (such as a physical authenticator) in addition to a user ID and password.

The PAM Maturity Model is based on security industry best practices and Delinea’s work with more than 10,000 customers of all types, ranging from organizations just beginning their PAM journey to the most experienced and advanced PAM users. You can apply lessons and guidance from the model to your cybersecurity strategy regardless of the size of your company, your industry, or the number and type of systems you need to secure. The model helps you navigate your PAM journey based on your own risk drivers, budget, and priorities.

Planning Your PAM Journey

After you’ve determined your organization’s current PAM maturity level using the PAM Maturity Model, you can plan the next steps on your PAM journey. Your PAM journey — and how rapidly you undertake the journey — should reflect your organization’s risk profile.

For some organizations, protecting access to a small number of critical systems has the greatest impact on their overall risk profile. Based on its risk tolerance, a company may implement PAM capabilities for one department, geographical region, or type of privileged account, and never roll them out to the full organization.

As organizations begin to scale and migrate more workloads to the cloud, security risk increases so PAM maturity must keep pace. For example, when organizations grow business functions, they may decide not to — or may not be able to — hire IT staff with cloud experience, which means that the same IT team must manage a broader, more diverse range of IT operations and security. The demand for IT automation in these situations may hasten the need for such organizations to mature their PAM capabilities.

Similarly, rapidly growing organizations tend to work with more vendors, partners, and contractors as they expand into new markets and provide more offerings. Organizations with substantial third-party risk will need to accelerate their maturity faster than others.

Organizations undergoing digital transformation will likely have more services in the cloud and will need mature privilege management of cloud-based servers, DevOps tools, and service accounts.

Finally, organizations subject to regulatory and compliance mandates and cyber insurance requirements will likely prioritize implementing least privilege access policies, MFA, and session monitoring ahead of other capabilities. As they become more mature, they also need to be able to easily customize and share reports with executives and auditors.

Understanding Key Parts of PAM: Vault and Privilege Escalation

PAM is composed of three main elements:

»» Privileged access management (PAM)
»» Privileged session management (PSM)
»» Privilege escalation and delegation management (PEDM)

PAM
Password vaulting is the most common method for securing access with PAM solutions. Within the context of enterprise IT and critical infrastructure, password vaulting refers to taking privileged administrative accounts and passwords out of the direct control of IT staff, and storing them securely in a software vault. The vault then controls who is allowed privileged access, when it’s allowed, and for how long.

A password (or key) vault reduces the risk of privileged access being abused by malicious internal users or external threat actors. The passwords are encrypted in the vault and access is managed via RBAC. The vault may include additional security features, such as scheduled password rotation and a workflow-based access request and approval mechanism to support a just-in-time access control model.

Vaults are an important aspect of PAM. However, a vault alone is not sufficient to protect privileged server access. Vaults restrict direct access to privileged account credentials, but they offer only the most basic control on an all-or-nothing basis. Human users and machines gain access by checking out an administrator account that either has full access privileges or none at all. Vaults do not provide visibility or control of privileged actions performed at the server level.

PSM
PSM refers to managing what someone is allowed to do after
they’ve logged in with a privileged account. There are several
ways organizations use software to manage access on systems or
manage a server session.

Session monitoring is a useful feature of PSM. It typically includes the ability to record videos of privileged sessions and log keystrokes of what’s typed. It even makes it possible for someone to review sessions live or shut the session down if the user is doing something harmful.

PEDM
Privilege elevation and delegation management (PEDM) is the
third element of PAM that provides more granular access controls
than what is typically offered in PAM and PSM tools. PEDM allows
you to apply PSM to both vaulting and elevation — it’s applicable
to both because remote sessions may originate through the vault
or directly with the server.

Least privilege and clean sources (for example, user workstations are not permitted to connect directly to servers; PAM provides isolation between the user workstation and the server infrastructure) are important principles that a PEDM solution enables. These capabilities are particularly important in hybrid or cloud environments.

PEDM solutions reduce the risk posed by credentials with excessive privileges by providing host-based command control filtering and privilege elevation capabilities that allow specific commands to run with a higher level of privileges. Thus, PEDM enables companies to improve their cybersecurity posture by granting only admin rights associated with certain tasks, applications, or scripts on a limited basis. This finely grained control enables organizations to deploy and enforce the principle of least privilege, providing employees and other users with just the right level of access to accomplish their jobs.

By combining PEDM, PAM, and PSM tools in a modern PAM
solution, IT can significantly reduce the number of privileged
accounts throughout the organization. Because privileged
accounts usually possess powerful access capabilities, they can
pose a serious risk if and when compromised by an attacker. By
eliminating or limiting the total number of privileged accounts,
organizations reduce the risk of abuse from malicious insiders
and external threats.

On-Premises Server Security and Modern PAM as a Service

Legacy PAM solutions have traditionally been implemented to protect servers in an on-premises data center. However, as organizations have increasingly adopted cloud technologies, their environments have become a hybrid combination of both on-premises servers and public cloud infrastructure as a service (IaaS) and platform as a service (PaaS) servers.

To address these hybrid environments, modern PAM solutions are increasingly delivered as a service. In a PAM as a service (PAMaaS) model, your PAM software is deployed by experts in the cloud as a fully managed solution complete with built-in high availability and multi-region disaster recovery. Instead of incurring the expense and resources of installing PAM on premises, you can rely on your PAM vendor to manage hosting and updates. Cloud-native PAMaaS solutions also provide tighter integrations with cloud resources to strengthen protection of PAM services in the cloud.

Legacy PAM was designed for the data center when PAM was easier to address with a simpler solution. Modern PAM is designed for hybrid clouds, addressing new use cases resulting from a distributed IT architecture and expanding identities that include a remote workforce. Modern PAMaaS comprises new and intelligent technology such as multi-directory brokering, MFA everywhere, consistent application of least privilege, cross-domain discovery of hybrid cloud resources, service account management, and adaptive and intelligent behavioral analytics.

IN THIS CHAPTER
»» Establishing identity as the starting point for Zero Trust
»» Enabling “just enough” access
»» Taking the next steps on your PAM journey

Chapter 3
Aligning PAM with Security Best Practices

In this chapter, you learn why identity is at the heart of best practices such as Zero Trust and Zero Standing Privileges (ZSP), how the principle of least privilege provides “just enough” access for privileged accounts, and how to take your organization’s privileged access management (PAM) to the next level with advanced capabilities.

Implementing Zero Trust Identity

Zero Trust requires granting least privilege access based on the following:

»» Verifying who requests access
»» Understanding the context of the request
»» Determining the access environment’s risk posture

The first step in Zero Trust is to verify who is requesting access. Is a human at the keyboard? Positively identifying a user or other entity (such as a device, process, service account, and so on) is critical to a successful Zero Trust strategy. You must be certain of who (or what) is requesting access and what access permissions are authorized for that identity.

Identity is key to Zero Trust. In fact, it’s not only a first step, but
an ongoing step in Zero Trust. The identity and associated per-
missions of a user or entity must be verified before granting access
and on an ongoing basis (near continuously in the most robust
Zero Trust implementations) for the duration of the session.

By implementing least-privileged access, organizations minimize their attack surface, improve audit and compliance visibility, and reduce risk, complexity, and costs for the modern, hybrid enterprise.

Zero Trust is the first step in redefining legacy PAM for the modern enterprise IT threat landscape (see Figure 3-1). Organizations must discard the old “trust but verify” model built on perimeter-based network security, which relied on implicit user trust and well-defined logical boundaries. Instead, Zero Trust mandates a “never trust, always verify, enforce least privilege” approach to privileged access from inside or outside the network.

FIGURE 3-1: The shift from legacy PAM to modern PAM, founded on Zero Trust.

Enforcing Least Privilege

The principle of least privilege is a well-established security best practice that describes the concept of limiting user and application access to privileged accounts through various controls and tools, without impacting productivity or requiring IT help-desk support.

Least privilege is intended to prevent “over-privileged access” by users, applications, or services and help reduce the risk of exploitation should user credentials be compromised by an outside attacker or malicious insider. Thus, users are granted only enough authority to complete a specific task or job. The least privilege model can also help curtail costs and increase efficiency.

With least privilege at the core of a PAM solution founded on Zero Trust, this establishes a model of just enough privilege, granted just in time for a limited time.

Least privilege helps break the attack chain (discussed in Chapter 2) at multiple places, including the workstation and servers. Common tactics used to execute the steps of the kill chain during an attack typically include account takeover, workstation compromise, privilege escalation, and vertical movement to the server network.

On the server, privilege elevation and lateral movement is another common tactic leading to data exfiltration or encryption for ransom. Least privilege breaks the kill chain at the workstation and server levels, preventing privilege escalation and vertical and lateral movement.

The workstation is a bigger target than ever due to the rapidly growing remote workforce.

ZSP extends the principle of least privilege further by enabling just enough privilege, granted just in time, for a limited time. ZSP eliminates standing privileges associated with administrative and other accounts with elevated rights.

With ZSP, you strive to eliminate accounts and broad user access
privileges that are essentially “always on.” Removing these types
of accounts is ideal but not always possible (for example, “root,”
local administrator, “oracle,” and so on). Accounts that can’t be
removed should instead be secured in a vault with access strictly
controlled based upon a need-to-know (for example, emergency
or “break glass” use) involving management oversight via a
workflow-based access request and approval mechanism. These
controls help ensure that privileged accounts are available only
to legitimate entities (for example, human users or applications
and services) when they’re needed (just in time), via a password
checkout mechanism.

However, even if you secure these accounts in a vault, the privileges are still attached to them and a residual risk remains. For example, checking out a Windows local administrator account password to configure a printer is overkill, and a malicious actor could abuse such privileges.

One way to mitigate this risk is not to touch the vaulted account passwords, but instead couple just-in-time privileges with privilege elevation. This allows a legitimate user who has minimum privileges to request what they need and then elevate privilege at the time of execution of a command or application (just in time) that requires such rights. The incremental privileges are tied to the command or application — not to the broader login session — and the privileges are automatically revoked when the command completes or the application closes. In this way, just enough privileges via elevation supports the ZSP model.

Enabling Advanced PAM Maturity for Stronger Server Protection

After organizations have implemented least privilege to align with Zero Trust principles, they can begin to enable more advanced PAM capabilities including adaptive multifactor authentication (MFA), just-in-time privilege elevation, advanced session recording, server login analytics, and life-cycle management of service accounts.

Adaptive multifactor authentication

MFA enhances authentication security by requiring additional authentication factors in security policies. Attackers are thus unable to misuse accounts without having access to the physical device or email address needed to complete the authentication process. This ensures the entity attempting to gain access to critical resources is a human user and is legitimate.

Many cyber-insurance companies are now requiring insured entities to require MFA for system login as a prerequisite for coverage due to the rapid rise in security breaches and associated cyber-insurance claims.

However, traditional MFA policies are static (for example, MFA is always enforced, only enforced for certain accounts, or only required when logging in remotely). These policies can quickly become stale and rarely cover all the bases with regard to different risk-based scenarios. Adaptive MFA enables more granularity and control for the organization. For example, authentication profiles can be created for specific users or groups, which allows the organization to be selective about whether to challenge a user with one or more additional factors and which authentication methods to permit. These methods may include

»» Push notifications sent to a smartphone or smart watch
»» One-time passwords (OTPs) sent to a mobile app or via Short Message Service (SMS) text
»» Interactive phone calls
»» Security questions
»» Open authentication (OATH)–based software or hardware tokens
»» Smart cards
»» Universal Serial Bus (USB) public key infrastructure (PKI) keys, including Fast Identity Online (FIDO) Universal 2nd Factor (U2F) and FIDO2 authenticators

FIDO2 is the latest specification from the FIDO Alliance that improves security and productivity and sets the baseline for what is referred to as “passwordless” authentication.

Adaptive MFA enforces risk-aware policies for users who are logging into a workstation or server, initiating a privileged session, or checking out a password. With a combination of risk-level, role-based access controls (RBACs), user context, and MFA, IT teams can enable intelligent, automated, real-time decisions on whether to grant privileged access. These dynamically enforced access policies can grant the user immediate access (that is, “no friction”), prompt for a second factor, or deny access completely, protecting your critical resources even when users’ credentials have been compromised.

The power of analytics and machine learning in adaptive MFA is that it doesn’t rely on static rules (or policies) and can cover situations that static rules can’t. Even situations that haven’t been recognized yet (for example, zero-day exploits) can potentially be flagged if the “user’s” behavior is inconsistent with the baseline.
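The three outcomes described above (no-friction allow, challenge with a second factor, deny) can be made concrete as a small policy engine. The following is an added example, not Delinea’s code or product logic: it scores a request from its context (remote source address, unregistered device, privileged action, distance from the behavioral baseline) and picks the strongest factor the user’s authentication profile permits. The profile names, risk weights, thresholds and network ranges are assumptions constructed for this example.

```python
"""
Adaptive MFA decision engine: an added, illustrative example, not Delinea's
code or product logic. It evaluates a login or privileged-access request
against an authentication profile plus contextual risk signals and returns
one of three outcomes: allow with no friction, challenge with a second
factor, or deny. Profile names, risk weights, thresholds and network ranges
are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed corporate ranges: a request from outside them counts as remote.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed authentication profiles: factors a group is permitted to use,
# strongest (phishing-resistant) first so it is preferred when enrolled.
PROFILES = {
    "server-admins": ["fido2", "oath-totp", "push"],
    "helpdesk": ["push", "oath-totp", "sms-otp"],
}

@dataclass
class AccessRequest:
    user: str
    group: str
    source_ip: str
    device_registered: bool
    action: str                 # "login", "checkout" or "elevate"
    behavior_anomaly: float     # 0.0 = matches baseline, 1.0 = very unusual
    enrolled_factors: List[str] = field(default_factory=list)

@dataclass
class Decision:
    outcome: str                # "allow", "challenge" or "deny"
    score: int
    factor: Optional[str] = None
    reasons: List[str] = field(default_factory=list)

def is_remote(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETWORKS)

def risk_score(req: AccessRequest) -> Tuple[int, List[str]]:
    """Additive risk score from context; the weights are illustrative."""
    score, reasons = 0, []
    if is_remote(req.source_ip):
        score += 30
        reasons.append("remote source address")
    if not req.device_registered:
        score += 30
        reasons.append("unregistered device")
    if req.action in ("checkout", "elevate"):
        score += 20
        reasons.append(f"privileged action: {req.action}")
    if req.behavior_anomaly >= 0.8:
        score += 40
        reasons.append("behavior far from baseline")
    elif req.behavior_anomaly >= 0.5:
        score += 20
        reasons.append("behavior drifting from baseline")
    return score, reasons

def evaluate(req: AccessRequest) -> Decision:
    """Map the score to an outcome. A challenge uses the strongest factor the
    profile permits and the user has enrolled; if there is none, the request
    is denied rather than silently allowed."""
    score, reasons = risk_score(req)
    if score >= 90:
        return Decision("deny", score, None, reasons + ["score at or above deny threshold"])
    if score < 20:
        return Decision("allow", score, None, reasons + ["low risk: no friction"])
    for factor in PROFILES.get(req.group, []):
        if factor in req.enrolled_factors:
            return Decision("challenge", score, factor, reasons)
    return Decision("deny", score, None, reasons + ["no permitted factor enrolled"])

if __name__ == "__main__":
    req = AccessRequest("alice", "server-admins", "203.0.113.5", True, "elevate", 0.2, ["fido2", "push"])
    d = evaluate(req)
    print(d.outcome, d.score, d.factor, d.reasons)
```

Two design points worth noting: the fail-closed branch at the end (a user whose profile permits no factor they have enrolled is denied, not waved through), and the ordering of the profile lists, which is how “which authentication methods to permit” turns into a preference for FIDO2 over SMS for administrators.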

Just-in-time privilege elevation

Just-in-time privilege elevation (that is, ZSP) is a fundamental security practice where the privilege granted to access applications or systems is limited to predetermined periods of time or on an as-needed basis. This helps to minimize the risk of standing privileges that attackers or malicious insiders can readily exploit.

When your IT and business users are allowed standing (unlimited) access to privileged accounts, you introduce significant risks of compromise by cybercriminals or even accidental exposure. With standing access, you’re effectively giving users an open window to critical data and resources. Should they give a password to another user or have their own password compromised, they’re potentially providing total control over a privileged account that would likely remain undetected by conventional cybersecurity safeguards.

To limit risk and exposure, organizations must apply the principle of least privilege (discussed earlier in this chapter), limiting the three major elements of privileged access:

»» Location
»» Actions
»» Timing

Advanced PAM solutions apply a least privilege (“just enough”) strategy by controlling where users can access privileged accounts and what actions they can perform when they have accessed an account. Controlling when access is granted adds the critical time dimension to the security equation. Just-in-time privilege elevation helps to remove the risks associated with standing privileges.

PAM solutions provide a “request access” feature to enable users to request access to privileged systems, applications, information, or other functions, for a specified time. Other features such as “checkout” automatically rotate credentials whenever a checkout time period ends. These features effectively apply the concept of just-in-time access in the context of a robust PAM solution.

In more basic just-in-time implementations, PAM solutions limit the time frame a single user can have access to an account and rotate the credentials after the user checks in the account or the specified time expires. This ensures that the credentials are unknown to whoever just used them, and the risk of privilege abuse is significantly reduced.

In more advanced just-in-time implementations, the PAM solution will rotate the passwords and move accounts in and out of privileged groups on demand or create brand-new accounts and delete them at the end of the checkout window. The PAM solution may create a short-lived (that is, “ephemeral”) account, OATH token, or Secure Shell (SSH) certificate for the user to log into a server, which is revoked or destroyed when the session ends. Just-in-time protects privileged access even in the case where an attacker can compromise the password to the account. The account is rendered useless or is completely eliminated when applying the just-in-time methodology.
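The checkout-and-rotate behavior described in this section, and the earlier point that just-in-time privileges are revoked automatically once the window closes, come down to one property: a credential issued for a window must stop working when the window ends. The following added example (not Delinea’s code) models that with an in-memory vault. The account is checked out for a limited time, the password is rotated the moment the window expires or the user checks the account in, and a captured password therefore fails afterwards. The vault, the injected clock (plain seconds) and the account names are constructed for this example; a real PAM solution also rotates the password on the target system itself.

```python
"""
Just-in-time checkout with automatic rotation: an added example, not
Delinea's code. A vaulted account is checked out for a limited window and
the credential the user received is rotated the moment the window ends or
the account is checked in, so a password captured during the session is
useless afterwards. The in-memory vault, the injected clock (seconds) and
the account names are constructed for this example.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Checkout:
    user: str
    account: str
    secret: str
    expires_at: int          # clock value after which the grant is void

@dataclass
class JitVault:
    current_secret: Dict[str, str] = field(default_factory=dict)   # account -> live password
    checkouts: Dict[str, Checkout] = field(default_factory=dict)   # account -> active grant
    audit: List[Tuple[int, str, str, str]] = field(default_factory=list)

    def add_account(self, account: str) -> None:
        self.current_secret[account] = secrets.token_urlsafe(24)

    def rotate(self, account: str, reason: str, now: int) -> None:
        """Replace the password; anything issued before is now invalid."""
        self.current_secret[account] = secrets.token_urlsafe(24)
        self.audit.append((now, "rotate", account, reason))

    def expire(self, now: int) -> None:
        """Close every window that has ended; runs before any operation."""
        for account, co in list(self.checkouts.items()):
            if now >= co.expires_at:
                del self.checkouts[account]
                self.rotate(account, f"checkout by {co.user} expired", now)

    def checkout(self, user: str, account: str, ttl_seconds: int, now: int) -> Checkout:
        """Grant time-bound access; one user holds an account at a time."""
        self.expire(now)
        if account in self.checkouts:
            holder = self.checkouts[account].user
            raise PermissionError(f"{account} is already checked out by {holder}")
        co = Checkout(user, account, self.current_secret[account], now + ttl_seconds)
        self.checkouts[account] = co
        self.audit.append((now, "checkout", account, user))
        return co

    def checkin(self, user: str, account: str, now: int) -> None:
        """Early return of the account triggers rotation immediately."""
        self.expire(now)
        co = self.checkouts.get(account)
        if co is None or co.user != user:
            raise PermissionError("no matching checkout to return")
        del self.checkouts[account]
        self.rotate(account, f"checked in by {user}", now)

    def authenticate(self, account: str, secret: str, now: int) -> bool:
        """Stands in for the target system validating a presented password."""
        self.expire(now)
        return secrets.compare_digest(self.current_secret.get(account, ""), secret)

if __name__ == "__main__":
    vault = JitVault()
    vault.add_account("root@db01")
    grant = vault.checkout("alice", "root@db01", ttl_seconds=600, now=1000)
    print("inside window :", vault.authenticate("root@db01", grant.secret, now=1500))
    print("after expiry  :", vault.authenticate("root@db01", grant.secret, now=1700))
    for entry in vault.audit:
        print(entry)
```

The audit list is the part an auditor cares about: every rotation records why it happened (expiry or check-in) and every checkout records who held the account, which is what ties a privileged session back to a person once the shared password itself has been rotated away.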

Advanced session recording

Privileged session management (PSM) establishes login sessions (typically injecting vaulted credentials), provides full session recording, and potentially includes the ability to pause or terminate suspicious sessions. Session recording can be done in two places: at the vault (proxy) and on the server via privilege elevation and delegation management (PEDM), discussed in Chapter 2. If the vault is circumvented, you need session recording on the server to ensure visibility into privileged activities. You also get more granularity on the server (for example, capture shell and process-level events).

Advanced session recording includes the ability to record videos of privileged sessions and log keystrokes of what’s typed. It even makes it possible for someone to review sessions live or shut down the session if the user is doing something malicious or risky.

Server-level session recording is part of a PEDM solution; it complements privileged account and session management (PASM) vaulting, which provides proxy session recording, an essential capability in its own right.

Risk-based analytics

Risk-based analytics provide valuable insights into what actions users or entities perform with privileged access. This information is used to train machine learning algorithms to support MFA by looking at user behavior. Risk-based analytics can be applied at multiple access control gates, including the following:

»» Vault: Login, secret/credential checkout, session initiation
»» Server: Login, privilege elevation

Instead of relying strictly on predefined rules to define what kinds of behavior are acceptable, risk-based analytics allows the IT security team to measure and determine what should be considered normal behaviors. This gives them a baseline to help spot abnormal activity when it occurs and respond accordingly. Thus, risk-based analytics provides situational awareness for tracking user activity that deviates from the norm and assists analysts in knowing what to look for in the event of a breach.

Modern PAM uses machine learning, algorithms, and statistical analysis to establish baseline behaviors that reflect the normal activity. Deviations from these behaviors are highlighted as potential security threats. Risk-based analytics can also aggregate data reports and logs and analyze file, flow, and packet information.

The concept of risk-based analytics is similar to monitoring spending patterns that credit card companies rely on to detect fraud. Suppose a card and user credentials are lost or stolen and a thief starts using the card to make big-ticket purchases. In that case, the sudden change in purchasing behavior is a red flag triggering an alert and possibly suspending card activity.

Casting a broad net, risk-based analytics goes beyond tracking events or devices to monitor all users on the network along with servers, applications, and devices. It has proven particularly useful for identifying insider threats from employees who may be abusing their privileges or had their credentials compromised. This includes contractors and third parties that have access to sensitive data.
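The baseline-then-deviation idea in this section is easier to evaluate with a concrete, if small, implementation. The following added example (not Delinea’s analytics engine) learns, per user, the usual login hour, source hosts, servers and elevated commands from a training window of server-gate events (login and privilege elevation, the second gate in the list above), then scores later events by how far they fall from that baseline. The log lines and their field layout are constructed for this example, and the weights and the three-sigma hour test are assumptions; a product would use richer features and a longer window.

```python
"""
Baseline-and-deviation analytics over privileged-access events: an added
example, not Delinea's analytics engine. It learns, per user, the usual
login hour, source hosts, servers and elevated commands from a training
window, then scores later events by how far they fall from that baseline.
Log lines and their field layout ("timestamp user source_host server event
detail") are constructed for this example; weights are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed training window: one user's normal week on two servers.
TRAINING_LOG = """\
2022-03-01T09:12:00 alice wks-alice db01 login ssh
2022-03-01T09:40:00 alice wks-alice db01 elevate systemctl
2022-03-02T10:05:00 alice wks-alice db01 login ssh
2022-03-02T10:30:00 alice wks-alice db02 elevate journalctl
2022-03-03T08:55:00 alice wks-alice db01 login ssh
2022-03-03T09:20:00 alice wks-alice db01 elevate systemctl
2022-03-04T09:30:00 alice wks-alice db02 login ssh
2022-03-04T09:45:00 alice wks-alice db02 elevate systemctl
"""

# Constructed later events: a 3 a.m. session from an unfamiliar host that
# elevates with a command never seen before, plus a user with no baseline.
NEW_LOG = """\
2022-03-10T03:10:00 alice vpn-gw-7 db01 login ssh
2022-03-10T03:15:00 alice vpn-gw-7 db01 elevate rsync
2022-03-10T09:30:00 alice wks-alice db01 login ssh
2022-03-10T09:35:00 bob wks-alice db01 login ssh
"""

def parse(log_text: str) -> List[Dict]:
    events = []
    for line in log_text.strip().splitlines():
        ts, user, src, server, event, detail = line.split()
        events.append({"hour": int(ts[11:13]), "user": user, "src": src,
                       "server": server, "event": event, "detail": detail})
    return events

def build_baseline(events: List[Dict]) -> Dict[str, Dict]:
    """Per-user profile: hour mean/spread plus the sets of things seen."""
    seen = defaultdict(lambda: {"hours": [], "hosts": set(), "servers": set(), "commands": set()})
    for e in events:
        p = seen[e["user"]]
        p["hours"].append(e["hour"])
        p["hosts"].add(e["src"])
        p["servers"].add(e["server"])
        if e["event"] == "elevate":
            p["commands"].add(e["detail"])
    baseline = {}
    for user, p in seen.items():
        # Floor the spread at one hour so a very regular user does not make
        # every minor shift look extreme.
        baseline[user] = {"hour_mean": mean(p["hours"]), "hour_sd": max(pstdev(p["hours"]), 1.0),
                          "hosts": p["hosts"], "servers": p["servers"], "commands": p["commands"]}
    return baseline

def score_event(event: Dict, baseline: Dict[str, Dict]) -> Tuple[int, List[str]]:
    """Return (score, reasons). A user with no baseline is itself a strong signal."""
    p = baseline.get(event["user"])
    if p is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    z = abs(event["hour"] - p["hour_mean"]) / p["hour_sd"]
    if z > 3:
        score += 40
        reasons.append(f"hour {event['hour']:02d} is {z:.1f} sd from the usual time")
    if event["src"] not in p["hosts"]:
        score += 30
        reasons.append(f"new source host {event['src']}")
    if event["server"] not in p["servers"]:
        score += 20
        reasons.append(f"first access to {event['server']}")
    if event["event"] == "elevate" and event["detail"] not in p["commands"]:
        score += 30
        reasons.append(f"new elevated command {event['detail']}")
    return score, reasons

def flag_anomalies(log_text: str, baseline: Dict[str, Dict], threshold: int = 50) -> List[Tuple[Dict, int, List[str]]]:
    flagged = []
    for e in parse(log_text):
        score, reasons = score_event(e, baseline)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged

if __name__ == "__main__":
    base = build_baseline(parse(TRAINING_LOG))
    for e, score, reasons in flag_anomalies(NEW_LOG, base):
        print(f"{score:3d} {e['user']}@{e['server']} {e['event']}: {'; '.join(reasons)}")
```

The score from `score_event` is exactly the kind of per-event risk signal an adaptive MFA policy can consume: the normal 09:30 login from the usual workstation scores zero and gets no friction, while the 03:15 elevation from an unknown host with an unseen command scores 100 and would be challenged or denied.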

Life-cycle management of service accounts

Service accounts run critical scheduled tasks, batch jobs, application pools, and more across a complex network of databases, applications, and file systems both on premises and in the cloud.

Despite their importance and critical dependencies, service accounts become stale and vulnerable without ongoing management. Plus, privileged credentials are often shared across service accounts, so access to one service provides access to many, expanding your attack surface and increasing your risk.

Management of service accounts is often neglected because updating or changing credentials is risky. It’s difficult, if not impossible, for many IT and security departments to map and keep track of business services that rely on these accounts. However, service accounts need the same level of oversight as privileged accounts tied to human identities.

Make sure new service accounts adhere to PAM best practices, including the following:

»» Store service accounts in a central vault.
»» Create unique, complex passwords that automatically rotate and expire.
»» Document service account dependencies.
»» Eliminate local service accounts, if possible (for example, use a single/centralized account in Active Directory or a vault).
»» Assign owners and approvers as responsible parties.

Many UNIX/Linux apps support Pluggable Authentication Modules that allow use of an Active Directory or Lightweight Directory Access Protocol (LDAP) account instead of a local account for authentication.
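The practices above can be turned into an audit that runs against a service account inventory; the shared-credential case is the one that is hard to see by eye and the one the section singles out as expanding the attack surface. The following is an added example, not Delinea’s code: it checks each account for vaulting, credential uniqueness (by comparing keyed fingerprints rather than secrets), rotation age against a policy limit, documented dependencies, an assigned owner and approver, and local versus directory scope. The inventory records, the 90-day rotation policy and the fingerprinting are constructed for this example; in practice the fingerprint would be computed by the vault, never from plaintext held in a script.

```python
"""
Service account hygiene audit: an added example, not Delinea's code. It
checks an inventory of service accounts for vaulting, credential uniqueness,
rotation age, documented dependencies, ownership, and local-vs-directory
scope. Records, the 90-day policy and the fingerprints are constructed for
this example; a real fingerprint would come from the vault, not plaintext.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

MAX_ROTATION_AGE_DAYS = 90   # assumed policy value

def fingerprint(secret: str) -> str:
    """Keyed hash so duplicate credentials can be found without keeping secrets."""
    return hashlib.sha256(b"inventory-fingerprint-key:" + secret.encode()).hexdigest()[:16]

# Constructed inventory. "scope" is "AD" for a directory account or
# "local@<host>" for a local one; "credential_fp" is the secret's fingerprint.
INVENTORY = [
    {"name": "svc-backup", "scope": "AD", "vaulted": True, "owner": "alice", "approver": "bob",
     "rotation_age_days": 12, "dependencies": ["backup-cron@db01"],
     "credential_fp": fingerprint("sample-secret-A")},
    {"name": "svc-etl", "scope": "local@db02", "vaulted": False, "owner": "", "approver": "",
     "rotation_age_days": 400, "dependencies": [],
     "credential_fp": fingerprint("sample-secret-B")},
    {"name": "svc-report", "scope": "local@app01", "vaulted": True, "owner": "carol", "approver": "bob",
     "rotation_age_days": 45, "dependencies": ["report-job@app01"],
     "credential_fp": fingerprint("sample-secret-B")},   # same secret as svc-etl
]

def audit(inventory: List[Dict], max_age: int = MAX_ROTATION_AGE_DAYS) -> Dict[str, List[str]]:
    """Return {account: [finding, ...]}; accounts with no findings are omitted."""
    holders = defaultdict(list)             # fingerprint -> accounts using it
    for acct in inventory:
        holders[acct["credential_fp"]].append(acct["name"])
    findings: Dict[str, List[str]] = defaultdict(list)
    for acct in inventory:
        n = acct["name"]
        if not acct["vaulted"]:
            findings[n].append("not stored in the central vault")
        peers = sorted(p for p in holders[acct["credential_fp"]] if p != n)
        if peers:
            findings[n].append(f"credential shared with {', '.join(peers)}")
        if acct["rotation_age_days"] > max_age:
            findings[n].append(f"not rotated for {acct['rotation_age_days']} days (policy: {max_age})")
        if not acct["dependencies"]:
            findings[n].append("dependencies undocumented; rotation impact unknown")
        if not acct["owner"] or not acct["approver"]:
            findings[n].append("no owner or approver assigned")
        if acct["scope"].startswith("local@"):
            findings[n].append("local account; prefer a centralized AD/LDAP account")
    return dict(findings)

if __name__ == "__main__":
    for name, items in audit(INVENTORY).items():
        print(name)
        for item in items:
            print("  -", item)
```

Note that an account can look healthy on its own (svc-report is vaulted, owned and rotated) and still be a finding because another, unmanaged account shares its credential; that is the “access to one service provides access to many” case, and it only shows up when the audit is run across the whole inventory rather than one account at a time.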

GLOBAL ORGANIZATION LEVERAGES DELINEA

A large American organization with a global presence was having trouble controlling its privileged access. The company adopted Delinea Privileged Access Management (PAM), implementing a limited number of licenses meant to cover their most critical — and frequently audited — systems.

Eventually the company extended Delinea PAM across its entire infrastructure to better manage access and privilege, significantly enhance security, and alleviate pressure on IT staff.

Challenges

When the company’s lead security analyst joined in 2018, a small group of servers was under the control and management of the Delinea solution. The remaining 1,500 servers were still using local accounts for access and sudo to elevate privilege. The result was an increasingly difficult-to-manage, insecure environment.

“Every time a user requested access to a server that wasn’t managed by Delinea, we created a new local account,” says the lead security analyst. “But those accounts add up fast, and with only three technicians tasked with managing them, it quickly became a nightmare — not to mention the fact that every new local account adds another element of risk to the environment.”

As part of a cybersecurity initiative, the company undertook an extensive evaluation of their infrastructure to identify and address their most critical issues. They found that, despite the focus on compliance to industry standards and government regulations, they were overlooking several key best practices.

Sessions that were directly connected to target systems had no privilege management component in place. Specific privileges within systems were granted and revoked manually. A manual process was also used for privilege elevation.

Most of the company’s operations teams still used root access to perform their duties, which undermined the company’s ability to understand who had access to which systems, when they had it, and where they were located.

The company was using a competitive product to perform some key security elements, but it didn’t provide all the features necessary to maintain a strong security posture.

Given the large number of servers and the complexities of managing local accounts manually, it decided to implement a PAM solution across the remaining infrastructure.

Solution

The company needed to manage user access across its entire Linux environment. It needed to easily grant and rescind privileges, and it needed the ability to tie every action taken with a specific person in order to illustrate accountability to auditors. It identified the following features as essential:

• Centralized authentication: The solution would need to centralize discovery, management, and user administration for Linux and UNIX systems through Active Directory.
• Multifactor authentication (MFA): MFA would be required at both the vault and server level, so the solution would need to coexist with the company’s existing vault technology.
• Least privilege: The solution would need to provide just enough privilege, granted just in time and for a limited time only. A secure, automated process of privilege elevation would grant administrators the ability to perform tasks without a root password.
• Compliance: The solution would need auditing and reporting capabilities to prove an existing secure access methodology and adherence to Payment Card Industry (PCI), General Data Protection Regulation (GDPR), and multiple countries’ privacy laws.

Having already executed a full product evaluation process just a few years earlier, the company opted to expand Delinea across the entire environment.

The rollout across the remaining environment took approximately 18 months. An interview process that involved users, application owners, and those responsible for servers was used to analyze thousands of legacy local accounts, and to determine current access and privilege requirements across the organization.

Results

With the expansion of the Delinea solution, the company’s nearly 2,000 servers now fully leverage Active Directory. User accounts are centrally managed through Delinea PAM, and that has resulted in the removal of thousands of local accounts from UNIX servers, dramatically simplifying the identity management process while improving the company’s risk profile.

Adding and removing individual access from a central location has eliminated the need to scan thousands of servers to determine access rights. It also ensures that each individual has a consistent user ID throughout the environment. With appropriate Delinea PAM roles centrally managed from Active Directory, administrators can access any Linux system using their personal Active Directory account. Privileged activity is no longer anonymous but is tied back to a unique individual.

IN THIS CHAPTER
»» Using the PAM Maturity Model
»» Selecting a complete PAM solution that provides full visibility
»» Implementing Zero Trust, least privilege, and multifactor authentication
»» Choosing PAMaaS and leveraging automation and machine learning
»» Leveraging policy-based controls
»» Extending PAM to all your privileged accounts
»» Training and empowering your users

Chapter 4
Ten Keys to a Successful PAM Journey

Here are ten tips to help you plan and execute a successful privileged access management (PAM) journey for your on-premises and cloud server resources.

Embrace the PAM Maturity Model

To better understand your existing security posture, your future desired state, and the gaps you must close in your organization’s PAM maturity, use the Delinea PAM Maturity Model (see Chapter 2) to help guide the steps in your PAM journey.

Understand the different phases and dimensions of PAM maturity and their contribution to driving down risk to help you prioritize and align your budget and resources.

Recognize That Comprehensive PAM Requires Vaulting and Privilege Elevation

A complete PAM solution requires both privileged account and session management (PASM) and privilege elevation and delegation management (PEDM) to protect your business against data breaches. Take the next logical step in PAM maturity. Build on a solid foundation of password vaulting with privilege elevation to enable self-protect capabilities in your servers.

Cybercriminals exploit elevated privileges to compromise servers, move laterally across your network, and exfiltrate and encrypt your data for ransom. A comprehensive PAM solution is the antidote.

You Can’t Effectively Manage and Protect What You Can’t See

Without complete visibility of your hybrid IT environment — including on-premises and public cloud servers — you can’t protect your enterprise. Continuous discovery in a modern PAM solution gives you visibility into servers and privileged accounts across your hybrid IT infrastructure.

Ensuring complete visibility enables proactive oversight. You should actively monitor and routinely audit any privileged user accounts that have elevated permissions to spot illicit activity and to de-authorize or deprovision user accounts that no longer require elevated permissions.

Evaluate your privileged user accounts to set appropriate expiration dates. This policy helps prevent what’s known as privileged access creep, where users accumulate privileges over time that may not still be required. Review and disable privileged accounts or granular privileges that aren’t appropriate for specific users — especially for accounts used by third-party contractors that are no longer needed. This kind of entitlement certification process is often performed in a third-party Identity Governance and Administration (IGA) solution, requiring an integration to PAM so entitlement changes are fed into the PAM solution.
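The entitlement certification the paragraph above describes (expiration dates, privileges that sit unused, contractor grants that outlive the engagement) can be expressed as a small review routine over an entitlement export. The following is an added example, not Delinea’s or any IGA product’s logic: it returns the items a certification campaign would raise, distinguishing grants that should be revoked outright from grants whose owner must reconfirm them. The records, dates and the 60-day unused window are constructed for this example.

```python
"""
Entitlement certification for privileged access creep: an added example, not
Delinea's or an IGA product's logic. Given privileged entitlements with
expiry, last-use and contract-end dates, it produces the review items a
certification campaign would raise: expired grants, contractor grants past
the engagement, and grants unused longer than a policy window. Records,
dates and the window are constructed for this example.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

UNUSED_WINDOW_DAYS = 60   # assumed policy: unused this long means the owner must recertify

# Constructed sample entitlements; dates are ISO strings as an export would carry them.
ENTITLEMENTS = [
    {"user": "alice", "type": "employee", "role": "db-admin@db01",
     "expires": "2022-12-31", "last_used": "2022-05-30", "contract_end": None},
    {"user": "alice", "type": "employee", "role": "root-equivalent@app03",
     "expires": "2022-12-31", "last_used": "2022-01-15", "contract_end": None},
    {"user": "vendor1", "type": "contractor", "role": "sudo@web01",
     "expires": "2022-12-31", "last_used": "2022-05-28", "contract_end": "2022-04-30"},
    {"user": "bob", "type": "employee", "role": "backup-operator@db02",
     "expires": "2022-03-31", "last_used": "2022-05-29", "contract_end": None},
]

def _d(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None

def certify(entitlements: List[Dict], today_iso: str,
            unused_window_days: int = UNUSED_WINDOW_DAYS) -> List[Tuple[str, str, str, str]]:
    """Return review items as (user, role, action, reason).
    'revoke' means disable now; 'recertify' means the owner must reconfirm."""
    today = date.fromisoformat(today_iso)
    window = timedelta(days=unused_window_days)
    items = []
    for e in entitlements:
        # Order matters: an expired or out-of-contract grant is revoked even if
        # it was used recently, since recent use of a lapsed grant is the problem.
        if _d(e["expires"]) < today:
            items.append((e["user"], e["role"], "revoke", "grant expired"))
            continue
        end = _d(e["contract_end"])
        if e["type"] == "contractor" and end and end < today:
            items.append((e["user"], e["role"], "revoke", "contract ended"))
            continue
        idle = today - _d(e["last_used"])
        if idle > window:
            items.append((e["user"], e["role"], "recertify", f"unused for {idle.days} days"))
    return items

if __name__ == "__main__":
    for user, role, action, reason in certify(ENTITLEMENTS, "2022-06-01"):
        print(f"{action:10s} {user:8s} {role:24s} {reason}")
```

The two revoke cases in the sample (bob’s grant that expired in March but is still in use, and the contractor whose engagement ended in April) are precisely the ones a recent-activity view hides, which is why the check runs on the grant’s own dates before it looks at usage.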

Perform a data risk assessment to identify privileged accounts that have access to sensitive data and the users who have access to them; then take steps to not only harden the application housing the data but also limit access by regular accounts. Ensure those accounts are subject to higher security scrutiny and protocols.

Start with Zero Trust Identity and Least Privilege

Implement Zero Trust identity and enforce the principle of least privilege (both discussed in Chapter 3) to eliminate over-privileged access for users, applications, and services in your hybrid IT environment.

Limit privileged account access through a least-privilege strategy, meaning privileges are only granted at the level necessary. Enforce least privilege on workstations by keeping them configured to a standard user profile and automatically elevating their privileges to run only approved applications.

For IT users with administrative privileges, control access and implement super-user privilege management for Windows and UNIX/Linux systems across your hybrid cloud infrastructure.

Enforce Multifactor Authentication Everywhere

Multifactor authentication (MFA) is becoming increasingly commonplace; it’s now often required to log into standard user accounts as well as privileged accounts. MFA significantly enhances access security, and broad adoption is a good thing.

For your privileged accounts, consider implementing adaptive MFA or conditional access (CA) policies to further enhance privileged account security. For example, you can restrict remote privileged access to specific IP addresses or IP address ranges, company-owned and registered workstations, and other factors.

Requiring a hardware authenticator token or software authenticator such as Microsoft Authenticator or Google Authenticator provides stronger MFA assurance than an email or Short Message Service (SMS) text passcode. Particularly for administrator access, use of phishing-resistant second factors such as Fast Identity Online (FIDO) authenticators (discussed in Chapter 3) is recommended.

Choose a Future-Proof PAM-as-a-Service Solution

Avoid the cost, complexity, and risk of point solutions that incur massive technical debt. Instead, choose a modern PAM as a service (PAMaaS) solution designed to support your evolving business and satisfy hybrid-cloud use cases.

Leverage Automation and Machine Learning

As attacks become more sophisticated and response time becomes even more critical, leverage machine learning and behavioral analytics for adaptive, real-time anomaly detection. Use automation to accelerate privilege management workflows and implement runbooks.

Implement Policy-Based Access Controls

Implement a structured security process that details which types of users should have access to which resources.

Share a formal policy for privileged accounts to ensure accountability. Review and update it at least once a year, if not more often. Policies should be based on the categorization and classification of privileged user accounts specific to your organization. Rely on purpose-built security policy documents rather than starting from scratch.

Control new privileged user account creation with a formal review and approval process. The creation of any new privileged user account should be subject to specific reviews and approvals involving a peer, supervisor, or security review.

Privileged account access should be limited by time, geographical location, the scope of permissions, and approval needed.

Users might need access to some accounts for a limited time. Provide a mechanism for them to request “on-demand” or “just-in-time” access to these accounts; then revoke access automatically after a specified time has elapsed.

Protect All Your Privileged Accounts

Just as privileged accounts used by human admins must be protected, so too must accounts used by applications, services, and DevOps. These types of privileged accounts often slip through the cracks because they aren’t used on a daily basis by humans to log in to a server, so a breach or anomaly is less likely to be detected through traditional methods. DevOps teams often use infrastructure as code (IaC) and orchestration to rapidly deploy hundreds (or even thousands) of virtual servers and containers that may only persist for a few seconds or minutes — just enough time for a skilled attacker with stolen privileged credentials to gain a foothold in your environment.

Here are some examples of common, but often overlooked, privileged accounts to include in your PAM strategy:

»» Domain admin and domain service accounts
»» Local administrator accounts
»» Emergency “break glass” accounts
»» Service accounts
»» Application accounts
»» Privileged-data user accounts
»» Root accounts
»» Accounts used to access security tools, such as virtual private networks (VPNs)
»» Wi-Fi accounts
»» Hardware accounts, such as basic input/output system (BIOS) and Intel vPro
»» Network and security equipment accounts

Increase Awareness and Empower Employees

With more sophisticated social engineering and phishing attacks, and with more personal devices used for business purposes, you must regularly train your employees to create a secure culture.

Provide PAM training to employees who will be using and are accountable for privileged accounts. PAM training should emphasize the importance of privileged account security and include IT security policies specific to your organization. Make sure you get buy-in from your executive team (remember, in a mature PAM organization, executive accounts with access to sensitive data are covered by PAM) by training them as well.
