
Iraje PAM GRC Report for April 2023

GRC
Governance Risk Compliance

Prepared by: Sneha Thakur


MOM

Date: 21-April-2023
Attendees: Sneha Thakur, Dilip Parmar, Umang Mehta

Sr# | Task | By Whom | By When | Status
1 | PAM User reconciliation (AD automation is recommended) | Nayara | TBD |
2 | Update configuration file for change password request workflow | Iraje | 03rd May, 2023 | Closed
3 | Password request workflow testing | Iraje | 03rd May, 2023 | Closed
4 | Review password enforcement | Iraje / Nayara | TBD | WIP
5 | BCP drill demo | Iraje | 25th April, 2023 | Closed
6 | Enable agent tampered alerts | Iraje | 03rd May, 2023 | WIP
7 | Enable vod backup | Iraje | 03rd May, 2023 | Closed

The above is the MOM for the review that took place last month (March 2023).
GRC Report: Why do we need it?
The main purpose of this report is to cover the following:

• Risk
• Responsibility
• Compliance
• Governance


Iraje PAM Capabilities
PAM Platform Information
The table below shows the working status of the PAM servers deployed in your environment, their installed and latest available versions, and the OS patching summary.

Server Role | Status | Installed Version | Latest Available Version | OS patching summary
PAM Primary | Working | Version - 8.3.04 | Version - 8.3.04 | 24th April, 23
PAM DC Vault | Working | Oracle 21c | Oracle 21c | 07th March, 23
PAM DC Vault 2 | Working | Oracle 21c | Oracle 21c | 07th March, 23
PAM Active | Working | Version - 8.3.04 | Version - 8.3.04 | 24th April, 23
PAM DR | Working | Version - 8.3.04 | Version - 8.3.04 | 27th March, 23
PAM DR Vault | Working | Oracle 21c | Oracle 21c | 07th March, 23

Please note: Above data is generated on 19th May, 2023


License Consumption Summary

                    Users   Connections
Entitled            250     2700
Used                250     2236
Remaining Licenses  0       464

Please note: Above data is generated on 19th May, 2023


Types of User integrated

Type of Auth (Used : 250)
• AD : 248
• i-Auth : 2

i-Auth User Risk
• Local Authentication
• The default password expiry policy enabled for i-Auth users is 30 days
• Account lockout policy is unavailable for i-Auth

AD Users
• Enabled : 250

Potential benefits for the client
Ensure to have AD integrated IDs only.

Note : i-Auth is designed for PAM SUPER administration in version 7.5. The above i-Auth risks are mitigated in the latest PAM version 8.

The attached file consists of the list of users integrated in PAM.
List of admin users (attachment)

Please note: Above data is generated on 19th May, 2023


Management Comment :
Password Enforcement Summary
Open passwords are at Risk

Password reuse is one of the main reasons why passwords have been questioned as an effective measure to protect accounts and systems against intrusion.
The practice is extremely risky because it lets a malicious actor access numerous accounts with a single string of characters, steal confidential and valuable data, and extort the ordinary user.
This type of problem can be especially devastating for organizations, which handle a variety of information every day and can face legal proceedings if they do not comply with legislation such as the LGPD, which determines how the personal data of their customers, employees, and suppliers should be handled.

Potential benefits for the client


Password vaulting is a time-saving solution that stores all passwords in one place. No more time wasted remembering where you wrote down your passwords. Password vaulting works autonomously without any external data transfers to eliminate privacy and data leak risks. With Password Vault you'll never lose a password again!
Password Enforcement Status (Graphical)

The above chart represents next ACP cycle

Please note : Above graph shows graphical representation of password enforcement from PAM for April 2023
Management Comment :
Manage Hidden Devices

This capability helps you find out connection types. Iraje PAM provides in-depth information about IAM for privileged IDs. Below is the status of users and devices integrated with PAM.

Below is the status of device scanning on sample network segments.
• Configured devices : 159 (Data based on sample)
• Not Configured devices : 185

Risks :
• 185 non-PAM devices are at high risk *
• High risk on default ports: SSH, RDP, TELNET and HTTP *

Potential benefits for the client

• A mixed-mode environment was detected; for better security and hardening, the environment must follow one standard: either SSH or SSH key, and either HTTP or HTTPS.
• Ensure that the Test, UAT, DEV and Production environments are all in PAM for complete visibility.
Management Comment :
User Non-Compliance Summary

As per the non-usage data from PAM, approximately 4% of the users have not logged in for more than 120 days.

Potential Benefits for the client

By finding out the last usage, the client can reconcile users and utilize the remaining application licenses.
The client can also optimize the usage of the application to improve governance in the organization.
User Non-Compliance (Graphical)

The above chart displays the users' login status in PAM over the last 120 days. We have also observed that around 8 users have never logged into PAM. The attached Excel sheet below lists the users who have not logged into PAM.

Non usage report
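The non-usage check above, and the i-Auth risks listed under "Types of User integrated" (local authentication, 30-day password expiry, no lockout policy), are both reconciliation passes over the PAM user inventory. The following is an added example of such a pass, not code from the report or from Iraje PAM: it takes a constructed user list with hypothetical names, applies the report's 120-day threshold and 30-day i-Auth expiry, and works out how many licences a cleanup would free. The `PamUser` fields, the sample users and the entitlement figure of 10 are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_DAYS = 120               # non-usage threshold used in the report
IAUTH_PASSWORD_MAX_AGE = 30      # default i-Auth password expiry (days) stated in the report
REPORT_DATE = date(2023, 5, 19)  # the "data generated on" date from the report


@dataclass
class PamUser:
    name: str
    auth_type: str                       # "AD" or "i-Auth" (local authentication)
    enabled: bool
    last_login: Optional[date]           # None means the user never logged in
    password_set: Optional[date] = None  # tracked here only for i-Auth users


# Constructed sample inventory (hypothetical names, not the client's users).
SAMPLE_USERS = [
    PamUser("alice", "AD", True, date(2023, 5, 10)),
    PamUser("bob", "AD", True, date(2023, 1, 5)),
    PamUser("carol", "AD", True, None),
    PamUser("dave", "AD", False, None),                            # disabled: consumes no licence
    PamUser("iradm1", "i-Auth", True, date(2023, 5, 18), date(2023, 3, 1)),
    PamUser("svc_break", "i-Auth", True, date(2023, 5, 1), date(2023, 4, 25)),
]


def dormant_users(users, today=REPORT_DATE, threshold_days=DORMANT_DAYS):
    """Split enabled users into those who never logged in and those idle past the threshold."""
    cutoff = today - timedelta(days=threshold_days)
    never = [u.name for u in users if u.enabled and u.last_login is None]
    stale = [u.name for u in users
             if u.enabled and u.last_login is not None and u.last_login < cutoff]
    return never, stale


def iauth_findings(users, today=REPORT_DATE, max_age=IAUTH_PASSWORD_MAX_AGE):
    """Flag enabled local (i-Auth) users: they bypass AD and, per the report, have no lockout policy."""
    findings = []
    for u in users:
        if u.auth_type != "i-Auth" or not u.enabled:
            continue
        age = (today - u.password_set).days if u.password_set else None
        findings.append({
            "user": u.name,
            "password_age_days": age,
            "password_expired": age is not None and age > max_age,
            "lockout_policy": False,   # i-Auth has no account lockout policy
        })
    return findings


def license_summary(users, entitled, today=REPORT_DATE):
    """Entitled/used/remaining licences plus the ones a non-usage cleanup would free."""
    never, stale = dormant_users(users, today)
    used = sum(1 for u in users if u.enabled)
    reclaimable = len(never) + len(stale)
    return {
        "entitled": entitled,
        "used": used,
        "remaining": entitled - used,
        "reclaimable": reclaimable,
        "remaining_after_cleanup": entitled - used + reclaimable,
    }


if __name__ == "__main__":
    never, stale = dormant_users(SAMPLE_USERS)
    print("never logged in:", never)
    print(f"idle > {DORMANT_DAYS} days:", stale)
    for finding in iauth_findings(SAMPLE_USERS):
        print("i-Auth risk:", finding)
    print("licences:", license_summary(SAMPLE_USERS, entitled=10))
```

Disabled users are excluded from every count because they hold no licence; an account that is enabled but has never logged in is the case the report calls out, and it is reported separately from accounts that were used once and then went idle.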


Management Comment :
Target User Connection Summary

AD Nomenclature Risk :
Default IDs are one of the major contributing factors to large-scale security compromises. Attackers can easily identify and access
internet-connected devices that use shared default passwords. It is imperative to change default manufacturer User ID &
Passwords and restrict network access to critical and important systems only.
To ensure you are protected from these vulnerabilities you need to ensure your devices are not using default user names or
passwords. Refer to the OEM manual that came with your Product / Device or visit the manufacturer’s support website for
instructions to change this information.

Potential benefits for the client


By changing the default user name to something more difficult to guess, you greatly increase the difficulty of accessing the
account. An attacker must correctly guess both the user name and password at the same time to gain access. This is several
magnitudes more difficult than simply guessing the right password.
Target User Connection summary (Graphical)

The above graph shows the list of target ids integrated in PAM
Management Comment :
Target User Non-Compliance Summary
Target server admin ids non-compliance

• The admin ids which are not integrated with application are at risk.
• Users with privileged accounts are tapped into an enterprise’s most critical systems. Not only do these accounts have the
highest clearance levels, but they also manage and regulate smaller accounts with fewer privileges.
• Since there is no centralized management for these ids, it leads to inconsistent policy enforcement, which can be just as
bad as having no policies at all.
• Also there is lack of monitoring for these privileged ids and an unsecured password management which can be a reason
for cyberattacks by compromised passwords.

Potential benefits for the client:


• Credentials and passwords are stored in an encrypted vault behind layers of role-based permissions and multi-factor authentication.
• Least privilege access is enforced.
• Track privileged access to sensitive data.
• Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.
Target User Non-Compliance Summary (Graphical)
Please refer to the table below for the non-compliance observed in admin IDs present on the target servers.

Device IP Address | Admin Configured in PAM | Admin Not Configured in PAM
150.0.46.37 | IRADM1, PIM_HSODAM, PIM_SRINIVASANS, SE_IRAJDBADM | ADRMS Admin Account, Admin, Qualys, Administrator, Azure AD, Directory Sync - Nayara Energy, IRAJadm, PIM, IT Admin, HP-DP - Nayara Energy, IT Admin, IT Enterprise - Nayara Energy, IT Admin, SCCM - Nayara Energy, IT Admin, Veeam - Nayara Energy, IT Admin, Veeam Backup Exch 2016 - Nayara Energy, PIM, Aipte, PIM, Clakhani, PIM, Dbvighe, PIM, Diparmar, PIM, Dturbhekar, PIM, Entadmin - Nayara Energy, PIM, Jsoni, PIM, Rkhoja, PIM, Sdhameliya, PIM, Svhadiyal, PIM, Vnhadial, SE_PEM - Nayara Energy, SROIL\apmcadmin, SROIL\se_hsodam, SROIL\se_srinivasans, ServerAdmin, eolitadmin, traversemonitor - Nayara Energy
150.0.46.83 | IRADM1, IRAJADM, PIM_HSODAM, PIM_SRINIVASANS, SE_IRAJDBADM |
150.0.46.86 | IRADM1, IRAJADM, IRAJRDP, PIM_HSODAM, PIM_SRINIVASANS, SE_IRAJDBADM |
150.0.46.95 | IRADM1, IRAJADM, IRAJRDP, PIM_AKATARIA, PIM_VCHUDASAMA, SE_IRAJDBADM |
172.25.1.84 | IRADM1, SE_IRAJDBADM |
172.25.1.91 | IRADM1, SE_IRAJDBADM |
172.25.1.92 | IRADM1, SE_IRAJDBADM |
172.25.1.94 | IRADM1, IRAJADM, PIM_DIPARMAR, PIM_HSODAM, PIM_SRINIVASANS, SCCMMANAGER, SE_IRAJDBADM |
172.25.2.17 | IRADM1, IRAJADM, PIM_HSODAM, PIM_SRINIVASANS, SE_IRAJDBADM |
172.25.2.18 | IRADM1, IRAJADM, SE_IRAJDBADM |
172.25.2.19 | IRADM1, IRAJADM, SE_IRAJDBADM |
172.25.2.20 | IRADM1, PIM_HSODAM, PIM_SRINIVASANS, SE_IRAJDBADM | ADRMS Admin Account, Admin, Qualys, Administrator, Azure AD, Directory Sync - Nayara Energy, IRAJadm, PIM, IT Admin, HP-DP - Nayara Energy, IT Admin, IT Enterprise - Nayara Energy, IT Admin, SCCM - Nayara Energy, IT Admin, Veeam - Nayara Energy, IT Admin, Veeam Backup Exch 2016 - Nayara Energy, PIM, Aipte, PIM, Clakhani, PIM, Dbvighe, PIM, Diparmar, PIM, Dturbhekar, PIM, Entadmin - Nayara Energy, PIM, Jsoni, PIM, Rkhoja, PIM, Sdhameliya, PIM, Svhadiyal, PIM, Vnhadial, SE_PEM - Nayara Energy, ServerAdmin, eolitadmin, traversemonitor - Nayara Energy

Please note : The above scan was performed on a sample basis for the Windows group
Target User Non-Compliance Summary (Graphical)

Device IP Address | Admin Configured in PAM | Admin Not Configured in PAM
172.25.1.158 | ROOT |
172.25.1.159 | ROOT |
172.25.1.160 | ROOT |
172.25.1.161 | ROOT |
172.25.1.162 | ROOT |
172.25.1.163 | ROOT |
172.25.1.164 | ROOT |
172.25.1.165 | ROOT |
172.25.130.39 | ROOT | appadmin, sysadmin, user
172.25.130.40 | ROOT | se
172.25.181.83 | ROOT |
172.25.181.84 | ROOT |
172.25.181.85 | ROOT |
172.25.131.127 | ROOT |
172.25.131.128 | ROOT |
172.25.131.129 | ROOT |
172.25.131.130 | ROOT |
172.25.131.131 | ROOT |
172.25.131.132 | ROOT |
172.25.131.199 | ROOT |
172.25.131.208 | ROOT |
172.25.131.238 | IRADM1, IRAJADM, ROOT |
172.25.131.239 | ROOT |
172.25.131.245 | ROOT |
172.25.131.246 | ROOT |
172.25.131.247 | ROOT |
172.25.131.248 | ROOT |
172.25.131.249 | ROOT |
172.25.131.250 | ROOT |
172.25.131.251 | ROOT |
172.25.131.252 | ROOT |
172.25.132.143 | ROOT | ciscosda

Please note : The above scan was performed on a sample basis for the Linux group
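The two tables above are the output of a reconciliation between the admin accounts discovered on each target server and the accounts configured in PAM, and the "AD Nomenclature Risk" section earlier singles out vendor default IDs among the unmanaged ones. The following is an added example of that reconciliation, written for this report and not code from Iraje PAM: the host addresses, account names and the `DEFAULT_IDS` set are constructed, and the matching is deliberately case-insensitive and strips a `DOMAIN\` prefix, because the Windows table shows the same account spelled "IRAJADM" on one side and "IRAJadm" on the other.

```python
# Constructed sample: privileged accounts discovered on each target host (for instance
# members of the local Administrators group on Windows, uid-0 and sudo accounts on Linux).
# Hosts and names are hypothetical, not the client's.
DISCOVERED = {
    "10.0.0.1": ["Administrator", "IRADM1", "IRAJadm", "CORP\\svc_backup", "Admin"],
    "10.0.0.2": ["root", "appadmin", "sysadmin"],
    "10.0.0.3": ["root"],
}

# Constructed sample: accounts already vaulted / configured in PAM for each host.
IN_PAM = {
    "10.0.0.1": ["IRADM1", "IRAJADM"],
    "10.0.0.2": ["ROOT"],
    "10.0.0.3": ["ROOT"],
}

# Vendor default account names (assumed list): one left outside PAM is the
# "default ID" risk the report describes.
DEFAULT_IDS = {"administrator", "admin", "root"}


def normalise(account):
    """Windows and AD names are case-insensitive, and discovery may report DOMAIN\\name
    while PAM stores the bare name, so compare on the lower-cased bare name."""
    return account.rsplit("\\", 1)[-1].lower()


def reconcile(discovered, in_pam):
    """Per host: which discovered admin accounts are configured in PAM and which are not."""
    report = {}
    for host, accounts in discovered.items():
        vaulted = {normalise(a) for a in in_pam.get(host, [])}
        configured, missing = [], []
        for account in accounts:
            (configured if normalise(account) in vaulted else missing).append(account)
        report[host] = {"configured": configured, "not_configured": missing}
    return report


def default_id_gaps(report):
    """Hosts where a default-named account exists but is not managed by PAM."""
    gaps = {}
    for host, entry in report.items():
        hits = [a for a in entry["not_configured"] if normalise(a) in DEFAULT_IDS]
        if hits:
            gaps[host] = hits
    return gaps


def summary(report):
    """Headline numbers of the kind the report's tables are summarised into."""
    return {
        "hosts": len(report),
        "hosts_with_gaps": sum(1 for e in report.values() if e["not_configured"]),
        "accounts_not_configured": sum(len(e["not_configured"]) for e in report.values()),
    }


if __name__ == "__main__":
    result = reconcile(DISCOVERED, IN_PAM)
    for host, entry in result.items():
        print(host, "| configured:", ", ".join(entry["configured"]),
              "| not configured:", ", ".join(entry["not_configured"]))
    print("default IDs outside PAM:", default_id_gaps(result))
    print("summary:", summary(result))
```

Hosts that appear in the PAM inventory but not in the discovery output are ignored here; in practice they deserve their own line in the report, since a vaulted account on a host that no longer exists is stale inventory rather than coverage.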
Management Comment :
SOD (Segregation of duty) Conflict Summary
A SoD conflict is a situation where one role in an organization has permissions spanning more than one area of access.

SOD Conflict Risk :

Defining conflicting roles can lead to inconsistent results.
For example, an organization has three roles, R1, R2, and R3. Two of these roles, R1 and R2, are defined as conflicting.
If R2 and R3 are built with the same permissions, then both pairs (R1, R2) and (R1, R3) would give the user access to conflicting permissions. In effect R2 is equivalent to R3, even though, by definition, only the pair (R1, R2) is considered a pair of conflicting roles.
According to the RBAC model, roles are containers for groups of permissions; the user's actual operating capacity depends on the permissions that define the operational characteristics of a role.
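The R1/R2/R3 case above is a matter of where the conflict is declared: if it is recorded only as a pair of role names, the permission-equivalent role R3 slips past the check. The following is an added example, not code from the report or from Iraje PAM, that expands the declared role conflict into permission pairs and then evaluates users and role pairs against those permissions. The role and permission names are hypothetical; only the R1/R2/R3 relationship comes from the text.

```python
from itertools import combinations

# Constructed example following the report's R1/R2/R3 illustration (hypothetical permissions).
ROLES = {
    "R1": {"create_vendor", "edit_vendor"},
    "R2": {"approve_payment", "release_payment"},
    "R3": {"approve_payment", "release_payment"},   # built with the same permissions as R2
    "R4": {"view_reports"},
}

# Conflicts as they are usually declared: at role level, here only (R1, R2).
ROLE_CONFLICTS = [("R1", "R2")]


def permission_conflicts(roles, role_conflicts):
    """Expand role-level conflicts into the underlying permission pairs (both orders kept)."""
    pairs = set()
    for a, b in role_conflicts:
        for pa in roles[a]:
            for pb in roles[b]:
                if pa != pb:              # a permission cannot conflict with itself
                    pairs.add((pa, pb))
                    pairs.add((pb, pa))
    return pairs


def effective_permissions(roles, assigned):
    """A user's operating capacity is the union of the permissions of the assigned roles."""
    return {p for r in assigned for p in roles[r]}


def user_conflicts(roles, role_conflicts, assigned):
    """Conflicting permission pairs a user actually holds, whichever roles granted them."""
    perms = effective_permissions(roles, assigned)
    hits = {tuple(sorted(p)) for p in permission_conflicts(roles, role_conflicts)
            if p[0] in perms and p[1] in perms}
    return sorted(hits)


def role_pairs_in_conflict(roles, role_conflicts):
    """Every role pair that is effectively conflicting, including permission-equivalent roles."""
    conflicts = permission_conflicts(roles, role_conflicts)
    return [(a, b) for a, b in combinations(sorted(roles), 2)
            if any(pa in roles[a] and pb in roles[b] for pa, pb in conflicts)]


if __name__ == "__main__":
    print("declared role conflicts:", ROLE_CONFLICTS)
    print("effective role conflicts:", role_pairs_in_conflict(ROLES, ROLE_CONFLICTS))
    print("user with R1 + R3 holds:", user_conflicts(ROLES, ROLE_CONFLICTS, ["R1", "R3"]))
    print("user with R2 + R3 holds:", user_conflicts(ROLES, ROLE_CONFLICTS, ["R2", "R3"]))
```

Because the check runs on permissions rather than role names, a user holding R1 and R3 is reported even though (R1, R3) was never declared, and a user holding R2 and R3 is not, since the two roles only duplicate each other.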

Potential benefits for the client


The implementation of an effective system for managing user rights that ensures appropriate segregation of duties allows you to achieve the following benefits:
• Build awareness among management and process owners of the risks associated with an ineffective system of user authorizations
• Reduce the risk of fraud and error due to excessive user privileges
• Improve the internal control system through better use of the opportunities offered by the IT systems in use
• Improve business processes through better use of available system tools and by eliminating unnecessary manual controls
• Improve utilization of available resources (e.g., a license to use the PAM system)
• Address the issues of inadequate segregation of duties raised by auditors, contractors, regulators and other stakeholders
SOD Conflict Chart
Management Comment :
Trend Analysis

The PAM Trend Analysis report covers privileged users and connections in order to track, collect, analyze, and build user behavior patterns.
Apart from monitoring, this integration offers detailed reports about privileged users, resources, access levels, and their usage patterns, along with a comprehensive history of past operations performed by users.

Risks associated with access


• Experts estimate that as many as half of all security breaches occur as the result of insider activity. Insider threats are
especially serious when associated with employees who have higher access privileges than needed.
• Whether the privilege misuse occurs due to employee error or is the work of a cybercriminal who has leveraged the
credentials of an insider to gain access to your IT network, you can best manage this risk by closely controlling and
monitoring what privileged users, such as superusers and database administrators, are doing with their access.
Trend Analysis - Connection Access Review for April 2023
Trend Analysis - User access review for April 2023
Failed Login Attempts
Failed Login Attempt report provides you with the number of failed login attempts on PAM dashboards by Admin Users.
Alerts & Notifications

The list of configured Alerts & Notifications and their status is given below.

Alert Type | Configured | Status | Remarks
2 Factor Alert | Yes | Working |
Change Password Alert | Yes | Working |
Bypass alert on Windows | Yes | Configured |
Restricted Command Alert | Yes | Working |
EMS Alert | Yes | Working |
Connection Access | No | Not Configured |
Maker Checker | No | Not Configured |
Show Password Alert | Yes | Working |
Admin Option | No | Not Configured |
Access Control | No | Not Configured |
Replication Alert | No | Not Configured |

And more options are available


PAM Matrix Index

The matrix has four columns:
GRC - Governance, Risk and Compliance. Model: AU - Audit & Accountability; CM - Config Management; RA, SA - Risk & Security Assessment; SI - System & Info Integrity; SC - System & Communications Protection
PA - Privileged Administration. Specific controls from: AC - Access Control; CM - Configuration Management; MA - Maintenance; SP
IAM - Identity and Access Management. AC - Access Control; IA - Identity & Authentication
Product & Process

Phase 0

GRC
• No PAM vault.
• No centralized inventory of all assets in the environment.
• No easy way to report on user access permission and privileges.
• No easy way to reconcile who has access to what, who did what, and who approved access.
• Failed audits

PA
• Managing administration for Windows servers using Domain Admin Group membership.
• Managing local accounts on each Unix/Linux system and editing local /etc/sudoers files.
• Users are often admins of their own workstations.

IAM
• No centralized access controls.
• Identity management is not centralized.
• Admins access using local admin accounts.
• Hard to tell who has access and what privileges they have.

Product & Process
Products: • PAM Vault - Secret Server • Bastion Service - Remote Access Service • Connection Manager (optional)
Integrations: • SIEM
Process Changes: • PAM Vault Training • Remote Access Training • IWAR Enablement • I-URA Enablement
Phase I

GRC
• Establish an accurate inventory of administrative privileged accounts and passwords.
• Classify credentials and secrets.
• Discover and vault local administrative accounts.

PA
• Vault and automate periodic rotation for all administrative accounts.
• Vault Active Directory and Azure privileged accounts and manage privileged account Groups.
• Enforce Alternative Admin and MFA for remote access.
• Establish a secure administrative environment for both local and remote sessions.
• Establish initial privileged access workflow.

IAM
• Enforce MFA for access to vault, including secret check out and remote session initiation.
• Establish Alternative Admin accounts to prevent using public identities.

Product & Process
Products: • Server PAM - Server & Cloud Suite • Workstation PAM - Privilege Manager • DevOps Secrets Vault
Integrations: • ITSM for change control, trouble tickets • SIEM
Process Changes: • Privilege Elevation training • Third-party access training • IWAR Enablement • I-URA Enablement
Phase II

GRC
• Discover, classify, and manage local accounts, servers, Groups, roles, and security configuration files that might grant privileges across all assets.
• Implement real-time session monitoring and security access control policies for endpoints.
• Enforce host-based session, file, and process auditing with integration to SIEM.
• Integration with ITSM to drive access control request workflows tied to help desk tickets.

PA
• Establish basic privilege elevation policies for all endpoints (workstations and servers).
• Establish just-in-time, just-enough privileges.
• Vault Linux and local administrative credentials (passwords and SSH keys).
• Expand remote access control to vendors and contractors without creating AD accounts.
• Automate privilege security in DevOps workflows and tooling.

IAM
• Enforce Multi-Factor Authentication at endpoints for direct log-in and privilege elevation.
• Eliminate local accounts via identity consolidation for Unix and Linux.
• Remove hardcoded credentials and config data from applications and scripts.

Product & Process
Products: • Privilege Behaviour Analytics • Account Lifecycle Manager
Integrations: • IGA • SIEM & EUBA
Process Changes: • App Developer Security Training • Automate security and compliance • IWAR Enablement • I-URA Enablement
Phase III

GRC
• Integrate with Identity Governance and Administration (IGA) tools for attestation reporting and risk-based approvals.
• Leverage audit data, machine-learning, behavioural analytics, and automation to detect, track, and alert to any threats.
• Integrate with User and Entity Behaviour Analytics tools (UEBA).
• Discover and classify service accounts. Implement service account discovery, provisioning, and governance across identity and cloud service providers.
• Harden operating systems and application components.

PA
• Establish more granular policies for privilege elevation.
• Automate onboarding of new managed assets.

IAM
• Ensure all connections required for privileged operations must be mutually authenticated with cryptographic credentials.
• Increase MFA from NIST Authenticator Assurance Level 1 (authenticating with an ID and password) to NIST Authenticator Assurance Level 2 (AAL2). AAL2 has more identity assurance due to the presence of a second factor.
• Restrict privileged access to registered and company-owned endpoints.
• Prohibit privileged access by any client system that isn't known, authenticated, properly secured, and trusted.
• Require dual authorization for privileged operations on critical or sensitive systems.
Thank You.
