Providing Privileged Access Management (PAM) to On-Premises Infrastructure and Azure AD

Before working towards a best-practice PAM design, it is important to specify the on-premises and Azure AD features for which provision of PAM is being explored:
On-premises infrastructure features include:
· Active Directory DS
· Network Equipment
· Member Servers
Azure AD features include:
· PIM
· MFA
· Conditional Access
· Access Governance
Azure AD features do not seem to provide much protection for services outside the cloud, and third-party Privileged Access Management (PAM) providers such as CyberArk seem prohibitively expensive.
One of our prospects recently identified the need to take out insurance against cyber-security incidents, mainly ransomware attacks via on-premises AD. The insurer had a checklist that included privileged access management of all privileged identities; non-compliance with that requirement would push up the insurance premium.
They have a hybrid environment, but most of it is still on-premises; even their Windows VMs in Azure are domain joined. The primary location where privileged accounts authenticate is therefore Active Directory Domain Services.
So, my conclusion was that Azure AD P2 PIM could manage and protect Microsoft 365 and Azure roles but would not provide any protection to the non-cloud part of the infrastructure. Commercial third-party PAM (CyberArk) seems too expensive for their basic requirements. There are open-source PAM solutions, but choosing OSS products that are immature “works in progress” and require hundreds of hours of effort to get running reliably is a tough spot to be in.
MIM PAM has been implemented for other prospects in my organization before, and it is a lot of infrastructure to deploy and maintain while only providing a subset of the functionality required.
One of the suggestions that came up was PAW (Privileged Access Workstation) notebooks for top-tier admins and a general lock-down of privileged accounts. Another recommendation was RADIUS authentication (Windows Server NPS) with Azure AD MFA for connections to the third-party VPN and for admin logins to network equipment.
It is still unclear, though, how to use Azure AD Identity Governance to manage access to on-premises services (e.g., Active Directory Domain Services).
Recommending separate admin accounts for privileged users may seem unfashionable, but if an admin clicks on a bad link (or something similar) while reading mail or surfing the web, at least the account that ends up executing the malware is non-privileged. Tiered admin accounts also make it easier to enforce PAW and other restrictions on highly privileged accounts.
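Before privileged identities can be placed under PAM or PAW controls (or reported to an insurer), they first need to be inventoried. The following PowerShell script is an added example, not from the original post, that enumerates the members of the built-in privileged AD groups recursively and flags enabled accounts whose password never expires; it assumes the ActiveDirectory RSAT module is installed and the group names are the default English ones.

```powershell
# Added example: inventory privileged AD group members for a PAM / tiered-admin review.
# Assumes the ActiveDirectory RSAT module and default (English) built-in group names.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'
)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are not missed
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, PasswordNeverExpires, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $Group
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
            }
        }
}

# Enabled accounts with no password expiry are the first candidates for remediation
# (separate admin account, PAW enforcement, or removal from the group).
$Report | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Full inventory for the insurer / audit checklist
$Report | Export-Csv -Path '.\privileged-identities.csv' -NoTypeInformation
```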
Azure AD Application Proxy allows you to publish any browser-based admin interface behind Azure AD accounts, which lets you enforce MFA and other Conditional Access policies and manage these logins with Azure AD Access Governance. However, only a tiny proportion of on-premises admin functions use browser-based access, so it is not that useful in this scenario.
Options for implementing a secure “jump box” for RDP access to on-premises systems are being thought through. The jump box is also where all the admin tools and consoles can be installed. Servers can be locked down so that RDP is only possible from the jump box, and the jump box itself can then be secured as much as possible. One option would be to require admins to connect to the jump box via the Remote Desktop Services Gateway, where MFA and other controls can be enforced.
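The “RDP only from the jump box” lock-down described above can be enforced on each member server with the Windows Firewall. The script below is an added example, not from the original post; it assumes a single jump box at the placeholder address in $JumpBoxIP and that the server uses the built-in “Remote Desktop” firewall rule group.

```powershell
# Added example: restrict inbound RDP (TCP 3389) on a member server to one jump box.
# $JumpBoxIP is a placeholder; replace it with the real address of the hardened jump box.
$JumpBoxIP = '10.0.0.10'

# Disable the built-in "Remote Desktop" rules, which allow RDP from any address
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# Allow RDP only from the jump box, on the domain profile only
New-NetFirewallRule -DisplayName 'RDP from jump box only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $JumpBoxIP -Action Allow -Profile Domain

# Verify: every enabled rule that touches port 3389 should now be the jump-box rule
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 3389 |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action, Profile
```

The same rule can be delivered at scale through Group Policy (Windows Defender Firewall with Advanced Security) rather than run per server; the verification step is what to keep in a recurring compliance check.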
So, let’s apply some constructive criticism to the above suggestions and explore the other ideas that can be investigated:
First, we need to understand what CyberArk provides and who its direct competitors are. Here is a list of its competitors:
· GroupID
· BeyondTrust
· Thycotic
· Centrify
· Broadcom
· HashiCorp
· IBM
· ManageEngine
· One Identity
Now, we are looking for a solution for the hybrid model, where multiple things must be secured through PAM both on-premises and in the cloud.
What are things we are seeking to secure in PAM?
1. On-Premises infrastructure, including AD DS, Network Equipment, Member Servers, etc.
2. Azure AD features (PIM, MFA, Conditional Access, Access Governance, etc.)
To understand the options better, let’s start with one of the third-party vendors, ManageEngine, and what they offer:
- Create, modify, move, or delete multiple groups at once.
- Provide special privileges to a group of users in a single click.
- Add users to groups based on requests raised using tools such as ADManager Plus workflow abilities.
- Remove members from groups automatically after a certain amount of time.
- Audit delegated permissions.
- Manage and report on permissions.
Now let’s compare with another third-party vendor, GroupID by Imanami:
1. Creating, modifying, moving, or deleting multiple groups easily with Automate and SSP.
2. Creating role-based security groups to give privileges to different tiers of users (PAM).
3. Providing hierarchy-based workflows to handle the different tasks involved in managing groups and user creation.
4. Group lifecycle management using SSP, so members can join groups temporarily.
5. Providing reports, history and helpdesk functions for auditing purposes; Security Roles and Insights by GroupID can give better visibility into what’s going on within the infrastructure.
Let’s talk about the main query now:
If we are asking about managing on-premises infrastructure, MFA and conditional access:
For these, GroupID offers Windows Hello, SMS authentication and YubiKey for MFA purposes, but for conditional access we need to use a third-party solution, e.g. Azure SSO, and in that case the MFA responsibility would fall to Azure SSO.
Reason: if we use conditional access, then we are bypassing the traditional MFA methods.
Conditional access based on security roles can also be used to require MFA.
On the Azure side this could be Cloud App Security, but again, handling on-premises features through traditional MFA would be complex, and on top of that managing network security is the main challenge here, which at this point points me to CyberArk,
because they offer coverage for network equipment and member servers, which GroupID and ManageEngine do not provide.
Reason: if we have to comply with the following scenario, “They have a hybrid environment, but most of it is still on-premises, even their Windows VMs in Azure are domain joined. A primary location where privileged accounts authenticate is thus Active Directory Domain Services”, then we need a solution that provides PAM for network security, which again we (GroupID) and ManageEngine do not provide.
If we read the user’s statement, he is not only talking about CyberArk but about a mixed solution with PAW notebooks. So, in short, the current option that fulfils all the requirements is CyberArk.
So, GroupID can be deployed for creating, modifying, moving, or deleting multiple groups easily with Automate and SSP; creating role-based security groups to give privileges to different tiers of users (PAM); providing hierarchy-based workflows to handle the different tasks involved in managing groups and user creation; group lifecycle management using SSP so members can join groups temporarily; and providing reports, history and helpdesk functions for auditing purposes via Security Roles, with better visibility into what’s going on within the infrastructure. Combining it with other solutions (open source or paid) for the network and member server side, we can move towards achieving all the requirements.