Introducing the Abstracts of Technical Theses on Privileged Access Management

It's been a while. This is Kioka.

I recently had the chance to be involved in administering CyberArk, a PAM (Privileged Access Management) tool.

Along with that I looked into PAM in various places, but all I could find were vague explanations.

So I searched for English-language theses and found a doctoral thesis from Aalto University and a thesis by a certain bachelor's student, which I would like to introduce here.

Paper 1

Abstract

Privileged accounts can be the entry point for cybersecurity attacks or stepping stones for further escalation to critical organization resources. Besides privileged accounts for users, there are a large number of credentials for the different pairs of a system accessing another system. This is one challenge of Privileged Access Management in maintaining security and visibility over the usage of confidential resources like system credentials.

Two case studies are applied to this problem: one on the system-to-system cases in a large organization, and one on available approaches for a service that not only securely manages credentials but is also able to maximize adaptation to most of the system-to-system cases.

This thesis also contributes a procedure to analyze S2S cases based on four steps: (1) identifying the Accessing System (AS) and the Target System (TS); (2) identifying the identity model at the TS side and the authentication protocol between AS and TS; (3) identifying the process of initial setup of the AS-TS credential; and (4) the process of updating the credential.

From these four steps, four criteria for a system-to-system credential management service are defined, including (A) capable of adapting to the different identity models and authentication protocols of target systems; (B) supporting mechanisms for initial credential setup at different ASs; (C) supporting mechanisms for updating credentials automatically following credential policies; (D) capable of managing credentials securely.

The study shows S2S cases can be classified into three groups: the accessing group, the target group, and the environment group. The environment group has additional infrastructure support to automate steps (3) and (4) for deployed systems.

Also from the study, the solutions from two cloud providers are only applicable to their own environments, while two self-deployed packages, HashiCorp Vault and Thycotic Secret Server, can be deployed on-premises and are available to applications and services on different infrastructure environments.

Summary of the abstract

Problem statement

Behind privileged accounts lies a large volume of system-to-system authentication.
This is a challenge for maintainability and visibility when confidential information such as system credentials is used.

Two case studies introduced

  1. System-to-system communication in a large organization (the approach taken there)
  2. A service that, in addition to managing credentials securely, can handle a wide variety of system-to-system communication cases (the approach taken there)

Method for analyzing the system-to-system authentication process

  1. Identify the Accessing System (AS) and the Target System (TS)
  2. Identify the identity model on the TS side and the authentication protocol between AS and TS
  3. Identify the process for the initial credential setup between AS and TS
  4. Identify the process for updating the credential

Four criteria required of a system-to-system credential management service

  1. It can adapt to the identity models and authentication protocols of different target systems
  2. It provides a mechanism for initial credential setup on different accessing systems
  3. It provides a mechanism for updating credentials automatically according to the credential policy
  4. It can manage credentials securely
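To make the four analysis steps and the four criteria above concrete, here is a small Python model of an S2S credential management service. It is an added example written for this post, not code from the thesis or from any PAM product; the system names, the supported (identity model, protocol) pairs and the 30-day policy are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class S2SCase:
    accessing_system: str   # step (1): Accessing System (AS)
    target_system: str      # step (1): Target System (TS)
    identity_model: str     # step (2): identity model on the TS side
    auth_protocol: str      # step (2): authentication protocol between AS and TS
    issued_at: datetime = datetime.min
    secret: str = field(default="", repr=False)   # excluded from repr/logs: criterion (D)

class S2SCredentialService:
    # Criterion (A): the (identity model, protocol) pairs this toy service can adapt to (constructed).
    SUPPORTED = {("local-account", "password"), ("service-account", "api-key")}

    def __init__(self, max_age: timedelta):
        self.max_age = max_age   # the credential policy: criterion (C)
        self.cases, self.audit = {}, []

    def register(self, case: S2SCase, now: datetime) -> None:
        """Step (3): initial AS-TS credential setup for an accessing system (criterion B)."""
        if (case.identity_model, case.auth_protocol) not in self.SUPPORTED:
            raise ValueError(f"cannot adapt to {case.target_system}: {case.auth_protocol}")
        self._issue(case, now, "initial setup")
        self.cases[(case.accessing_system, case.target_system)] = case

    def rotate_due(self, now: datetime) -> list:
        """Step (4): rotate every credential older than the policy allows (criterion C)."""
        due = [c for c in self.cases.values() if now - c.issued_at >= self.max_age]
        for case in due:
            self._issue(case, now, "rotation")
        return [(c.accessing_system, c.target_system) for c in due]

    def _issue(self, case: S2SCase, now: datetime, reason: str) -> None:
        case.secret, case.issued_at = secrets.token_urlsafe(32), now
        # The audit trail records the pair, time and reason, never the secret itself (criterion D).
        self.audit.append(f"{now:%Y-%m-%d} {reason}: {case.accessing_system}->{case.target_system}")

def demo() -> dict:
    """Constructed scenario: two S2S pairs under a 30-day policy, checked 45 days in."""
    svc, t0 = S2SCredentialService(max_age=timedelta(days=30)), datetime(2020, 8, 1)
    web_db = S2SCase("web-app", "orders-db", "local-account", "password")
    svc.register(web_db, t0)
    svc.register(S2SCase("batch-job", "billing-api", "service-account", "api-key"), t0 + timedelta(days=20))
    old = web_db.secret
    rotated = svc.rotate_due(t0 + timedelta(days=45))   # web-app pair is 45 days old, batch-job only 25
    return {"rotated": rotated, "changed": web_db.secret != old, "audit": svc.audit,
            "leaked": any(old in line or web_db.secret in line for line in svc.audit)}
```

Running `demo()` shows only the 45-day-old pair being rotated, a fresh secret for it, and an audit trail that never contains a credential value.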

Citation

Luong, T. (2020). Privileged Access Management for System to System communications [Master’s thesis, Aalto University]. http://urn.fi/URN:NBN:fi:aalto-202008245171

Paper 2

Abstract

A considerable portion of today's cybercrime involves the misuse of privileged accounts. It has been estimated that on average in company environments there are double the number of privileged accounts compared to the number of employees. Often these accounts are left behind in different systems without being actively managed, sometimes leading to their eventually being completely forgotten. Considering the access level of such credentials to confidential and critical company resources, they pose a severe risk to the company's cybersecurity. In different organizations, awareness has been increasing about the need to bring these privileged accounts under active management and protection.

A growing need for privileged access management in the customer field has also been noticed in the assigner company of this work. Based on the theory part, the goal was to write an introduction guide for the assigner company, which could be used in introducing new employees to PAM (Privileged Access Management).

Privileged accounts can be managed by taking advantage of PAM tools and processes. The theory part concentrated on PAM background, necessity, features, and implementation. Locating PAM in the wider IAM (Identity and Access Management) framework was also one of the addressed topics.

The introduction guide was divided into three main categories: PAM background, components, and lifecycle process. The guide can be used to gain the necessary base-level understanding of PAM, which provides the possibility to further deepen knowledge about technical implementations and PAM products from different vendors. The goal of the guide is not to give a detailed description of technical configurations or features, but instead to give an introduction to the subject for someone who gets involved in it for the first time.

Summary of the abstract

Problem statement

In today's cybercrime, cases involving the improper operation or use of privileged accounts are fairly common.
It is estimated that there are about twice as many privileged accounts as there are employees. These are left behind in various systems or completely forgotten → dangerous.
Awareness is growing that privileged accounts need to be properly managed and protected.

Overview of PAM-related topics

  • Companies that implement PAM (on your behalf)
  • Background knowledge on PAM
  • The necessity of PAM
  • Features of PAM
  • Implementation of PAM

Structure of the introduction guide

  1. PAM background
  2. PAM components
  3. PAM lifecycle process

Citation

Antti, K. (2020). Newcomer's introduction to Privileged Access Management [Bachelor's thesis, Nixu Corporation Oyj]. https://www.theseus.fi/bitstream/handle/10024/348503/Opinnaytetyo_Kuokkanen_Antti.pdf?sequence=2

In closing

This time I only introduced the abstracts. From the next post on, I plan to introduce the contents themselves.

See you next time.

Last modified: 2023-08-05
