Mind the Gap: Using PAM for Network Segmentation
Network segmentation and segregation have been around for as long as there have been private networks connected to the internet. Network segmentation will be familiar to many through its implementation with firewalls and DMZs, and it is essential; but network segregation, which governs who can reach what inside the network, has an equally important role to play in cybersecurity.
Network segmentation, broadly defined, is the control of access to resources within a network, achieved by creating and enforcing rules that assure that control. In essence, the goal is to create a gap between users and resources within a network. This gap provides an additional layer of defense by helping to ensure that users already inside the network, whether admins or attackers who have somehow breached the corporate firewall, cannot reach resources for which they hold no privilege.
PAM and Network Segmentation
Of course, ensuring that privileged access to resources is always appropriate is what lies at the heart of Privileged Access Management (PAM) – which is why a PAM solution should be considered a prime tool for creating the desired gap between users and resources. In effect, the PAM solution acts as a reception desk, creating a barrier between users and the assets they wish to access, checking credentials and verifying authorization (privileges) before allowing the user to proceed.
But to create that gap (a logical gap rather than a true air gap, since the PAM solution itself remains reachable and is therefore the enforcement point), a PAM implementation needs several key features to be robust enough to do the job. Beyond the basic ability to grant and revoke privileges so that users can reach only the resources they are authorized for, it must also:
- Enforce circumstantial access, so that a user is not simply granted privileged access to a resource but is granted it only under managed conditions, such as the time of the request and the location or source network it comes from;
- Segregate privileged resources on the network so that they are not even visible to users without the appropriate privileges;
- Monitor session traffic in real time for unauthorized attempts to access sensitive resources, and be able to terminate such sessions automatically;
- Record and archive all session activity for future training and for security and compliance audit review;
- Be granular enough to enforce least privilege, yet transparent enough to users that day-to-day operations are not impeded;
- And be easy enough to use that security teams will actually use it.
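The four enforcement features above (circumstantial access, segregation by visibility, real-time session monitoring with automatic termination, and session recording) can be made concrete with a small policy model for a PAM gateway. The following is an added illustration written for this article, not code from any PAM product; the users, hosts, grant table, timestamps and session actions are all constructed, and the session is simplified to a list of (target resource, command) hops checked against the time the session started.

```python
"""Toy PAM gateway policy: circumstantial (time/source) authorisation, resource
visibility segregation, session monitoring with automatic termination, and an
audit trail. All users, hosts, grants, timestamps and session actions below
are constructed for illustration and are not taken from any real deployment."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    start: time                 # allowed window start, inclusive (gateway local time)
    end: time                   # allowed window end, exclusive
    sources: Tuple[str, ...]    # CIDRs a session may originate from


# Hypothetical inventory and grant table.
RESOURCES: Set[str] = {"db-prod-01", "db-prod-02", "hr-fileserver", "jump-dev"}
GRANTS: Tuple[Grant, ...] = (
    Grant("alice", "db-prod-01", time(8, 0), time(18, 0), ("10.10.0.0/16",)),
    Grant("alice", "jump-dev", time(0, 0), time(23, 59, 59), ("10.10.0.0/16", "10.20.0.0/16")),
    Grant("bob", "hr-fileserver", time(9, 0), time(17, 0), ("10.30.5.0/24",)),
)

# Constructed sample timestamps used by the demo and its checks.
BUSINESS_HOURS = datetime(2024, 3, 4, 10, 0)
AFTER_HOURS = datetime(2024, 3, 4, 22, 0)


def authorize(user: str, resource: str, at: datetime, src_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Holding a grant is not enough: the request must
    also fall inside the grant's time window and come from a permitted network."""
    matching = [g for g in GRANTS if g.user == user and g.resource == resource]
    if not matching:
        return False, "no grant"
    reason = "no grant"  # overwritten by whichever check a matching grant fails
    for g in matching:
        if not (g.start <= at.time() < g.end):
            reason = "outside allowed time window"
            continue
        if not any(ip_address(src_ip) in ip_network(c) for c in g.sources):
            reason = "source address not permitted"
            continue
        return True, "granted"
    return False, reason


def visible_resources(user: str) -> Set[str]:
    """Segregation by visibility: a user's catalogue lists only resources they hold
    some grant for. Everything else is absent rather than merely denied. The
    authorize() check, not this filter, remains the enforcement point."""
    return {g.resource for g in GRANTS if g.user == user and g.resource in RESOURCES}


@dataclass
class SessionRecord:
    user: str
    src_ip: str
    terminated: bool = False
    events: List[Dict[str, str]] = field(default_factory=list)   # the audit trail


def monitor_session(user: str, src_ip: str, started: datetime,
                    actions: List[Tuple[str, str]]) -> SessionRecord:
    """Replay a proxied session hop by hop. Each action is (target resource,
    command). Every attempted hop is recorded for audit; the first unauthorised
    target terminates the session, so later actions are never executed."""
    rec = SessionRecord(user, src_ip)
    for target, command in actions:
        allowed, reason = authorize(user, target, started, src_ip)
        rec.events.append({"target": target, "command": command,
                           "decision": "allowed" if allowed else "denied",
                           "reason": reason})
        if not allowed:
            rec.terminated = True
            break
    return rec


if __name__ == "__main__":
    print(authorize("alice", "db-prod-01", BUSINESS_HOURS, "10.10.3.7"))
    print(sorted(visible_resources("alice")), sorted(visible_resources("mallory")))
    rec = monitor_session("alice", "10.10.3.7", BUSINESS_HOURS, [
        ("db-prod-01", "SELECT count(*) FROM orders"),
        ("hr-fileserver", "ls /payroll"),      # no grant: session is cut here
        ("db-prod-01", "SELECT 1"),            # never reached
    ])
    print(rec.terminated, len(rec.events), rec.events[-1]["reason"])
```

Note that the same user is allowed, refused for time, refused for source network, and refused for lack of any grant depending only on the circumstances of the request, and that a denied hop in the middle of a session is both recorded and fatal to the session. A production gateway would re-evaluate the policy at each action rather than at session start, and would hold the grant table in a directory or policy store rather than in code.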
All of the above features matter in creating the gap between users and resources that is the goal of network segregation. Ultimately, by ensuring that privileged users can access only the specific resources they need to do their jobs, and only when they need them, a kind of virtual network segregation is created. The gap is widened further by removing visibility of resources to which a user has no privileges: a resource that does not appear in a user's catalogue is not a target they can pick from within a session, creating what is, from that user's point of view, essentially an infinite gap. (Hiding is a useful complement, not a substitute: the authorization check remains the control that actually denies access.)
That segregation, that gap, is what provides the added layers of defense that a secure infrastructure needs. But no such gap will be created at all if the privileged access tools available to the security team are not easy enough for daily use, or impact operations to such an extent that users find workarounds to avoid them altogether. It therefore takes all elements of a robust PAM solution, working in concert, to create the gap between users and resources, and with it the layers of defense needed in the modern cyberthreat environment.