PAM-ITSM Integration: What Good Practices Should Be Applied?
According to Forrester, 80% of security breaches involve compromised privileged account credentials, and these can have a major impact on a company’s business. However, the risk posed by these accounts can be mitigated by integrating a Privileged Access Management (PAM) system with an Information Technology Service Management (ITSM) solution. This integration preserves the notion of approval to prevent anyone (even authorized individuals) from logging on to machines without reason, and also ensures end-to-end management traceability of interventions. These principles of Zero Trust and least privilege, combined with the ITSM incident management system, firmly protect the company’s sensitive assets, closing the door to attacks and ensuring compliance with cybersecurity regulations.
PAM & ITSM Integration: Just-In-Time (JIT) Incident Management
Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM) that focuses exclusively on protecting privileged accounts and access. In addition, PAM is part of organizations’ overall cybersecurity strategy by controlling, monitoring, securing and auditing all privileged accounts in IT or industrial environments. It also makes it possible to track who accesses resources and when, in order to control user privilege levels. All this is done through three key processes: identification, authentication and authorization.
IT Service Management (ITSM) tools are suites of solutions that integrate workflow management systems for handling incidents, service requests and/or configuration changes. This suite of tools also includes a database that lists all the configurations deployed on the company’s assets and serves as their authoritative record: the CMDB (Configuration Management DataBase).
Therefore, these two solutions are very useful independently, but it is their close integration that raises the overall security level. For example, by integrating PAM and ITSM, it is possible to track actions on machines by granting access to a target directly through a Just-In-Time ticket. Each time an employee wants to connect to a target, he must justify his connection request before obtaining an authorization for a defined period. In this way, access security is reinforced and traced end-to-end.
PAM & ITSM Integration: Better Correlation Of Information
If PAM solutions coupled with IDaaS solutions can manage identities, access and passwords of privileged accounts, how do you keep track of access to targets and details of interventions?
In many companies, ITSM and PAM solutions operate in isolation from each other. On the one hand, the ITSM tool records the incident and lists requests for interventions or requests to create new services; on the other, the PAM solution focuses on the people identified and authorized to work on these requests.
This siloed operation, that is, the lack of ITSM/PAM integration, makes it impossible to validate and justify interventions, and makes post-incident analysis more complex because of the lack of traces and evidence.
All requests made in the PAM solution must therefore be linked to those also recorded and integrated in the ITSM solution. Thanks to the interaction of these two solutions, all requests for action are thus declared and auditable from the ITSM. This policy makes it possible to use the capabilities of the PAM solution, such as WALLIX Bastion PAM4ALL, to trace events and authorize not only the people who are going to carry out the intervention order, but also the people who have authorized this operation, as well as the motivation for it.
In case of an audit following an incident, or a compliance audit, it is then possible to correlate the information related to the event and the actions performed through the ticket number registered in the ITSM tool. Auditors can then link an executed session and understand the validity (or otherwise) of the original request.
For this policy to be effective, it is therefore recommended that both PAM and ITSM have a synchronized asset list.
Coherence Between ITSM, CMDB and PAM: An Additional Protection
This perfect synchronization between the ITSM system’s Configuration Management DataBase (CMDB) and the deployed PAM solution proves very useful during post-incident analysis in order to rely on traces and evidence.
It makes it easier to identify fraudulent access to a target, especially when the actors are outsourced. Remote sessions need to incorporate the same level of control, approval, monitoring and oversight as internal sessions, so the mapping of the CMDB to the targets declared in the PAM solution adds further protection.
Thanks to the provisioning implemented in the PAM solution and linked to the CMDB, it is then possible to verify that an identified and authorized user is indeed trying to connect to the target specified in the ticket that was previously opened in the ITSM.
This consistency between CMDB, ITSM and PAM can be achieved in different stages depending on the level of integration the company wishes to implement:
- The first level of integration can be between the ITSM ticketing system and the PAM4ALL Bastion approval workflow. In this case, the objective is to establish the link thanks to a dedicated script that can automatically adapt to the different types of workflows on the ITSM side. Since these workflows differ depending on whether the ticket is an incident resolution or a service creation, the approval workflows on the PAM side must take this differentiation into account. Depending on their configuration, approvals can also be automatic or manual, with dynamic authorization support.
- It is also possible to establish a second level of tight integration between the CMDB and PAM at the resource level, with API calls from the PAM solution. In this case, Bastion provisioning can be done in conjunction with the CMDB. This level of integration adds an extra level of protection, for example, by checking that the person requesting approval has filled in a ticket on the ITSM side that concerns the same target as the one they wish to access through the Bastion.
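The following Python script is an added illustration of the two integration levels described above, together with the audit-time correlation of sessions with ticket numbers discussed earlier on this page. It is not WALLIX Bastion code and it does not use any real ITSM or PAM API: the ticket store (`ITSM_TICKETS`), the CMDB-to-target mapping (`CMDB_TO_PAM_TARGET`), the per-workflow approval policy (`POLICY`) and the PAM session records (`PAM_SESSIONS`) are all constructed in-line as hypothetical stand-ins for the vendor APIs a real integration script would call. `evaluate_request` is the approval-time check (level 1 picks automatic or manual approval from the ticket's workflow type; level 2 verifies that the ticket's configuration item maps to the target being requested), and `audit_sessions` re-applies the same ticket/target correlation to recorded sessions so that sessions without a valid ticket, or on a different target than the ticket describes, are flagged for the auditor.

```python
"""Added example of an ITSM/CMDB-backed approval check for PAM access requests.
Not WALLIX code; all data sources below are constructed, hypothetical stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed ITSM ticket store (hypothetical; a real script would query the ITSM API).
# 'kind' is the workflow type (incident vs change/service request), 'ci' the CMDB item.
ITSM_TICKETS = {
    "INC0001": {"kind": "incident", "state": "in_progress", "assignee": "alice", "ci": "srv-db-01"},
    "CHG0042": {"kind": "change", "state": "approved", "assignee": "bob", "ci": "srv-web-02"},
    "INC0002": {"kind": "incident", "state": "closed", "assignee": "alice", "ci": "srv-db-01"},
}
# Constructed CMDB mapping: configuration item -> target name declared in the PAM solution.
CMDB_TO_PAM_TARGET = {"srv-db-01": "db01.corp.example", "srv-web-02": "web02.corp.example"}
# Level-1 policy: approval mode and JIT window depend on the ITSM workflow type.
POLICY = {
    "incident": {"mode": "automatic", "window": timedelta(hours=4)},
    "change": {"mode": "manual", "window": timedelta(hours=8)},
}
OPEN_STATES = ("in_progress", "approved")
# Fixed clock for reproducible runs (constructed).
DEMO_NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


@dataclass
class Decision:
    allowed: bool            # True only when access may be granted immediately
    mode: str                # "automatic", "manual" (pending approver) or "denied"
    reason: str
    expires: Optional[datetime] = None   # end of the JIT window when granted/queued


def ticket_matches(user, pam_target, ticket_no):
    """Level-2 check: ticket exists, is assigned to the requester, and its CMDB item
    maps to the very target being requested. Returns (ticket or None, reason)."""
    ticket = ITSM_TICKETS.get(ticket_no)
    if ticket is None:
        return None, f"ticket {ticket_no} not found in ITSM"
    if ticket["assignee"] != user:
        return None, f"{user} is not the assignee of {ticket_no}"
    expected = CMDB_TO_PAM_TARGET.get(ticket["ci"])
    if expected != pam_target:
        return None, f"{ticket_no} concerns {expected}, request is for {pam_target}"
    return ticket, "ok"


def evaluate_request(user, pam_target, ticket_no, now):
    """Approval-time decision for a PAM access request that cites an ITSM ticket."""
    ticket, reason = ticket_matches(user, pam_target, ticket_no)
    if ticket is None:
        return Decision(False, "denied", reason)
    if ticket["state"] not in OPEN_STATES:
        return Decision(False, "denied", f"{ticket_no} is {ticket['state']}")
    policy = POLICY.get(ticket["kind"])
    if policy is None:
        return Decision(False, "denied", f"no approval policy for workflow '{ticket['kind']}'")
    expires = now + policy["window"]          # JIT access is bounded in time
    if policy["mode"] == "automatic":
        return Decision(True, "automatic", f"{ticket_no} ({ticket['kind']}) auto-approved", expires)
    return Decision(False, "manual", f"{ticket_no} ({ticket['kind']}) queued for manual approval", expires)


# Constructed PAM session records as an auditor would export them (hypothetical).
PAM_SESSIONS = [
    {"id": "S1", "user": "alice", "target": "db01.corp.example", "ticket": "INC0001"},
    {"id": "S2", "user": "bob", "target": "db01.corp.example", "ticket": "CHG0042"},
    {"id": "S3", "user": "carol", "target": "web02.corp.example", "ticket": None},
    {"id": "S4", "user": "alice", "target": "db01.corp.example", "ticket": "INC0002"},
]


def audit_sessions(sessions):
    """Post-incident correlation: map each session id to 'ok' or an audit finding."""
    findings = {}
    for s in sessions:
        if not s.get("ticket"):
            findings[s["id"]] = "no ticket reference"
            continue
        ticket, reason = ticket_matches(s["user"], s["target"], s["ticket"])
        findings[s["id"]] = "ok" if ticket else reason
    return findings


if __name__ == "__main__":
    for req in [("alice", "db01.corp.example", "INC0001"), ("bob", "web02.corp.example", "CHG0042"),
                ("alice", "web02.corp.example", "INC0001"), ("alice", "db01.corp.example", "INC0002")]:
        print(req, evaluate_request(*req, DEMO_NOW))
    for sid, finding in audit_sessions(PAM_SESSIONS).items():
        print(sid, finding)
```

Note that the audit join deliberately does not re-check the ticket state: a ticket closed after the intervention is the normal case for a session under review, whereas at request time a closed ticket is a denial. Session S4 therefore passes the audit, but the same user citing that closed ticket for a new connection is refused.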
As we have just seen, ITSM and PAM solutions are highly configurable by companies, so an integration project must be built according to the strategic objectives of each organization: a standardized ITSM/PAM integration does not exist as such.
Each company must list its needs in terms of priority, determine what is possible within the framework of its cybersecurity policy, customize its authorization or prohibition settings, define the desired automation, adapt its IT and business approval or delegation workflows, and above all not neglect the user experience.
Each integration must therefore involve, upstream, the teams managing the ITSM, those managing the PAM solution and, often, the devops team that works on the scripts.
Integrating Your PAM & ITSM Solutions, A Good Practice
Deploying a Privileged Access Management (PAM) solution enables robust monitoring of privileged access to critical IT infrastructures. To reduce the analysis and research time of IT and security teams, a relevant integration with an ITSM solution can facilitate the task by linking to the incident management or service creation request. It becomes possible to correlate the need for intervention with the interventions themselves.
The view of an action is thus complete, from the initial request when the ticket is created in the ITSM system, through the approval workflow, to the incident processing report and the video trace provided by the PAM solution: a key element in the event of an audit and in the context of regulatory compliance.