Privileged Account Management

Started by deanwebb, September 26, 2017, 09:04:38 AM


deanwebb

What are your ideas about best practices for Privileged Account Management (PAM)?

Here are some of mine:

1. Network devices - a VTY ACL will limit inbound SSH connections to only those from authorized IP addresses, such as management servers, integrated systems, and the like.

2. Devices that work with the network stuff - if the GUI can be integrated with Active Directory or whatever else you use, do so and be done with it. As for the CLI access on those things, consider a PAM system where you log in with an AD account and the PAM system will then record your session and log on with the root account for you. This keeps you from having to do too much to the system that might invalidate vendor support contracts. As for securing the local system, see if you can limit the IP addresses from which SSH sessions are permitted to the PAM servers and any other devices required by the vendor to communicate with it.

3. If the solution you use has different requirements for Unix boxes and network devices, get anything you have connected to the network defined as a network device, even if it's running a variant of Unix under the hood. The reason why is that your devices doing network things are NOT developer or production boxes running tons of VMs, scripts, apps, cron jobs, or things like that for the general business. Your network-connected device is there for the *network*, so it's a network device, not a Unix server.

Put another way, is your network *nix going to run any applications that handle financial data? Personal health information? Personally-identifying information? Trade secrets? Copyrighted works of recorded art? No? Then you do not have a server. You have a glorified router or something like that, and it's a *network* device, and it should be treated as such.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
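As an added illustration of points 1 and 2 above (this is example code written for this page, not something from deanwebb's post or from any vendor's tooling), here is a small audit script that reads an IOS-style configuration and checks whether every `line vty` block is restricted the way the post recommends: an inbound `access-class` is applied, the referenced ACL only permits the approved management sources (PAM servers, management hosts), there is an explicit logged deny, and `transport input` is SSH only. The configuration syntax assumed is Cisco IOS standard named ACLs and VTY lines; the two sample configs and all addresses are constructed for the example. The weak sample shows the states the audit is meant to catch: a VTY block with no ACL at all, telnet still enabled, and a second block whose ACL trusts an entire /8.

```python
"""Audit VTY access restrictions in an IOS-style config.

Added example, not from the forum post. Assumes IOS syntax for
'ip access-list standard', 'line vty', 'access-class ... in' and
'transport input'. Sample configs and addresses are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: both VTY ranges protected by a standard ACL, SSH only.
HARDENED_CONFIG = """\
ip access-list standard MGMT-SSH
 permit host 10.0.100.10
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
"""

# Constructed sample of the weak state: first block has no ACL and still
# accepts telnet; second block's ACL trusts a whole /8 nobody approved.
WEAK_CONFIG = """\
ip access-list standard VTY-IN
 permit 10.0.0.0 0.255.255.255
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class VTY-IN in
 transport input ssh
"""

# Constructed policy: the PAM host and the management subnet (hypothetical values).
APPROVED_SOURCES = {"host 10.0.100.10", "10.0.100.0 0.0.0.255"}

ACL_HEADER = re.compile(r"^ip access-list standard (\S+)$")
VTY_HEADER = re.compile(r"^line vty (\d+) (\d+)$")

# ACL entry: (action, source, logged); source is 'host A.B.C.D',
# 'A.B.C.D WILDCARD' or 'any'.
AclEntry = Tuple[str, str, bool]


def parse_config(text: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, Dict[str, str]]]:
    """Return (acls, vty_blocks) extracted from an IOS-style config text."""
    acls: Dict[str, List[AclEntry]] = {}
    vtys: Dict[str, Dict[str, str]] = {}
    acl: Optional[str] = None   # name of the ACL block we are inside, if any
    vty: Optional[str] = None   # label of the VTY block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # section separator
            acl = vty = None
            continue
        m = ACL_HEADER.match(line)
        if m:
            acl, vty = m.group(1), None
            acls[acl] = []
            continue
        m = VTY_HEADER.match(line)
        if m:
            vty, acl = f"vty {m.group(1)} {m.group(2)}", None
            vtys[vty] = {"access-class": "", "transport input": ""}
            continue
        if not line.startswith(" "):          # some other top-level command
            acl = vty = None
            continue
        words = line.split()
        if acl is not None and words[0] in ("permit", "deny"):
            logged = "log" in words[1:]
            source = " ".join(w for w in words[1:] if w != "log")
            acls[acl].append((words[0], source, logged))
        elif vty is not None:
            if words[0] == "access-class" and len(words) >= 3 and "in" in words[2:]:
                vtys[vty]["access-class"] = words[1]
            elif words[:2] == ["transport", "input"]:
                vtys[vty]["transport input"] = " ".join(words[2:])
    return acls, vtys


def audit_vty(text: str, approved_sources: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means every VTY block meets policy."""
    acls, vtys = parse_config(text)
    findings: List[str] = []
    if not vtys:
        findings.append("no 'line vty' blocks found")
    for name, props in vtys.items():
        transport = props["transport input"]
        if transport != "ssh":
            findings.append(f"{name}: transport input is '{transport or 'unset'}', expected 'ssh'")
        acl_name = props["access-class"]
        if not acl_name:
            findings.append(f"{name}: no inbound access-class, any reachable host may attempt SSH")
            continue
        if acl_name not in acls:
            findings.append(f"{name}: access-class {acl_name} references an undefined ACL")
            continue
        entries = acls[acl_name]
        for action, source, _ in entries:
            if action == "permit" and source not in approved_sources:
                findings.append(f"{name}: ACL {acl_name} permits unapproved source '{source}'")
        if not any(a == "deny" and s == "any" and logged for a, s, logged in entries):
            findings.append(f"{name}: ACL {acl_name} lacks an explicit 'deny any log' for rejected attempts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        result = audit_vty(cfg, APPROVED_SOURCES)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run it against exported configs from a backup or config-management repository; anything other than an empty finding list for a device is a gap between the VTY ACL you think is there and the one actually applied. The approved-source set is the place to encode the post's rule: only the PAM servers and the hosts the vendor needs should ever appear as permits.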