PAM in Active Directory & Entra (Azure AD)

If you don’t know PAM (privileged access management): in Active Directory it is, while better than it was, “limited”. Microsoft’s on-premises answer is MIM PAM, which relies on a separate bastion forest. The story in Entra ID (Azure AD) and the cloud is a lot better, largely because of Privileged Identity Management (PIM) and its just-in-time role activation. (This blog post needs an update.)

gMSAs, or Group Managed Service Accounts, are the way to go for service accounts, if you can. “If you can” depends on whether the application/service supports them: AD generates and rotates the password and only authorised hosts can retrieve it, so the application has to be able to run under an account whose password nobody ever types. Microsoft have guidance on everything, but the “current guidance” is here.
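As an added example (not code from the original post), the following PowerShell provisions a gMSA and restricts which hosts may retrieve its password. The domain contoso.local, the OU “Servers”, the member server SQL01 and the group name gmsaSQL-Hosts are assumptions for illustration; the script needs the ActiveDirectory module (RSAT) and a Domain Admin session.

```powershell
# Added example, not code from the original post: provisioning a gMSA and
# restricting which hosts may retrieve its password.
# Assumptions (hypothetical): domain contoso.local, an OU "Servers", a member
# server SQL01 that will run the service, and the ActiveDirectory module (RSAT)
# on the admin host. Run from a Domain Admin session.

Import-Module ActiveDirectory

# One-off per forest: the KDS root key from which every gMSA password is derived.
# -EffectiveImmediately backdates the key 10 hours so a lab can proceed at once;
# in production omit it and wait 10 hours for AD replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# A group of the hosts allowed to fetch the managed password. Keep it tight:
# every member can act as the account.
New-ADGroup -Name "gmsaSQL-Hosts" -GroupScope Global -GroupCategory Security `
    -Path "OU=Servers,DC=contoso,DC=local"
Add-ADGroupMember -Identity "gmsaSQL-Hosts" -Members (Get-ADComputer -Identity "SQL01")

# Create the gMSA. The password is generated by AD and rotated on the interval
# given here (it can only be set at creation); nobody ever sees it.
New-ADServiceAccount -Name "gmsaSQL" `
    -DNSHostName "gmsaSQL.contoso.local" `
    -PrincipalsAllowedToRetrieveManagedPassword "gmsaSQL-Hosts" `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -Path "OU=Servers,DC=contoso,DC=local"

# On SQL01, after a reboot so its Kerberos token includes the new group:
#   Install-ADServiceAccount -Identity "gmsaSQL"
#   Test-ADServiceAccount -Identity "gmsaSQL"    # True when the host can pull the password
# Then configure the service to log on as CONTOSO\gmsaSQL$ with a blank password.

# Review check: a broad principal here (e.g. "Domain Computers") hands the
# account to every machine in the domain.
Get-ADServiceAccount -Identity "gmsaSQL" -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

The last query is the one to run periodically: the retrieval principal list is the whole access control for the account, and it is the thing most often widened “temporarily” and never tightened again.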

Third-party PAM providers

There are a number of vendors in this space. It feels wrong to provide a static list, but I’m going to; however, please check your standard design/architecture resources for evaluating vendor offerings. I should do an architecture-selection blog post: creating test/evaluation criteria that are unbiased and meaningful for analysis isn’t easy (and no one mention adoption of new technology/capabilities!). Your organisation has standard tooling and shared services, and if the new capability doesn’t play nicely with them it’s going to create a royal pain in the arse.

Two common, independent vendor/product analysis providers are Forrester and Gartner.

List of vendors in the PAM space. This isn’t a definitive list; please let me know if you have any questions or comments, or feel a specific vendor should be added.

  • CyberArk PAM
  • ManageEngine PAM360
  • StrongDM
  • BeyondTrust
  • Delinea (Secret Server)
  • One Identity
  • Okta ASA (Advanced Server Access)
  • HashiCorp Boundary

A few suggestions for product/technology adoption are listed below. This isn’t a complete list, mind; it’s the rambling/thinking I had at 08:00 on a Wednesday.

  • What shared-services integrations do we need?
    • Example: existing architecture blueprints/standards
      • Backup/recovery
      • Application monitoring
      • Service management, including the impact of JML (joiners, movers, leavers) on who holds privileged access
      • Service lifecycle management
  • Scalability: this is less “challenging” than it used to be, but the limits and constraints of the service still need to be understood.
  • Availability requirements (I was trying not to use “requirements”).
  • Maturity of the vendor against our known integration elements
    • Support agreement/terms offered: do they meet our needs and commercial coverage? I didn’t say RFQ/RFC.

PAM architectures

Be aware (I suspect you are, but just in case): please, please secure your PAM providers. Limit access to them, isolate them (that wonderful phrase: zero trust, assume breach), use strong authentication, log, please, please log, and allow and test the automation that locks out accounts when there is suspicious activity. Those principles/guidance apply to any PAM service. Vendors have used several terms over the years: red forest, bastion forest. The red forest is Microsoft’s ESAE model, since retired in favour of its privileged access strategy; the bastion forest is what MIM PAM uses. The point here is isolation of those privileged environments.
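As an added example (not code from the original post, and not any vendor’s product), the following PowerShell applies the principles above with AD-native controls: it isolates tier-0 accounts with Protected Users and an authentication policy silo, then logs and optionally disables any tier-0 logon from outside the privileged workstations. The group names Tier0-Admins and PAW-Hosts, the policy/silo names and the function name are assumptions for illustration; it assumes Windows Server 2012 R2 or later DCs and Kerberos armoring (FAST) enabled by GPO, which the AllowedToAuthenticateFrom restriction needs.

```powershell
# Added example, not code from the original post: AD-native isolation for
# tier-0 (privileged) accounts plus a detect-and-lock check over the Security log.
# Assumptions (hypothetical): groups "Tier0-Admins" (privileged user accounts)
# and "PAW-Hosts" (privileged access workstations and DCs), Server 2012 R2+ DCs,
# Kerberos armoring (FAST) enabled by GPO. Run as Domain Admin on a DC.

Import-Module ActiveDirectory

$tier0Admins = Get-ADGroupMember -Identity "Tier0-Admins"
$pawSid      = (Get-ADGroup -Identity "PAW-Hosts").SID.Value

# 1. Protected Users: no NTLM, no RC4/DES Kerberos, no delegation, 4-hour TGT.
#    Never add service or computer accounts, and keep the break-glass account out.
Add-ADGroupMember -Identity "Protected Users" -Members $tier0Admins

# 2. Authentication policy + silo: the KDC only issues a TGT to a tier-0 user
#    when the request comes from a member of PAW-Hosts (SDDL conditional ACE).
New-ADAuthenticationPolicy -Name "Tier0-Policy" -Enforce `
    -UserTGTLifetimeMins 240 `
    -UserAllowedToAuthenticateFrom "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($pawSid)}))"
New-ADAuthenticationPolicySilo -Name "Tier0-Silo" -Enforce `
    -UserAuthenticationPolicy "Tier0-Policy" `
    -ComputerAuthenticationPolicy "Tier0-Policy" `
    -ServiceAuthenticationPolicy "Tier0-Policy"
foreach ($admin in $tier0Admins) {
    Grant-ADAuthenticationPolicySiloAccess -Identity "Tier0-Silo" -Account $admin
    Set-ADAccountAuthenticationPolicySilo -Identity $admin -AuthenticationPolicySilo "Tier0-Silo"
}

# 3. Log, then automate the lockout: any logon (event 4624) by a tier-0 account
#    from outside PAW-Hosts in the last hour. WorkstationName is often blank for
#    Kerberos logons recorded on a DC, so the source IP is checked as well.
function Find-Tier0LogonOutsidePaw {
    param([switch]$Enforce)   # run without -Enforce first and review the output
    $tier0Names = $tier0Admins.SamAccountName
    $pawNames   = (Get-ADGroupMember -Identity "PAW-Hosts").Name
    $pawIps     = $pawNames | ForEach-Object {
        (Resolve-DnsName -Name $_ -Type A -ErrorAction SilentlyContinue).IPAddress }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($tier0Names -contains $d.TargetUserName -and
            $pawNames -notcontains $d.WorkstationName -and
            $pawIps -notcontains $d.IpAddress) {
            Write-Warning "Tier-0 logon: $($d.TargetUserName) from '$($d.WorkstationName)' $($d.IpAddress) at $($e.TimeCreated)"
            if ($Enforce) { Disable-ADAccount -Identity $d.TargetUserName }
        }
    }
}
Find-Tier0LogonOutsidePaw            # report only
# Find-Tier0LogonOutsidePaw -Enforce # disable offending accounts
```

Two caveats a practitioner will want: the silo and Protected Users membership will lock you out of your own PAWs if the PAW-Hosts group is wrong, so keep a break-glass account outside both, and run the detection in report-only mode for a while before letting it disable anything; a false positive here takes a tier-0 admin off the air.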

PAM Vendors

Please let me know how you found this, what you thought was useful, and what you and your company/organisation need; in short, how can I/we help each other?
