I was browsing through Hacker News and this article about a Critical Code Execution Flaw Found in CyberArk Enterprise Password Vault caught my attention.
I started thinking about how the risk could be mitigated. Managing privileged users or identities is a fundamental security task for all organizations, and many have already started using privileged access management (PAM) solutions, such as IBM Secret Server and CyberArk. In these solutions, privileged user IDs and credentials are locked in a digital vault and are only accessible through a PAM tool that has advanced logging and controls.
To sign into the PAM solution, it is considered a best practice to use multifactor authentication to provide assurance the user is who they say they are. Once authenticated to the PAM solution, you can access privileged IDs that will log you into the specific system requested, let’s say an IBM Z mainframe. The PAM solution controls the login credentials, so they are never known by the user, creating a perimeter defense around PAM.
What happens though, if the PAM solution is hacked or a disgruntled employee is able to escalate privileges via the PAM solution itself? This type of breach would allow access to all critical systems.
One way to mitigate this type of attack is to implement multifactor authentication for the privileged user IDs on the Z server that is being logged into. This would be considered additional hardening, much in line with the zero-trust principle. IBM Z Multi-Factor Authentication has the ability to do compound authentication, which allows a password and MFA credentials to be used together. This would allow the PAM solution to store the privileged ID password as customary and strengthen assurance by requiring an additional credential that the PAM solution never holds.
Here are the high-level steps:
1. User gets a change ticket to update z/OS.
2. User logs onto the Privileged Account Management system with at least two factors (something they have, are, and/or know). These credentials provide access to the PAM solution.
3. User navigates to the privileged ID required and checks it out against the change ticket record.
4. PAM solution prompts for an additional z/OS privileged user credential, which needs to be something they have or are.
5. PAM solution takes that credential, plus the stored password (something PAM knows) for the privileged ID, and logs the user into the system. This provides added assurance that the user is who they say they are and is authorized to log onto the target z/OS system.
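To make the split between the two factors concrete, here is an added simulation of the flow above. It is example code written for this post, not code from IBM Z Multi-Factor Authentication, CyberArk, or any PAM product. The `TargetSystem`, `PamVault` and `totp` names are constructed stand-ins: the vault holds only the privileged ID's password (something PAM knows), the user's token produces an RFC 6238 TOTP code (something they have), and the target accepts a login only when both are presented together. The password, seed and timestamp are constructed sample values.

```python
"""Compound authentication (password + TOTP) on a target system, simulated.

Added example, not product code. The point it demonstrates: a vault that
holds only the password cannot log in on its own, and a stolen password
without the user's token cannot either.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# ---- constructed sample data (not real secrets) ----
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_TOTP_SEED = b"constructed-seed-not-a-real-secret"
TOTP_STEP = 30
TOTP_DIGITS = 6


def totp(seed: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TargetSystem:
    """Stand-in for the z/OS side: keeps a salted password hash and the TOTP
    seed per privileged ID, and requires BOTH factors at login."""

    def __init__(self) -> None:
        self._accounts = {}

    def enroll(self, user_id: str, password: str, totp_seed: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[user_id] = (salt, pw_hash, totp_seed)

    def login(self, user_id: str, password: str, otp: str, now: Optional[int] = None) -> bool:
        """Compound authentication: the password AND a current TOTP code."""
        if user_id not in self._accounts:
            return False
        salt, pw_hash, seed = self._accounts[user_id]
        now = int(time.time()) if now is None else now
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        password_ok = hmac.compare_digest(candidate, pw_hash)
        # Reject malformed codes up front, then accept the current step and one
        # step either side to tolerate token clock skew.
        otp_ok = len(otp) == TOTP_DIGITS and otp.isdigit() and any(
            hmac.compare_digest(otp, totp(seed, now + d * TOTP_STEP)) for d in (-1, 0, 1)
        )
        return password_ok and otp_ok


class PamVault:
    """Stand-in for the PAM solution: holds only the privileged ID's password."""

    def __init__(self) -> None:
        self._vault = {}

    def store(self, user_id: str, password: str) -> None:
        self._vault[user_id] = password

    def checkout_and_login(self, target: TargetSystem, user_id: str,
                           user_otp: str, now: Optional[int] = None) -> bool:
        # PAM supplies the password it knows; the user supplies the code PAM does not have.
        return target.login(user_id, self._vault[user_id], user_otp, now)


def demo(now: int = 1_700_000_000) -> dict:
    """Run the three scenarios from the post at a fixed (constructed) time."""
    target = TargetSystem()
    target.enroll("PRIVID1", SAMPLE_PASSWORD, SAMPLE_TOTP_SEED)
    vault = PamVault()
    vault.store("PRIVID1", SAMPLE_PASSWORD)

    user_otp = totp(SAMPLE_TOTP_SEED, now)  # produced by the user's own token
    return {
        # normal checkout: vault password + user's current code
        "legit": vault.checkout_and_login(target, "PRIVID1", user_otp, now),
        # PAM side compromised: password available, no second factor to present
        "pam_only": vault.checkout_and_login(target, "PRIVID1", "", now),
        # second factor captured but the vaulted password is not known
        "otp_only": target.login("PRIVID1", "wrong-password", user_otp, now),
    }


if __name__ == "__main__":
    print(demo())  # legit: True, pam_only: False, otp_only: False
```

Because the target system verifies both factors itself, the assurance does not depend on the PAM tool being intact: a vault breach yields passwords that are unusable without the per-user token, which is the hardening the post argues for.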
Architected and implemented correctly, this is a comprehensive, elegant approach that won’t sacrifice user experience.