
Privilege Access Management in the Supply Chain

Many organizations have outsourced their IT and OT to external service providers. Generic parts of the infrastructure, such as the network and workplaces, as well as components such as process automation, have been entrusted to third parties for maintenance. Appropriate measures are required to control the work carried out by these external service providers.

Control over your external service providers

The Amsterdam Energy Company (AEB) has dozens of suppliers that manage specific IT and OT components. Increasingly, this management work is performed remotely, from the supplier's location or from a home office.

In this arrangement, the supplier has direct control over the following areas.

  • The lifecycle of the identities that carry out the management tasks, because these employees are employed by the supplier.
  • The rights needed to carry out the administrative tasks, and how those rights are used.
  • The security of the workstations used to perform the administrative tasks.
  • The security awareness of the employees who carry out the management tasks.

In order to give the organization control over the management tasks carried out by third parties, Navaio has implemented a PAM solution at AEB.

PAM implements the following functionalities.

Password Vault

The user of a privileged account must not know the current passwords of critical systems and applications. The PAM solution protects these credentials in a vault.

Password management (auto-generation, rotation, workflow approval)

Each time a privileged user requests access, the PAM solution generates a unique password for that specific session. For highly critical systems, an approval workflow can be applied.

Multi-Factor Authentication

The user is authenticated using a password and a second factor.

Remote Access

The PAM solution gives third-party employees remote access based on role-based access control (RBAC), without handing AEB domain credentials to these employees.

Session management

The PAM solution sets up a session for each individual privileged user. The session can be recorded as command-line activity and/or video, and it can also be watched live while it is in progress.

Real-time visibility and alerting

The PAM solution provides real-time insight into active sessions and flags possible misuse of privileged accounts based on behavioral analysis.

Emergency access

The PAM solution supports a break-glass procedure.

Auditing and Reporting

The PAM solution keeps a clear audit trail.
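As an added illustration (not part of the original case study, and not Delinea Secret Server or Microsoft Entra code), the following Python model shows the controls listed above working together: the requester never receives the vaulted password, every checkout mints a session-unique password, critical systems require approval by someone other than the requester, and each step lands in an audit trail. The system names and user ids are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

class AccessDenied(Exception):
    """Raised when a checkout fails the approval rule."""

@dataclass
class VaultedSystem:
    name: str
    critical: bool  # critical systems get the approval flow
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))

class PamBroker:
    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self.sessions = {}  # session id -> (user, system)
        self.audit = []     # append-only audit trail

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request_session(self, user, system_name, approver=None):
        system = self.systems[system_name]
        self._log("request", user=user, system=system_name)
        # Critical systems need a second person; self-approval does not count.
        if system.critical and (approver is None or approver == user):
            self._log("denied", user=user, system=system_name)
            raise AccessDenied(f"{system_name} requires approval by another person")
        if approver:
            self._log("approved", user=user, system=system_name, approver=approver)
        system.password = secrets.token_urlsafe(24)  # unique password for this session
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = (user, system_name)
        self._log("session_open", user=user, system=system_name, session=session_id)
        return session_id  # the user receives a handle, never the password

    def connect(self, session_id):
        user, system_name = self.sessions[session_id]  # broker injects the credential
        self._log("connect", session=session_id, recorded=True)
        return {"system": system_name, "as_user": user}

    def close_session(self, session_id):
        user, system_name = self.sessions.pop(session_id)
        self.systems[system_name].password = secrets.token_urlsafe(24)  # rotate on check-in
        self._log("session_close", user=user, system=system_name, session=session_id)
```

The audit list is what a reviewer would export to a SIEM: a denied checkout, an approval with the approver's identity, and the open/close pair of each recorded session.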

Solutions

Navaio uses Delinea's Secret Server and Microsoft Entra as its selected PAM products. In choosing between them, the following starting points were considered.

  • If the organization has a hybrid landscape with strict regulations regarding management of the supplier chain, Secret Server is an appropriate solution. Delinea's Secret Server is a SaaS solution and can be deployed in a relatively short time.
  • If the organization has all its workloads running in the Azure Cloud and also uses SaaS solutions, Microsoft Entra is a suitable solution.

These principles provide direction. If you want to know more about the different solutions, implementation methods and how they translate to your organization, please contact us.

 

Sander Baas

sander.baas@navaio.com


Key Factors

  • Controllability
  • Affordability
  • Governance
