The bastion, an essential step in your security approach

What is the purpose of a bastion solution?

The favourite target of cybercriminals remain login credentials (login and password). Why is it an interesting target? To take advantage of an id theft to elevate its privileges in order to corrupt a server or harm on an even larger scale. It is therefore necessary to protect these privilege accounts.

This is where the notion of PAM, Privileged Access Management, comes in. PAM answers the question: How do I manage privileged accounts transparently and securely ? An extension of the vast field of IAM (Identity Access Management), the PAM has given birth to well-known technical solutions today such as bastions published by Wallix or CyberArk for example.

These solutions have made it possible to industrialize the safe management of accounts around 3 main themes:

• Traceability
• Password management (storage and rotation)
• Detection of abnormal behavior

These solutions have developed rapidly these years, to the point of becoming a relevant solution for SMEs.

What a bastion does

A bastion solution, therefore, has three main objectives:

• Ensure traceability of privileged accounts: it is essential to know who is doing what and when to detect abnormal activity. The bastion allows you to track all the actions of the supervised accounts, or even for some to record the screen and the session. In the event of an attack or compromise, it is thus possible to know precisely the extent of the damage.
• Manage password storage and rotation : with vault functions, bastion solutions help protect passwords, like a password manager such as Keepass. The user will only have to connect to an account to be able to find all this information. These solutions also know how to manage an essential part of password hygiene: rotation. The bastion is able, at a defined interval, to generate new passwords. The famous “admin” password may be known only from the bastion and be of greater complexity.
• Detect abnormal behavior of privileged accounts : since bastions can track users’ actions, it’s easy for them to compare behaviors to those defined as normal. Connections are thus detected from foreign IPs or at undue hours, which can be signs of compromise or attack.

Our tips for a successful Bastion integration

• Choose the solution that meets your needs while respecting its philosophy: each solution has its specificities and it must be in line with your current choices and constraints as well as your roadmap. This is true for any technical solution but remains essential for such a project. You will indirectly transmit the keys of your IS to this component, which will become very sensitive. For example, if your activity is sensitive, you could opt for a product labeled CSPN by ANSSI.

• Identify the key players during the project and communicate the benefits and impacts of a Bastion : to facilitate the adoption of such a solution it is necessary to anticipate the obstacles that may appear upstream. It is therefore necessary to explain the objectives and challenges of such a project. A bastion project is, in our experience, as technical as it is organizational. You will switch from passwords sent by email to a solution that allows administrators to respect security rules. Their habits will be changed ! Then plan a sequence of accompaniment and awareness, explaining why you are leading this project, how it is cut and what it brings.
• Create a solid roadmap : bastion projects are often large projects. It is therefore necessary to start with a reasonable perimeter and take the time to scale up. The objective of a batch approach is to allow each group of users to take ownership of the solution in its use and administration. If you proceed by successive change of scale you will be able to use the experience acquired at each stage to facilitate the transition to the future.
• Choose an agile and experienced integrator: Define your needs, choose the right solution and deploy it serenely… so many structuring subjects that can be accelerated and simplified by relevant support. The goal is not simply to “plug in the wires”. It is necessary to understand how and by whom the solution will be used to choose it at best and achieve a real transfer of knowledge.