Privileged Access Management (PAM) at CMS
Published: 8/18/2025
Least privilege is critical to securely managing privileged access to data. CMS Application Development Organizations (ADOs) should manage privileged access for both human and non-human identities.
What is Privileged Access Management (PAM)?
Privileged Access Management (PAM) is the continuous, real-time control and monitoring of accounts with elevated permissions, ensuring they are only used for necessary tasks and are never implicitly trusted. PAM is built on the principle of 'least privilege', a security concept that dictates that a user, application, or system process should only be granted the minimum permissions necessary to perform its specific tasks and nothing more. According to the latest HHS OCIO Access Control (AC) Procedures, privileged accounts with elevated permissions to sensitive systems or data should only be granted the permissions they need. The OCIO procedures state that Application Development Organizations (ADOs) managing privileged access should:
"Compare the inventory to what is necessary to meet the organization’s mission, and then remove all unnecessary privileged accounts, unnecessary permissions for privileged accounts, conflicting permissions for privileged accounts, unnecessary user access to privileged accounts by the principle of least privilege, and perform automated reviews of privileged user access."
Why is PAM an important challenge for CMS?
PAM is significant for CMS because it directly supports the agency's mission to protect beneficiary data while enabling secure, efficient operations. By implementing systematic privileged access controls, CMS can maintain compliance with federal security mandates, reduce the risk of data breaches, and ensure that only authorized personnel have access to critical healthcare systems and sensitive information.
Implementing robust PAM is also challenging at agencies operating at CMS's scale. CMS Hybrid Cloud supports a wide range of ADOs with varied needs, which has led CMS's approach to PAM to be overly general so that it can accommodate many diverse use cases. The resulting "stock" Identity and Access Management (IAM) policies and roles were designed to be broad, with only critical restrictions (e.g., preventing the destruction of entire AWS accounts). While this broad access simplifies some administrative tasks, it significantly increases security risk by exposing sensitive services and data to too many internal personas.
Simultaneously, the OCIO AC Procedures emphasize the importance of systematically inventorying privileged accounts and permissions to enforce least privilege. Most ADOs are not currently performing this significant work.
In response to this challenge, the CMS Zero Trust Team has been working with ADOs to build granular, customized PAM policies for human and non-human users that adhere to OCIO procedures, enhance general security, and improve Zero Trust maturity. The Zero Trust Team's Privileged Access Management (PAM) initiative enables ADOs to address PAM through automated tooling in the CMS Zero Trust Forge, a GitHub-based React app designed to help ADOs secure their AWS environments by enforcing least-privilege access. It quickly advances Zero Trust maturity in the Identity pillar's Access Management function, granting ADOs at least Advanced maturity for Developers, with as little toil as possible.
What else does PAM allow us to do?
Implementing a PAM framework goes far beyond meeting compliance requirements. When ADOs transition away from overly permissive roles to least-privilege access, they unlock powerful new capabilities that transform security operations:
- Security automations for suspicious access are available via Security Hub or Splunk
- Rapid and accurate provisioning and deprovisioning of users
- Customized session management
- Dramatically enhanced logging
... all of which substantially improve Zero Trust maturity!
PAM roles for Non-Person Entities (NPEs)
Building on the concept of Privileged Access Management (PAM) for human users, the ISPG Zero Trust team advises ADOs to secure their Cloud and Hybrid Cloud environments by enforcing least-privilege access for machine-to-machine interactions and Non-Person Entities (NPEs). The CMS Zero Trust Forge helps ADOs create and manage these roles with minimal effort. Using these roles quickly advances Zero Trust maturity in multiple pillars of the CMS Zero Trust maturity model.
IAM Roles for NPEs
IAM roles for NPEs link an IAM role to a service or service account in a cloud or hybrid cloud environment, particularly in containerized environments (like Kubernetes). This approach allows workloads to have defined access permissions to AWS services without distributing long-lived sensitive AWS credentials. This adds another layer of authentication and authorization, ensuring each service account only has the permissions it needs and nothing more.
A gateway to Zero Trust maturity
By implementing IAM roles for NPEs, ADOs create a foundation for Zero Trust that combines preventive security measures (least privilege, micro-segmentation) with detective capabilities (enhanced logging, visibility), ultimately strengthening CMS's overall cybersecurity posture while protecting sensitive healthcare data.
Securing CI/CD processes
Creating PAM roles for services also helps secure your Continuous Integration / Continuous Deployment (CI/CD) processes. A service role, created through the CMS Zero Trust Forge, can be configured to grant a CI/CD pipeline (like those in GitHub Actions or Jenkins) the minimal permissions needed to deploy an application. For example, a role could be scoped to only allow deployments to a specific Amazon S3 bucket or an Amazon Elastic Container Service (Amazon ECS) cluster.
This eliminates the need to store static, long-lived AWS credentials in the CI/CD platform, reducing the attack surface and minimizing the risk of human error. It ensures the deployment process is authenticated and authorized with the least privilege necessary, limiting the potential blast radius if a build tool is compromised. This approach manages machine-to-machine interactions and enables more fine-grained controls, elevating overall cybersecurity resilience.
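As an added example (not code from this page or from the CMS Zero Trust Forge), the following Python builds the two IAM policy documents such a CI/CD service role needs: a trust policy that lets only one GitHub repository's main branch assume the role through OIDC federation, and a permissions policy scoped to a single S3 bucket. It also includes the kind of automated wildcard review the OCIO procedures call for, and it applies equally to the NPE roles described earlier, since those differ only in the trusted identity provider. The account ID, repository and bucket names are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the page: replace with real ones.
ACCOUNT_ID = "123456789012"
GITHUB_REPO = "example-org/example-app"

def github_oidc_trust_policy(account_id, repo, branch="main"):
    """Trust policy: only GitHub Actions runs from one repo and branch may assume
    the role via OIDC federation, so no static AWS keys live in the pipeline."""
    provider = f"arn:aws:iam::{account_id}:oidc-provider/token.actions.githubusercontent.com"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub": f"repo:{repo}:ref:refs/heads/{branch}",
        }},
    }]}

def s3_deploy_policy(bucket):
    """Permissions scoped to one deployment bucket: ListBucket on the bucket ARN,
    object actions only on objects inside it, nothing else in the account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}

def overbroad_statements(policy):
    """Automated review: indexes of Allow statements whose Action is a bare or
    service-wide wildcard (e.g. "*" or "s3:*") or whose Resource is "*"."""
    flagged = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    print(json.dumps(github_oidc_trust_policy(ACCOUNT_ID, GITHUB_REPO), indent=2))
    print(overbroad_statements(s3_deploy_policy("deploy-artifacts-bucket")))  # []
```

Running the review over a "stock" policy such as `{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}` flags it, while the scoped deployment policy passes clean.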
About the publisher:
The Zero Trust Team works to help CMS implement the Executive Order that requires continuous verification of system users to promote stronger security. We introduce new tools and streamline processes to support the transition to Zero Trust throughout the enterprise.