Best practices for effective Privileged Access Management
It feels like almost every week, we hear of a new breach, and each week, we’re thankful it wasn’t our company. But how long can we dodge the breach bullet? No one wants to be the next headline, but what can we do to ensure that we aren’t?
The common denominator in virtually every breach is that somehow, someone who shouldn’t have access to your company’s system and data sources has found a way in. The bad guys are smart, creative and motivated, and can use even the smallest opening.
So how do we defend ourselves against these relentless attacks? A look at the tactics of bad actors may provide some insight.
Most breaches occur when someone procures the administrative credentials that come with every system. In order to run most technologies, there must be a system account that provides the high-level access entitlements necessary to set up, maintain and operate the system.
Risk is heightened, and a breach is more likely, when these accounts (or rather their passwords) are shared across multiple individuals, operate with little or no oversight, and are assigned with no consideration of whether the user should have access at all and how much access is appropriate.
Bad actors will go to extreme measures to get their hands on these accounts. Phishing of regular user credentials followed by a series of lateral movement and permission escalation activities is a very common method. However, mismanagement of these passwords is just as dangerous. Many breaches result from someone keeping a credential long after they need it or simply deciding to do something bad with the permission they have.
It all boils down to three common symptoms:
- Anonymity -- By default, most admin accounts are shared across any and all employees that may need them. This means that if something bad happens, you can only narrow it down to the population of people with access to the shared account. This makes it very difficult to find imposters posing among the legitimate users.
- Complexity -- Often, efforts to eliminate anonymity result in increased complexity, more manual processes, an increase in human error, and in turn, users looking for ways around your security measures to facilitate more efficient performance of their job.
- Lack of visibility -- With native tools and widely diverse systems, it is extremely difficult to know who has rights to what, if those permissions are appropriate, and how and when those entitlements were granted.
One of the best ways to address these challenges is to implement a comprehensive and modern privileged access management (PAM) program. Most of us use pieces of PAM in our security program. For example, most Unix/Linux organizations implement the open source sudo tool to delegate the root account and eliminate password sharing. But as history has shown, while limited PAM is better than no PAM, it isn’t close to good enough.
There are some technologies and practices that can close the gaps and help you implement a strong PAM-based defense against breaches.
- Change the passwords -- Never use the default admin password on any system. If possible, change the password after each use.
- Don’t share the passwords -- Implement a password vault to overcome the anonymity of shared credentials. The best vaults include policy-based workflows and approvals to ensure that when someone logs in with a superuser account, you know who they are and you have approved that access. They will also automatically change the password after each use. Don’t limit it to access by admins; the whole world of service accounts and application-to-application access must be addressed as well.
- Monitor access -- It isn’t enough to just vault and change the password. Ensure that you know what is being done with the permissions you issue through the vault. This not only provides a real-time view of current activity, but also gives you forensic evidence to find and remediate the cause should something occur.
- Use analytics -- Controlling access and monitoring activity are great PAM approaches that deal with ongoing activity, but what about potential risk? The latest PAM principles include analytics. Identity analytics looks at the cumulative collection of permissions and finds instances where rights and entitlements are out of line with peers or industry best practices, or have escalated unexpectedly (easily detecting a bad actor waiting to act badly). Privileged behavior analytics combines with session monitoring to preemptively find anomalous activities and remove the risk.
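As an added illustration (not code from the article or from One Identity) of how vault check-out records close the anonymity gap and support session monitoring: the script below correlates constructed vault check-outs with constructed host login events for a shared root account, attributes each login to the person who held the account at that time, and flags logins that nobody had checked out or that several people could have made. The record formats and field names are assumptions.

```python
from datetime import datetime

# Constructed sample vault check-out records (hypothetical format):
# (individual, shared account, host, check-out time, check-in time)
CHECKOUTS = [
    ("alice", "root", "db01",  "2024-03-01T09:00:00", "2024-03-01T09:45:00"),
    ("bob",   "root", "web02", "2024-03-01T13:10:00", "2024-03-01T13:30:00"),
    ("carol", "root", "web02", "2024-03-01T13:00:00", "2024-03-01T13:20:00"),
]

# Constructed sample host login events for the shared account:
# (shared account, host, login time)
SESSIONS = [
    ("root", "db01",  "2024-03-01T09:05:00"),  # inside alice's check-out
    ("root", "web02", "2024-03-01T13:12:00"),  # bob and carol both hold it
    ("root", "db01",  "2024-03-01T22:40:00"),  # nobody checked it out
]

def _ts(s):
    return datetime.fromisoformat(s)

def attribute_sessions(checkouts=CHECKOUTS, sessions=SESSIONS):
    """Attribute each shared-account login to the individual(s) who had the
    account checked out of the vault on that host at that time.

    status is 'attributed' (exactly one holder), 'ambiguous' (overlapping
    check-outs, so the vault did not enforce exclusive use) or 'unattributed'
    (no check-out at all: the password was used outside the vault)."""
    results = []
    for account, host, login in sessions:
        t = _ts(login)
        holders = sorted(
            person for person, acct, h, start, end in checkouts
            if acct == account and h == host and _ts(start) <= t <= _ts(end)
        )
        if len(holders) == 1:
            status = "attributed"
        elif holders:
            status = "ambiguous"
        else:
            status = "unattributed"
        results.append({"account": account, "host": host, "login": login,
                        "holders": holders, "status": status})
    return results

def needs_review(results):
    """Logins the vault cannot tie to one person; these are alert candidates."""
    return [r for r in results if r["status"] != "attributed"]

if __name__ == "__main__":
    for r in attribute_sessions():
        print(r["status"], r["account"] + "@" + r["host"], r["login"], r["holders"])
```

In a real deployment the check-out records come from the vault's audit log and the login events from the host (or from session recording), and every unattributed or ambiguous login is the anonymity problem the article describes, surfaced as an alert.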
Let privileged access management become your ally at the front lines of your battle to prevent incidents, secure your enterprise, and avoid the breach headline nightmare.
Todd Peterson is product manager, One Identity.