Five steps to mitigating privileged account risks: Getting ahead of a security breach
Privileged accounts are a necessity in all enterprise IT environments. Administrators must have enhanced privileges to manage the environment. Unfortunately, these privileged accounts bring high risk to a company’s network; in fact, recent research shows that almost half (44 percent) of all security breaches that happened in 2017 involved privileged account access.
There are a number of reasons these privileged accounts bring such high risk with them. For example, something as simple as a password reset can mistakenly grant a user full administrative rights that can be misused either intentionally or accidentally. These accounts are also inherently difficult to manage due to the high volume of users and systems that need access to the same credentials, making it difficult to keep the credentials secure. Luckily, there are some concrete, critical steps that an organization can take to minimize risk on its network and protect against privileged account misuse.
Step 1: Take full inventory of your privileged accounts, including the users and systems that use them
In order to mitigate the risks of privileged accounts, an enterprise must first know how many accounts there are on the network and which users need access to them. Careful inventory is a crucial first step.
With a comprehensive list of all privileged accounts and the users and systems that have access to them, an organization can accurately assess where it is most vulnerable to internal or external security breaches and accurately prioritize investigation and remediation of those vulnerabilities.
Step 2: Ensure your privileged passwords are stored securely
Once the inventory of all accounts and passwords for the privileged accounts is complete, the next step is to ensure those credentials are secure. One option is a password manager, which provides multiple security layers, including encryption, firewalls, and secure communication.
Password management technology can also help ensure that privileged credentials are provided to users who need them in a timely manner with appropriate approvals. If a password manager is not a viable option for your system, it is important to ensure that at a minimum all privileged passwords are encrypted and that accessing the credentials requires at least two layers of authentication.
Step 3: Enforce strict change management processes for privileged passwords
Ensuring passwords are changed on a regular basis is a proven best practice for tightening security. But when it comes to password change management for privileged accounts, bad practices -- such as, well, not changing them at all -- have become the norm.
Since these credentials are often hard-coded in scripts and applications, changing privileged passwords can be tedious and introduces the risk of important applications failing, which leads to a reluctance to do it at all.
To avoid failure, businesses should create a complete and accurate inventory of the scripts and applications that use privileged credentials. It also helps to invest in a software solution that can replace hard-coded passwords with programmatic calls that dynamically retrieve the account's credentials to reduce friction in the process.
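The script inventory described in Step 3 can start with a simple scan. The following is an added example, not part of the original article: the sample scripts, file names, and keyword list are constructed for illustration, and the pattern is an assumption to be tuned to your code base.

```python
import re

# Constructed sample scripts (fake values, not from any real system).
SAMPLE_SCRIPTS = {
    "backup.sh": 'export DB_USER=svc_backup\nDB_PASSWORD="Examp1e-Only!"\n'
                 'mysqldump -u"$DB_USER" -p"$DB_PASSWORD" crm\n',
    "deploy.py": 'import os\nAPI_TOKEN = os.environ["API_TOKEN"]\n'
                 'admin_passwd = "Examp1e-Only!"\n',
    "report.ps1": '$cred = Get-Credential\n# password is rotated quarterly\n',
}

# A variable whose name contains a credential keyword and that is assigned
# a quoted literal. Values containing "$" are skipped because they are
# variable expansions, not literals. The keyword list is an assumption.
CRED_ASSIGN = re.compile(
    r"""
    \b([\w$.-]*(?:password|passwd|pwd|secret|token)[\w-]*)  # variable name
    \s*[:=]\s*                                              # assignment
    (["'])[^"'$]{4,}\2                                      # quoted literal
    """,
    re.IGNORECASE | re.VERBOSE,
)


def inventory_hardcoded_credentials(scripts):
    """Return (file, line_no, variable) per finding; never the secret itself."""
    findings = []
    for name, text in sorted(scripts.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            if line.lstrip().startswith(("#", "//")):
                continue  # skip comment-only lines
            for match in CRED_ASSIGN.finditer(line):
                findings.append((name, line_no, match.group(1)))
    return findings


def scripts_blocking_rotation(findings):
    """Files that must be changed before the credential can be rotated safely."""
    return sorted({name for name, _, _ in findings})


if __name__ == "__main__":
    found = inventory_hardcoded_credentials(SAMPLE_SCRIPTS)
    for name, line_no, variable in found:
        print(f"{name}:{line_no}: hard-coded credential in {variable}")
    print("update before rotating:", scripts_blocking_rotation(found))
```

The report lists only the file, line, and variable name, so the inventory itself does not become another copy of the secrets.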
Step 4: Whenever possible, ensure individual accountability and least privileged access
Implementing best practices and abiding by compliance regulations requires both individual accountability and least privileged access. An organization must know exactly who has had access to what and when, and users should only be granted the level of access needed in order to perform their role’s tasks.
In doing this, a business can limit harmful actions, whether unintentional or malicious. Not all systems provide native tools that enable a system to enforce individual accountability and least-privileged access. If this is the case, a third-party solution can provide granular delegation and control.
Step 5: Audit use of privileged access on a regular basis
It is not enough to simply control what privileged users are allowed to do; it is also necessary to audit what those users are doing with their access. On a regular basis it’s important to generate and review reports that note when privileged passwords were changed and what potentially harmful commands have been used on each system, and by which users.
It is also important to institute a process for periodic certification to confirm that users who can gain or request access to privileged accounts should retain those abilities. Through regular auditing, reporting, and certification, an organization can better understand how well it is securing privileged accounts, discover areas for improvement and take steps to reduce risk.
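One way to produce the Step 5 report from sudo's syslog entries is shown below. This is an added example, not part of the original article: the log lines, host names, and users are constructed, and the watch list of commands is an assumption to adapt to your own policy.

```python
import os
import re
from collections import defaultdict

# Constructed sample log lines in sudo's syslog format.
SAMPLE_LOG = """
Mar  3 09:12:44 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd svc_backup
Mar  3 09:40:10 db01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
Mar  3 10:02:31 web02 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar  4 02:17:05 web02 sudo:    carol : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
Mar  4 02:20:00 web02 sshd[411]: Accepted publickey for carol
""".strip().splitlines()

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

PASSWORD_TOOLS = {"passwd", "chpasswd"}      # commands that change passwords
WATCHLIST = {"rm", "visudo", "usermod", "dd"}  # assumed list of risky commands


def audit(lines):
    """Return (password_changes, flagged_by_host_and_user, unparsed_count)."""
    password_changes = []
    flagged = defaultdict(lambda: defaultdict(list))
    unparsed = 0
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m:
            unparsed += 1  # not a sudo command record; count it, don't hide it
            continue
        tool = os.path.basename(m["cmd"].split()[0])
        if tool in PASSWORD_TOOLS:
            password_changes.append((m["ts"], m["host"], m["user"], m["cmd"]))
        elif tool in WATCHLIST:
            flagged[m["host"]][m["user"]].append(m["cmd"])
    return password_changes, {h: dict(u) for h, u in flagged.items()}, unparsed


if __name__ == "__main__":
    changes, flagged, skipped = audit(SAMPLE_LOG)
    for ts, host, user, cmd in changes:
        print(f"password change  {ts}  {host}  {user}  {cmd}")
    for host, users in sorted(flagged.items()):
        for user, cmds in sorted(users.items()):
            print(f"flagged command  {host}  {user}  {cmds}")
    print(f"{skipped} line(s) were not sudo command records")
```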
Privileged accounts present a high risk to all organizations, and managing access must be addressed in a thoughtful, practical, and balanced way. There is, unfortunately, no silver bullet for IT security, but implementing these five steps will set any business on the path to privileged account management best practice, arming it with the ability to assess its current security environment, identify gaps or vulnerabilities, and mitigate the risks.
Tyler Reese is Product Manager at One Identity. With more than 15 years in the IT software industry, Tyler Reese is extremely familiar with the rapidly evolving IAM challenges that businesses face. He is a product manager for the Privilege Account Management portfolio where his responsibilities include evaluating market trends and competition, setting the direction for the product line -- and ultimately, meeting the needs of end-users. His professional experience ranges from consulting for One Identity’s largest PAM customers to being a systems architect of a large company.