At its recent Security and Risk Management Summit, Gartner laid out the top 10 security projects that chief information security officers (CISOs) should concentrate on in 2018, and privileged account management (PAM) topped the list. Gartner isn't alone in asserting the importance of managing privileged accounts; many other firms and security experts make the same case.
Privileged accounts, despite being a vital part of an organization's network, remain poorly protected and mostly ignored by IT teams, making them easy targets for cybercriminals. With that in mind, here is a set of must-dos that every organization's CISO should implement to drive a strong privileged account protection program.
The first step to secure and manage your organization's privileged accounts is to discover all critical assets on your corporate network, as well as the associated accounts and credentials. As your organization grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy.
Do away with localized, siloed databases that are often maintained by various teams. More importantly, make sure employees stop writing down passwords on sticky notes or storing passwords in plaintext files. These practices are dangerous and lead to increased instances of outdated passwords and coordination issues, resulting in operational inefficiency. Instead, privileged accounts and credentials belonging to all departments should be catalogued in one centralized repository, and the stored credentials should be encrypted with a well-vetted algorithm such as AES-256 to guard against unauthorized access.
Once your organization's privileged accounts are securely locked in a vault, it's time to decide who should have the keys. You can do this by charting clear roles for the members of your IT team and making sure that each member's role gives them only the minimum required access privileges. A well-defined role-based access provisioning concept can go a long way towards ensuring that all activities around the vault are traceable to authorized employees.
According to Symantec’s 2016 Internet Security Threat Report, 80 percent of breaches can be prevented by using multi-factor authentication. Implementing two-factor or multi-factor authentication for both PAM administrators and end users will guarantee that only the right people have access to sensitive resources.
Beyond eliminating security vulnerabilities related to loose role division, it's also important to implement secure sharing practices. For ultimate protection, your organization's PAM administrator should be able to provide employees or contractors access to IT assets without disclosing the credentials in plaintext. Users should instead be allowed to launch one-click connections to target devices from the PAM tool's interface, without viewing or manually entering the credentials.
Convenient as it may be for IT teams to use the same password for every privileged account on the network, this is an unhealthy practice that ultimately fosters a fundamentally insecure environment. Secure management of privileged accounts requires the use of strong, unique passwords that are periodically reset. You should make automatic password resets an integral part of your PAM strategy to get rid of unchanged passwords and protect sensitive resources from unauthorized access.
Establish a policy that forces users to send a request to your organization's PAM administrator whenever they require specific account credentials to access a remote asset. To further reinforce control, provision users only with temporary, time-based access to these credentials, with built-in options to revoke access and forcefully check in passwords when the stipulated time expires. For further security, you can also automatically reset passwords once users check them in.
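A minimal model of the checkout workflow in the two paragraphs above, written as an added example rather than code from any PAM product: access is granted for a fixed window, the password is reset on every check-in, expiry forces a check-in, and each action lands in an audit trail. The class and method names are assumptions for illustration; the timestamps are passed in explicitly so the behaviour is reproducible.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Checkout:
    user: str
    account: str
    expires_at: float   # epoch seconds when access is forcibly revoked

class PrivilegedVault:
    """Toy vault: time-bound checkout, forced check-in on expiry, reset on check-in."""

    def __init__(self, accounts):
        self.passwords = dict(accounts)  # account -> current password (constructed data)
        self.checkouts = {}              # account -> active Checkout
        self.audit = []                  # (event, user, account) trail for every action

    def _release(self, account, event):
        """Close an active checkout and rotate the password so it cannot be reused."""
        co = self.checkouts.pop(account)
        self.passwords[account] = secrets.token_urlsafe(24)
        self.audit.append((event, co.user, account))

    def expire_stale(self, now):
        """Forcefully check in every credential whose time window has passed."""
        for account, co in list(self.checkouts.items()):
            if now >= co.expires_at:
                self._release(account, "forced_checkin")

    def checkout(self, user, account, ttl_seconds, now):
        """Hand out the password for a limited time; one holder per account."""
        self.expire_stale(now)
        if account in self.checkouts:
            self.audit.append(("denied_in_use", user, account))
            return None
        self.checkouts[account] = Checkout(user, account, now + ttl_seconds)
        self.audit.append(("checkout", user, account))
        return self.passwords[account]

    def checkin(self, user, account):
        """Only the current holder may check in; every check-in triggers a reset."""
        co = self.checkouts.get(account)
        if co is None or co.user != user:
            self.audit.append(("denied_checkin", user, account))
            return False
        self._release(account, "checkin")
        return True
```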
Many applications require frequent access to databases and other applications to query business-related information. Organizations often automate this communication by embedding the application credentials in clear text within configuration files and scripts, but it's hard for administrators to identify, change, and manage these embedded passwords. As a result, the credentials are simply left unchanged so as not to hinder business productivity. Hard-coding credentials may make technicians' jobs easier, but it also gives attackers an easy launch point into an organization's network. Instead, your IT team can use secure APIs so that applications query your PAM tool directly whenever they need to retrieve privileged credentials for another application or a remote asset.
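As an added example (not code from any PAM tool), the scanner below finds the embedded plaintext credentials the paragraph describes in constructed config and script fragments, while treating references such as a vault:// URI or an injected variable as acceptable. The key list, the reference conventions and the vault-lookup command are assumptions.

```python
import re

# Keys that commonly carry secrets in config files and scripts (assumed list)
SECRET_KEYS = ("password", "passwd", "pwd", "secret", "api_key", "token")

# key = value, key: value, key="value"; case-insensitive, tolerant of quoting
_PATTERN = re.compile(
    r"""(?P<key>[\w.-]*(?:%s)[\w.-]*)\s*[=:]\s*['"]?(?P<value>[^'"\s#;]+)"""
    % "|".join(SECRET_KEYS),
    re.IGNORECASE,
)

# Values that point at a vault or an injected variable rather than a literal secret
# (assumed conventions: a vault:// URI, ${VAR}, $(lookup-cmd ...), %(interp)s)
_REFERENCE_PREFIXES = ("vault://", "${", "$(", "%(")
_PLACEHOLDERS = {"changeme", "<redacted>", "none", "null"}

def is_embedded_secret(value):
    """True when the value looks like a literal secret, not a reference."""
    v = value.strip()
    if v.lower() in _PLACEHOLDERS or v.isdigit():
        return False          # placeholder text or a numeric policy setting
    return not v.startswith(_REFERENCE_PREFIXES)

def find_embedded_credentials(text, source="<input>"):
    """Return (source, line_no, key) for each line holding a literal secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";", "//")):
            continue          # skip comment lines
        m = _PATTERN.search(line)
        if m and is_embedded_secret(m.group("value")):
            findings.append((source, line_no, m.group("key")))
    return findings

# Constructed samples: an app.ini fragment and a backup script
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
db_password = "S3cret!pass"
api_key: ${API_KEY}
service_token = vault://prod/reporting/token
password_min_length = 12
"""
SAMPLE_SCRIPT = """\
#!/bin/sh
export PGPASSWORD='hunter2'
BACKUP_TOKEN="$(vault-lookup backup/token)"   # vault-lookup is a hypothetical CLI
"""
```

Only the two literal values are reported; the vault reference, the environment variable and the numeric policy setting pass.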
When it comes down to it, comprehensive audit records, real-time alerts, and notifications are what make life easier. Capture every single user operation and establish accountability and transparency for all PAM-related actions. Integrating with an in-house event logging tool also helps by consolidating PAM activities with other events from the rest of your organization and by flagging unusual activity. This proves extremely useful in acquiring a comprehensive overview of security events and detecting breaches or insider exploits.
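An added example of the kind of unusual-activity detection the paragraph describes, run over a constructed PAM audit log in JSON-lines form; the event fields, the role entitlement map and the thresholds are assumptions, not any product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime
# Role entitlements (constructed): which account groups each role may check out
ENTITLEMENTS = {"dba": {"db"}, "netops": {"network"}, "helpdesk": set()}
BUSINESS_HOURS = range(8, 18)   # assumed: checkouts outside 08:00-17:59 UTC are unusual
BURST_LIMIT = 3                 # assumed: more than 3 checkouts per user per window
BURST_WINDOW_S = 300

def parse_events(lines):
    """Parse one JSON object per line (the format is assumed, not a product's)."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def detect(lines):
    """Return (rule, user, detail) alerts for checkouts that look unusual."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of checkouts in the window
    for e in parse_events(lines):
        if e["action"] != "checkout":
            continue
        user, account = e["user"], e["account"]
        # 1. Checkout of an account group the user's role is not entitled to
        if e["group"] not in ENTITLEMENTS.get(e["role"], set()):
            alerts.append(("out_of_role", user, account))
        # 2. Checkout outside business hours
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, account))
        # 3. Burst of checkouts by one user inside a sliding window
        window = [t for t in recent[user] if (e["ts"] - t).total_seconds() <= BURST_WINDOW_S]
        window.append(e["ts"])
        recent[user] = window
        if len(window) > BURST_LIMIT:
            alerts.append(("burst", user, len(window)))
    return alerts
# Constructed log: normal DBA use, a netops burst, a helpdesk user pulling a router credential at night
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:02:00+00:00", "user": "alice", "role": "dba", "action": "checkout", "account": "db-admin", "group": "db"}
{"ts": "2024-05-06T09:05:00+00:00", "user": "alice", "role": "dba", "action": "checkin", "account": "db-admin", "group": "db"}
{"ts": "2024-05-06T10:00:00+00:00", "user": "bob", "role": "netops", "action": "checkout", "account": "core-rtr-1", "group": "network"}
{"ts": "2024-05-06T10:01:00+00:00", "user": "bob", "role": "netops", "action": "checkout", "account": "core-rtr-2", "group": "network"}
{"ts": "2024-05-06T10:02:00+00:00", "user": "bob", "role": "netops", "action": "checkout", "account": "edge-fw-1", "group": "network"}
{"ts": "2024-05-06T10:03:00+00:00", "user": "bob", "role": "netops", "action": "checkout", "account": "edge-fw-2", "group": "network"}
{"ts": "2024-05-06T22:40:00+00:00", "user": "carol", "role": "helpdesk", "action": "checkout", "account": "core-rtr-1", "group": "network"}
"""
```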
Executing these must-dos isn't going to be an end-all solution to security—there's always more to be done. According to Verizon's 2018 Data Breach Investigations Report, 201 of the 2,216 confirmed data breaches in 2017 were due to privilege abuse. A statistic like that calls for organizations to record and monitor privileged sessions as a way to stay vigilant and detect unusual access. Your organization should leverage a strong privileged account management plan to build an even more advanced privileged identity and access management strategy that establishes wider boundaries and creates an impenetrable defense.