Asia's Source for Enterprise Network Knowledge

Monday, April 22nd, 2019


Nine essential elements for a strong privileged account management strategy

Internet of trusted things

Recent events in Singapore have shone a high-wattage spotlight on the issue of Privileged Account Management (PAM). Industry experts have been warning for years that enterprises should pay more attention to the management of privileged accounts. For example, a Forrester Wave report found that unmanaged, unmonitored privileged accounts are involved in 80% of security breaches. And the Ponemon Institute estimated the global average cost of a data breach in 2017 at US$3.62 million, with an average cost of US$141 for each lost or stolen record containing sensitive and confidential information.

Despite the warnings, research showed that more than one in five businesses in Singapore (22 percent) still depend on paper-based logbooks to manage privileged account passwords, while 90 percent say they face challenges managing such passwords. 55 percent admitted that they monitor only some of their privileged accounts, or none at all. Furthermore, 38 percent of IT security administrators had not changed a default admin password.

It should be obvious by now that restricting administrative privileges is a key cyber security strategy. Hackers looking for a way into an organization's network often target users who hold administrative privileges. A hacker who takes over a privileged account, including an unprotected or forgotten one, gains access to pretty much everything the account owner can reach. This is why privileged user accounts are considered the "keys to the kingdom."

However, despite regular reminders, many privileged accounts remain poorly protected, ignored, or mismanaged, making them easy targets. With that in mind, here is a list of essential policies that every IT manager or security administrator should implement to protect privileged accounts.

1) Track and consolidate all privileged accounts—old and new—with an automated discovery mechanism. The first step to secure and manage your organization's privileged accounts is to discover all critical assets on your corporate network, as well as the associated accounts and credentials. As your organization grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy. 
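As an added illustration of policy 1 (this is not code from the original article or from ManageEngine), the Go program below does the host-level part of such a discovery scan: it parses /etc/passwd and /etc/group, flags every account that is uid 0, has a privileged primary group, or is an explicit member of sudo, wheel, admin or docker, and reports which of those the central inventory does not know yet. The passwd and group contents, the inventory, and the choice to treat the docker group as root-equivalent are the example's own assumptions; a real scan would also cover directory services, databases, cloud IAM and network devices.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample data standing in for /etc/passwd and /etc/group pulled from one host.
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup-svc:x:1002:1002:Backup job:/var/backup:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
`

const sampleGroup = `root:x:0:
sudo:x:27:alice,backup-svc
wheel:x:10:
docker:x:998:bob
`

// PrivilegedAccount is one discovered account and the reasons it counts as privileged.
type PrivilegedAccount struct {
	Name   string
	Reason string
}

// privilegedGroups are treated as root-equivalent (an assumption of this example).
// sudo/wheel/admin grant root directly; docker is included because access to the
// daemon socket is root access in practice.
var privilegedGroups = map[string]bool{"root": true, "sudo": true, "wheel": true, "admin": true, "docker": true}

// DiscoverPrivileged parses passwd and group contents and returns every account that has
// uid 0, a privileged primary group, or explicit membership in a privileged group, sorted by name.
func DiscoverPrivileged(passwd, group string) []PrivilegedAccount {
	reasons := map[string][]string{}
	add := func(name, why string) { reasons[name] = append(reasons[name], why) }

	gidName := map[string]string{} // gid -> group name, for primary-group lookups
	for _, line := range strings.Split(group, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 4 || strings.HasPrefix(line, "#") {
			continue
		}
		gidName[f[2]] = f[0]
		if !privilegedGroups[f[0]] {
			continue
		}
		for _, member := range strings.Split(f[3], ",") {
			if member != "" {
				add(member, "member of "+f[0])
			}
		}
	}
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 7 || strings.HasPrefix(line, "#") {
			continue
		}
		if uid, err := strconv.Atoi(f[2]); err == nil && uid == 0 {
			add(f[0], "uid 0") // a second uid-0 account is a classic backdoor
		}
		if g, ok := gidName[f[3]]; ok && privilegedGroups[g] {
			add(f[0], "primary group "+g)
		}
	}
	out := make([]PrivilegedAccount, 0, len(reasons))
	for name, why := range reasons {
		out = append(out, PrivilegedAccount{name, strings.Join(why, ", ")})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// NewAccounts returns the discovered accounts that the central inventory does not know yet,
// which is what each scheduled scan should add to the vault (or raise for review).
func NewAccounts(found []PrivilegedAccount, inventory map[string]bool) []string {
	var fresh []string
	for _, a := range found {
		if !inventory[a.Name] {
			fresh = append(fresh, a.Name)
		}
	}
	return fresh
}

func main() {
	found := DiscoverPrivileged(samplePasswd, sampleGroup)
	inventory := map[string]bool{"root": true, "alice": true} // what the vault already holds
	for _, a := range found {
		fmt.Printf("%-12s %s\n", a.Name, a.Reason)
	}
	fmt.Println("not yet in inventory:", NewAccounts(found, inventory))
}
```

Run on a schedule, the "not yet in inventory" list is what gets pushed into the vault or raised for review. The second uid-0 account (toor) and the service account that quietly acquired sudo membership are exactly the kind of accounts a discovery pass exists to catch; neither would show up in a paper logbook.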

2) Store privileged accounts in a secure, centralized vault. Do away with localized, siloed databases that are often maintained by a number of different teams. And make sure employees stop writing down passwords on sticky notes or storing them in plaintext files! These practices are dangerous, and they also lead to outdated passwords and coordination problems, resulting in operational inefficiency. Instead, privileged accounts and credentials belonging to all departments should be catalogued in one centralized repository. Further, encrypt the stored credentials with a well-vetted algorithm such as the Advanced Encryption Standard (AES-256), so that a copy of the vault's database is useless to anyone who does not also hold the key.

3) Establish clearer roles with limited access privileges. Once your organization's privileged accounts are securely locked in a vault, it's time to decide who should have the keys. A rule of thumb is to restrict administrative privileges to operating systems and applications based on user duties. You can do this by charting clear roles for the members of your IT team and making sure that privileged accounts are not used for routine tasks such as reading email or web browsing. Each member's role should grant only the minimum access privileges required.

4) Insist on multi-factor authentication for employees and third parties alike. According to Symantec's 2016 Internet Security Threat Report, 80 percent of breaches can be prevented by using multi-factor authentication. Implementing two-factor or multi-factor authentication for both PAM administrators and end users helps ensure that only the right people have access to sensitive resources.

5) Share privileged account credentials without revealing them in plaintext. Beyond eliminating the security weaknesses that arise from lax role allocation, it's also important to implement secure sharing practices. For the strongest protection, your organization's PAM administrator should be able to give employees or contractors access to IT assets without disclosing the credentials in plaintext. Users should instead launch one-click connections to target devices from the PAM tool's interface, without viewing or manually entering the credentials.

6) Enforce strict policies for automatic password resets. It may be convenient for IT teams to use the same password for every privileged account on the network, but this is an unhealthy practice that creates a fundamentally insecure environment: one leaked password then opens every account. Secure management of privileged accounts requires strong, unique passwords that are periodically reset. Automatic password resets should form an integral part of your PAM strategy to get rid of unchanged passwords and protect sensitive resources from unauthorized access.

7) Fine-tune your access policy by adding release controls for password retrieval. Establish a policy that requires users to send a request to your organization's PAM administrator whenever they need specific account credentials to access a remote asset. Reinforce control by provisioning users with only temporary, time-based access to these credentials, with built-in options to revoke access and forcibly check passwords back in when the stipulated time expires. For further security, you can also automatically reset passwords once users check them in.
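To make policies 2, 5, 6 and 7 concrete, here is an added example (not the article's or ManageEngine's code) of a minimal vault in Go: credentials are stored only as AES-256-GCM ciphertext, a user checks an account out for a limited time, the vault decrypts only to hand the password to a connector (standing in for the PAM tool's SSH/RDP launcher) rather than to the user, and check-in, whether voluntary or forced after the TTL expires, rotates the password. The account and user names, the connector callback and the 32-byte master key are assumptions of the example; a production vault keeps the master key in an HSM or KMS, not in the same database as the secrets.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

type record struct {
	sealed  []byte    // nonce || AES-256-GCM ciphertext of the password
	holder  string    // user holding the current checkout, "" if none
	expires time.Time // when that checkout ends
}

// Vault keeps credentials encrypted at rest and hands plaintext only to a connector, never to a user.
type Vault struct {
	aead    cipher.AEAD
	records map[string]*record
	Audit   []string         // one line per operation, refusals included
	Now     func() time.Time // clock; replaceable so expiry can be tested
}

// NewVault takes a 32-byte master key (AES-256); in production it comes from an HSM or KMS.
func NewVault(masterKey []byte) (*Vault, error) {
	if len(masterKey) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, _ := aes.NewCipher(masterKey) // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block)      // cannot fail for an AES block
	return &Vault{aead: aead, records: map[string]*record{}, Now: time.Now}, nil
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: stop rather than continue with weak randomness
	}
	return b
}

func (v *Vault) seal(account, password string) []byte {
	nonce := randBytes(v.aead.NonceSize())
	// The account name is authenticated data: a ciphertext copied onto another record will not open.
	return v.aead.Seal(nonce, nonce, []byte(password), []byte(account))
}

func (v *Vault) log(actor, action, account string) {
	v.Audit = append(v.Audit, v.Now().Format(time.RFC3339)+" "+actor+" "+action+" "+account)
}

// Store creates or rotates an account's credential; only the sealed form is kept.
func (v *Vault) Store(actor, account, password string) {
	v.records[account] = &record{sealed: v.seal(account, password)}
	v.log(actor, "store", account)
}

// Checkout grants actor exclusive, time-limited use of an account (policy 7) and returns no secret.
func (v *Vault) Checkout(actor, account string, ttl time.Duration) error {
	r, ok := v.records[account]
	if !ok || (r.holder != "" && r.holder != actor && v.Now().Before(r.expires)) {
		v.log(actor, "checkout-denied", account)
		return errors.New("account unknown or held by another user")
	}
	r.holder, r.expires = actor, v.Now().Add(ttl)
	v.log(actor, "checkout", account)
	return nil
}

// Connect is the one-click launch (policy 5): the vault decrypts and passes the credential
// straight to the connector (the PAM tool's SSH/RDP launcher), never to the requesting user.
func (v *Vault) Connect(actor, account string, connector func(user, password string) error) error {
	r, ok := v.records[account]
	if !ok || r.holder != actor || !v.Now().Before(r.expires) {
		v.log(actor, "connect-denied", account)
		return errors.New("no valid checkout")
	}
	password, err := v.aead.Open(nil, r.sealed[:v.aead.NonceSize()], r.sealed[v.aead.NonceSize():], []byte(account))
	if err != nil {
		return err
	}
	v.log(actor, "connect", account)
	return connector(account, string(password))
}

// Checkin ends a checkout and rotates the password at once (policy 6). The holder may check in
// any time; anyone else only after the TTL has run out, which is how a sweeper forces the check-in.
func (v *Vault) Checkin(actor, account string) error {
	r, ok := v.records[account]
	if !ok || r.holder == "" || (r.holder != actor && v.Now().Before(r.expires)) {
		v.log(actor, "checkin-denied", account)
		return errors.New("not checked out, or still held by another user")
	}
	r.holder, r.sealed = "", v.seal(account, base64.RawURLEncoding.EncodeToString(randBytes(24))) // 192 fresh random bits
	v.log(actor, "checkin-rotate", account)
	return nil
}
```

A typical sequence is NewVault(key), Store("pam-admin", "db-prod/root", initialPassword), Checkout("alice", "db-prod/root", 10*time.Minute), Connect("alice", "db-prod/root", launcher) and finally Checkin. Note what the shape enforces: Checkout never returns the secret, Connect refuses a checkout whose TTL has passed, a second user cannot take an account that is still held, and every call, refusals included, appends to Audit, which is the raw material for policy 9.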

8) Stop embedding credentials within script files. Many applications require frequent access to databases and other applications to query business-related information. Organizations often automate this communication by embedding the application credentials in clear text within configuration files and scripts, but it's hard for administrators to identify, change, and manage these embedded passwords. As a result, the credentials are simply left unchanged so as not to affect productivity. Hard-coding credentials may make technicians' jobs easier, but it's also an easy launch point for hackers looking to make their way into an organization's network: anyone who can read the script, or the repository it lives in, has the password. Instead, your IT team can use secure APIs to allow applications to query your PAM tool directly when they need a privileged credential for another application or a remote asset.

9) Make sure everything is audited. When it comes down to it, comprehensive audit records, real-time alerts, and notifications are what make life easier. Capture every user operation, including refused requests, and establish accountability and transparency for all PAM-related actions. Integration with an in-house event logging tool (a SIEM) also helps by consolidating PAM activity with events from the rest of your organization and flagging unusual behaviour. This proves extremely useful in acquiring a comprehensive overview of security events and detecting breaches or insider exploits.
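An added example for policy 8 (not from the article or ManageEngine): a small Go scanner that finds credentials embedded in scripts and configuration files. It flags literal passwords and API keys in assignments, credentials inside connection-string URLs and AWS access key IDs, but deliberately leaves alone values that are references resolved at run time (a shell or environment variable, os.environ, or a vault lookup), which is what the hard-coded lines should be replaced with. The sample files are constructed for the example, and vault.checkout(...) in deploy.py is a placeholder for whatever client API your PAM tool provides.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one credential embedded in a file, with the line that carries it.
type Finding struct {
	File string
	Line int
	Kind string
	Text string
}

// Constructed sample files, standing in for a repository of ops scripts and configs.
var sampleFiles = map[string]string{
	"backup.sh": `#!/bin/sh
DB_PASS="Summ3r2017!"
mysqldump -u backup -p"$DB_PASS" crm > /srv/dump.sql
`,
	"app.ini": `[database]
user = appsvc
password = hunter2
url = postgres://report:Rep0rt$@db.internal:5432/reports
`,
	"deploy.py": `import os
API_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = os.environ["DB_PASSWORD"]     # injected at run time: not a finding
ssh_pass = vault.checkout("prod-web/root")  # fetched from the PAM API: not a finding
`,
}

var (
	// key = value, where the key names a secret; group 1 is the key, group 4 the value.
	assignment = regexp.MustCompile(`(?i)\b([a-z_]*(pass(word)?|pwd|secret|api[_-]?key|token))\b\s*[:=]\s*["']?([^"'\s#]+)["']?`)
	// scheme://user:password@host, a credential embedded in a connection string.
	urlCred = regexp.MustCompile(`[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@`)
	// An AWS access key ID is a secret wherever it appears (the sample uses Amazon's documented example ID).
	awsKey = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)
	// Values that are references, not literals: shell/env expansion, os.environ, a vault lookup.
	reference = regexp.MustCompile(`^(\$|os\.environ|getenv|vault\.)`)
)

// ScanText reports embedded credentials in one file, one finding per offending line.
func ScanText(name, text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		n, trimmed := i+1, strings.TrimSpace(line)
		switch m := assignment.FindStringSubmatch(line); {
		case awsKey.MatchString(line):
			out = append(out, Finding{name, n, "aws-access-key", trimmed})
		case urlCred.MatchString(line):
			out = append(out, Finding{name, n, "credential-in-url", trimmed})
		case m != nil && !reference.MatchString(m[4]):
			out = append(out, Finding{name, n, "hardcoded-" + strings.ToLower(m[1]), trimmed})
		}
	}
	return out
}

// ScanAll scans every file in name order so the report is deterministic.
func ScanAll(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		out = append(out, ScanText(n, files[n])...)
	}
	return out
}

func main() {
	for _, f := range ScanAll(sampleFiles) {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Kind, f.Text)
	}
}
```

Against a real repository, replace the sample map with files read from disk (filepath.WalkDir plus os.ReadFile) and feed each one to ScanText. Treat every finding as a credential that must be moved into the vault and rotated, not merely deleted from the file: its old value has to be assumed known to whoever could read the script or its version history.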

Executing these nine policies isn't a cure-all for security; there's always more to be done. According to Verizon's 2018 Data Breach Investigations Report, of the 2,216 confirmed data breaches in 2017, 201 were due to privilege abuse. A statistic like that should highlight the importance of not only protecting privileged accounts, but also recording and monitoring privileged sessions to stay vigilant and detect unusual access. Your privileged account management strategy should support your strategy for controlling privileged access to your critical assets, which in turn should support your identity and access management plan, and so on. That's the best way to protect an organization: keep widening your boundaries and securing them, because the war against cybercriminals is unending.



Anusha K M, Analyst, ManageEngine