In 2018 the UK’s National Cyber Security Centre (NCSC) published online guidance on identity and access management, providing an introduction to the technologies and best practice techniques for access management. Privileged user management (PAM) was a key area covered in this guidance.
There are numerous firms and security experts continuously lobbying for privileged access management (PAM). Similar to the NCSC, the Australian Cyber Security Centre (ACSC) also published the "Essential Eight", another helpful guide for those tasked with overseeing the cyber security strategy in their organisation. While created around the practices of Australian federal and state agencies, the guide is well worth reading for any type of organisation anywhere in the world.
At Gartner’s Security and Risk Management Summit in June, the top 10 security projects that chief information security officers (CISOs) should concentrate on in 2018 were laid. Once again, PAM was identified the most significant.
Despite these steady reminders, many privileged accounts still remain poorly protected, ignored, or mismanaged, making them easy targets. With that in mind, here's a list of essentials policies that every IT manager or security administrator should implement to protect privileged accounts:
1) Track and consolidate each privileged account with an automated discovery mechanism
The first step to secure and manage your organisation's privileged accounts is to discover all critical assets on your corporate network, as well as the associated accounts and credentials. As your organisation grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy.
2) Store privileged accounts in a secure, centralised vault
Do away with localised, siloed databases that are often maintained by various teams. More importantly, make sure employees stop writing down passwords on sticky notes or storing passwords in plain text files. These practices are dangerous and lead to increased instances of outdated passwords and coordination issues, resulting in operational inefficiency. Instead, privileged accounts and credentials belonging to all departments should be catalogued into one centralised repository. Further, protect your stored privileged accounts with well-known encryption algorithms such as AES-256 to protect against unwanted access.
3) Establish clearer roles with limited access privileges
Once your organisation's privileged accounts are securely locked in a vault, it's time to decide who should have the keys. As ACSC puts it, "restrict administrative privileges to operating systems and applications based on user duties." You can do this by charting clear roles for the members of your IT team and making sure that privileged accounts are not used for routines such as reading email or web browsing; that each member's role gives them only the minimum required access privileges.
4) Implement multi-factor authentication for employees and third parties
According to Symantec’s 2016 Internet Security Threat Report, 80 per cent of breaches can be prevented by using multi-factor authentication. Implementing two-factor or multi-factor authentication for both PAM administrators and end users will guarantee that only the right people have access to sensitive resources.
5) Stop sharing privileged account credentials in plaintext
Beyond eliminating security vulnerabilities related to loose role division, it's also important to implement secure sharing practices. For ultimate protection, your organisation's PAM administrator should be able to provide employees or contractors access to IT assets without disclosing the credentials in plain text. Users should instead be allowed to launch one-click connections to target devices from the PAM tool's interface, without viewing or manually entering the credentials.
6) Enforce strict policies for automatic password resets
Convenient as it may be for IT teams to use the same password for every privileged account on the network, this is an unhealthy practice that ultimately fosters a fundamentally insecure environment. Secure management of privileged accounts requires the use of strong, unique passwords that are periodically reset. You should make automatic password resets an integral part of your PAM strategy to get rid of unchanged passwords and protect sensitive resources from unauthorised access.
7) Add release controls for password retrieval
Establish a policy that forces users to send a request to your organisation's PAM administrator whenever they require specific account credentials to access a remote asset. To further reinforce control, provision users only with temporary, time-based access to these credentials, with built-in options to revoke access and forcefully check in passwords when the stipulated time expires. For further security, you can also automatically reset passwords once users check them in.
8) Stop embedding credentials within script files
Many applications require frequent access to databases and other applications to query business-related information. Organisations often automate this communication process by embedding the application credentials in clesar text within configuration files and scripts, but it's hard for administrators to identify, change, and manage these embedded passwords. As a result, the credentials are simply left unchanged to not hinder business productivity. Hard-coding credentials may make technicians' jobs easier, but they're also an easy launch point for hackers looking to make their way into an organisation's network. Alternatively, your IT team can use secure APIs to allow applications to query your PAM tool directly when they need to retrieve privileged accounts for another application or a remote asset.
9) Audit everything
When it comes down to it, comprehensive audit records, real-time alerts, and notifications are really what make life easier. Capture every single user operation and establish accountability and transparency for all PAM-related actions. An integration with an in-house event logging tool can also help by consolidating PAM activities with other events from the rest of your organisation and providing intelligent tips about unusual activities. This proves extremely useful in acquiring a comprehensive overview of security events and detecting breaches or insider exploits.
Executing these nine policies isn't going to be an end-all solution to security—there's always more to be done. According to Verizon's 2018 Data Breach Investigation Report, of the 2,216 confirmed data breaches in 2017, 201 were due to privilege abuse. A statistic like that should highlight the importance of not only protecting privileged accounts, but also recording and monitoring privileged sessions to stay vigilant and detect unusual access. Your privileged account management strategy should support your strategy to control privileged access to your critical assets, which should support your identity and access management plan, and so on. That's the best way to protect an organisation; keep widening your boundaries and securing those boundaries, because the war against cybercriminals is unending.
Anusha K Muralidharan, product consultant, ManageEngine
Image source: Shutterstock/deepadesigns