With great privilege comes great responsibility

Most organisations are aware that cyber criminals are constantly on the prowl for entry points into their network and are increasingly taking more effective action to protect their data and assets. However, many firms continue to leave themselves vulnerable to a major breach by completely overlooking their privileged accounts.

These accounts have elevated powers that enable users to carry out essential tasks. These capabilities mean that privileged accounts are the holy grail for a cyber attacker, and leading analyst group Forrester estimates that around 80 per cent of data breaches involve compromised privileged accounts.

Privileged accounts represent twice the threat for Managed Service Providers as they not only have to secure their own ‘superusers’, but also those of all of their clients – potentially adding up to hundreds of different accounts. This doubled threat means it is essential you ensure that your MSP is keeping the most valuable keys to your network safe.

The risk can also be a major issue when it comes to complying with regulations such as GDPR. Even if you have entrusted vital IT services to a provider, the onus is on you, as the data owner, to protect your organisation’s sensitive data. This means carrying out the necessary due diligence to make sure your MSP can demonstrate that these privileged accounts and associated credentials are as secure as possible. 

Why are privileged accounts so important?

Privileged accounts are an essential building block of the IT world, and can be used both by human users and by applications to run services requiring specific permissions. The advanced permissions and powers of these accounts enable them to perform actions such as creating and modifying other user accounts and logging into any machine on the system. They can also access any sensitive data on the network and are capable of making major changes to the network infrastructure.

If an attacker is able to commandeer a superuser, they can use the elevated powers to enact an extremely damaging cyber-attack. For example, they can bypass the multiple security controls that would restrict a normal user, travelling freely around the network and installing malware while simultaneously erasing audit trails to destroy evidence of their activity. They can also copy, manipulate and destroy any sensitive and essential information on the network.

The risk of weak passwords

Like a normal user account, privileged accounts use passwords to control access. Unfortunately, the majority of companies still struggle with good password management, and privileged accounts are usually just as poorly secured as any other.

MSPs will often have the task of overseeing all the passwords of their clients, which means an MSP is likely to have the responsibility for hundreds of different sets of credentials across their clients, including those for privileged accounts. In addition, they also need to ensure that each password adheres to the client’s specifications on strength and how frequently it is changed.

Organisations using MSPs should ensure they are using the right tools and processes to keep all of these credentials secure and properly updated. For example, a common approach is to simply manage all the passwords in an Excel document. Not only does this make it very likely that important data will be overlooked or entered incorrectly, but having so much information in one spreadsheet is a huge security liability. If an attacker gets their hands on such a document, they will be able to wreak havoc on dozens or hundreds of organisations.

The value of PAM

When you entrust your IT services to an MSP, you should ensure you are aware of how they plan to manage your privileged account credentials and secure them against misuse. One of the best approaches an MSP can use for this crucial task is a Privileged Access Management (PAM) solution.

Rather than having to manually track and manage hundreds of passwords across dozens of clients, a good PAM solution can be used to automatically scan the network, detect any privileged accounts and then apply security measures in line with any relevant security policies to ensure they are compliant. A good starting point is to assess how many superusers are actually needed and delete any unnecessary accounts. Moving forwards, the management and updating of passwords can also be handled automatically in line with each client’s specific requirements.

A full PAM system can also ensure that all credentials are stored within a secure vault that can only be accessed by administrative and IT staff who have clearance, instead of relying on a spreadsheet that could easily be exploited by a hacker or malicious insider.

Alongside managing credentials, PAM can also be used to monitor and limit the use of privileged accounts themselves. Any session accessing sensitive data or essential systems can be tracked to ensure there is no misuse, and the capabilities of each superuser can also be curtailed. Sessions can be given strict time limits, and no single account should be able to access all systems simultaneously.

PAM as a service

Increasingly, MSPs are able to offer PAM to their clients as a service, often bundled with other security offerings. Taking on PAM as a service will not only enable your company to effectively monitor and control how privileged accounts are used but will also help with a number of other common but crucial IT tasks. For example, a good PAM offering can be used to manage service and local admin accounts or tie up the large number of loose ends that are created whenever an administrator leaves the company.

Without these capabilities, your organisation’s mission-critical credentials may be vulnerable to misuse, and it will be very difficult to stay compliant with the new GDPR. 

Kris Hansen, MSP Sales Director (EMEA/APAC), Thycotic