Are your privileged accounts under control? - Part One

By Dan Legault on March 15, 2017 (Last Updated on August 30, 2017 )

Get latest articles directly in your inbox, stay up to date

Are your privileged accounts under control? This seems like a straightforward questionundefined-252113-edited.jpg but before you answer it, let’s take a step back and put the question into context.  

It is increasingly evident that most successful hacking exploits have involved an elevation of privileges to access high-risk accounts, leading to major financial and reputation damage. This is an important issue for all organizations that need to protect their sensitive data or what is commonly called their “crown jewels.” Hackers employ resourceful means such as social engineering to gain access to privileged accounts and it really doesn’t matter what depth of security is in place, successfully engineered attacks can usually provide a direct path to an organization’s crown jewels  


Privileged Accounts Types

Before moving forward, what we are referring to when it comes to privileged and high-risk accounts? The following table provides a definition of the various privileged accounts organized by two categories: interactive and non-interactive.  

Account Type

Definition

Privileged User Accounts – Non-Interactive

Service
accounts

Accounts used by a service or application to interact with the operating system. For the Windows platform, they come in two flavors: local or domain.

Application

Application accounts are also non-interactive in nature as they are used by the applications to run various services such as scripts, jobs, and access databases. Frequently, the password will be hardcoded within the scripts or jobs.

Privileged User Accounts – Interactive

Shared

Local administrative accounts used by two or more administrators. Commonly used on several services such as *NIX or Windows servers, mainframes, databases, directories, middleware, SAN, NAS, and network devices.

Local Administrative

Privileged accounts interacting with the local host such as *NIX, Windows, or Mainframe servers

Domain administrative

Same as local accounts but are given privileges across all servers within a Windows domain.

Emergency

Emergency or break-glass accounts are used by non-privileged or non-administrative users to perform an administrative task.


PAM! PIM! PUM!

As several data breaches focus on accessing privileged accounts, how can you get your privileged accounts under control? Fear not, PAM! PIM! PUM! are coming to the rescue. Basically, these three acronyms all mean the same thing, but different vendors choose to use different terms. From here on, we will use PAM as our term, but for those interested, they are defined as:

PAM – Privileged Access Management

PIM – Privileged Identity Management

PUM – Privileged User Management

Most Fortune 500 companies have some mix of PAM technologies but oftentimes they approach the issues from a more tactical point of view instead of strategically. Therefore, where do you start with such an important domain as privileged access? Let’s run down some of the important capabilities and principles that should become essential priorities: 

  1. Enforce “Least Privilege”: Without the appropriate policies and associated controls in place, the essential security principle of “Least Privilege” cannot be enforced. The principle of “Least Privilege” focuses on the maximum privileges a user needs to accomplish his/her job duties; without it, users are given access to more data and systems then they truly need.
  1. Control shared accounts: Shared accounts are tricky. You cannot prove non-repudiation or track the origin of an action with shared accounts and auditing cannot be performed. In addition, passwords for these accounts need to be distributed to everyone sharing the account. This means if someone leaves the organization, the password needs to be changed immediately and re-distributed… but unfortunately that rarely happens. So, what is the best approach to controlling shared accounts? Should the password be removed in favour of other access methods available with a PAM solution?
  1. Control amount of accounts: Most organizations simply have way too many permanent privileged accounts with way too many known passwords. This presents an opportunity to significantly reduce the number of permanent accounts in favour of various PAM functions, such as temporary passwords or single-sign-on. However, what is the right formula to reduce the number of permanent accounts for a specific organization? A drastic reduction of accounts has the potential to harm operations.
  1. Application-to-application accounts: Another significant opportunity for improvement is application-to-application accounts (AAA), classified in this blog as non-interactive accounts. Applications with hardcoded or clear passwords have been proliferating in many organizations and are a prime target for attackers. Proper due diligence dictates that there are capabilities to get these accounts/credentials under control without recoding your applications. So how will you take this on?

Taking a Strategic Approach

Most organizations have significant gaps and weaknesses within their privileged accounts realm that provide a plethora of opportunities to potential attack vectors. For example,

  1. Missing or incomplete accounts inventory: Most organizations do not have a full, updated inventory of privileged accounts. Moreover, in the context of Windows and UNIX, ghosts accounts can exist. They are classified as accounts that do not need to exist anymore, but still do.
  2. Access Visibility: Organizations lack the visibility to understand what is accessed by the privileged accounts.

To truly get a handle on privileged accounts, organizations need to allow themselves the opportunity to step back and shift their focus from a tactical approach and implement a PAM strategy that supports a prioritized roadmap and program.

Getting privileged access under control should be approached as a journey which starts with a great vision and includes directions to avoid the common pitfalls of failed projects. Without a strategy and a plan, organizations run the risk of responding tactically – they solve one potential problem, without understanding their true requirements, security priorities, and IT goals. This is where a Privilege Access Security strategy comes into the mix.

A Privileged Access Security strategy will span several years and have multiple phases. The strategy document is not a static deliverable, but rather a dynamic document that needs to be reviewed annually or after each phase. Business objectives change and technologies continue to evolve at breakneck speed, continual updates are required to prevent the prioritized roadmap from becoming stale.

The likelihood of a successful identity management strategy implementation improves when managed as a phased-in program. It is no different for PAM and associated security technologies, they should not be approached as a quick fix.

In part two of this blog we will look at where you should start building your PAM strategy and discuss some important points to keep in mind.

To continue the conversation about PAM strategies and managing user accounts, feel free to leave a comment below.

To learn more about Online Business Systems’ Risk, Security and Privacy practice click here.

You can read Part Two and Three of this blog here and here.

Submit a Comment

Get latest articles directly in your inbox, stay up to date