Are your privileged accounts under control? - Part One

Are your privileged accounts under control? This seems like a straightforward question but before you answer it, let’s take a step back and put the question into context.  

Privileged Accounts Types

Before moving forward, what we are referring to when it comes to privileged and high-risk accounts? The following table provides a definition of the various privileged accounts organized by two categories: interactive and non-interactive.  

PAM! PIM! PUM!

As several data breaches focus on accessing privileged accounts, how can you get your privileged accounts under control? Fear not, PAM! PIM! PUM! are coming to the rescue. Basically, these three acronyms all mean the same thing, but different vendors choose to use different terms. From here on, we will use PAM as our term, but for those interested, they are defined as:

PAM – Privileged Access Management

PIM – Privileged Identity Management

PUM – Privileged User Management

Most Fortune 500 companies have some mix of PAM technologies but oftentimes they approach the issues from a more tactical point of view instead of strategically. Therefore, where do you start with such an important domain as privileged access? Let’s run down some of the important capabilities and principles that should become essential priorities: 

1. Enforce “Least Privilege”: Without the appropriate policies and associated controls in place, the essential security principle of “Least Privilege” cannot be enforced. The principle of “Least Privilege” focuses on the maximum privileges a user needs to accomplish his/her job duties; without it, users are given access to more data and systems then they truly need.

2. Control shared accounts: Shared accounts are tricky. You cannot prove non-repudiation or track the origin of an action with shared accounts and auditing cannot be performed. In addition, passwords for these accounts need to be distributed to everyone sharing the account. This means if someone leaves the organization, the password needs to be changed immediately and re-distributed… but unfortunately that rarely happens. So, what is the best approach to controlling shared accounts? Should the password be removed in favour of other access methods available with a PAM solution?

3. Control amount of accounts: Most organizations simply have way too many permanent privileged accounts with way too many known passwords. This presents an opportunity to significantly reduce the number of permanent accounts in favour of various PAM functions, such as temporary passwords or single-sign-on. However, what is the right formula to reduce the number of permanent accounts for a specific organization? A drastic reduction of accounts has the potential to harm operations.

4. Application-to-application accounts: Another significant opportunity for improvement is application-to-application accounts (AAA), classified in this blog as non-interactive accounts. Applications with hardcoded or clear passwords have been proliferating in many organizations and are a prime target for attackers. Proper due diligence dictates that there are capabilities to get these accounts/credentials under control without recoding your applications. So how will you take this on?

Taking a Strategic Approach

Most organizations have significant gaps and weaknesses within their privileged accounts realm that provide a plethora of opportunities to potential attack vectors. For example,

1. Missing or incomplete accounts inventory: Most organizations do not have a full, updated inventory of privileged accounts. Moreover, in the context of Windows and UNIX, ghosts accounts can exist. They are classified as accounts that do not need to exist anymore, but still do.
2. Access Visibility: Organizations lack the visibility to understand what is accessed by the privileged accounts.

To truly get a handle on privileged accounts, organizations need to allow themselves the opportunity to step back and shift their focus from a tactical approach and implement a PAM strategy that supports a prioritized roadmap and program.

Getting privileged access under control should be approached as a journey which starts with a great vision and includes directions to avoid the common pitfalls of failed projects. Without a strategy and a plan, organizations run the risk of responding tactically – they solve one potential problem, without understanding their true requirements, security priorities, and IT goals. This is where a Privilege Access Security strategy comes into the mix.

A Privileged Access Security strategy will span several years and have multiple phases. The strategy document is not a static deliverable, but rather a dynamic document that needs to be reviewed annually or after each phase. Business objectives change and technologies continue to evolve at breakneck speed, continual updates are required to prevent the prioritized roadmap from becoming stale.

The likelihood of a successful identity management strategy implementation improves when managed as a phased-in program. It is no different for PAM and associated security technologies, they should not be approached as a quick fix.

In part two of this blog we will look at where you should start building your PAM strategy and discuss some important points to keep in mind.

To continue the conversation about PAM strategies and managing user accounts, feel free to leave a comment below.

To learn more about Online Business Systems’ Risk, Security and Privacy practice click here.

You can read Part Two and Three of this blog here and here.