By Anusha K. Muralidharan, Product Consultant, ManageEngine
At Gartner’s Security and Risk Management Summit in June 2019, the top 10 security projects that chief information security officers (CISOs) should concentrate on were laid out. Once again, privileged access management (PAM) was identified as the most significant.
Despite these steady reminders, many privileged accounts still remain poorly protected, ignored or mismanaged — making them easy targets. With that in mind, here’s a list of essential policies that every IT manager or security administrator should implement to protect privileged accounts:
- Track and consolidate each privileged account with an automated discovery mechanism.
The first step to secure and manage your organization’s privileged accounts is to discover all critical assets on your corporate network as well as the associated accounts and credentials. As your organization grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy.
- Store privileged accounts in a secure, centralized vault.
Do away with localized, siloed databases that are often maintained by various teams. More importantly, make sure employees stop writing down passwords on sticky notes or storing passwords in plain text files. These practices are dangerous and lead to increased instances of outdated passwords and coordination issues, resulting in operational inefficiency. Instead, privileged accounts and credentials belonging to all departments should be cataloged into one centralized repository. Further, encrypt your stored privileged accounts with well-known algorithms, such as AES-256, to guard against unwanted access.
- Establish clearer roles with limited access privileges.
Once your organization’s privileged accounts are securely locked in a vault, it’s time to decide who should have the keys. As the Advanced Cyber Security Center (ACSC) states, “restrict administrative privileges to operating systems and applications based on user duties.” You can do this by charting clear roles for the members of your IT team and making sure that privileged accounts are not used for routine tasks such as reading email or web browsing — and that each member’s role gives them only the minimum required access privileges.
- Implement multifactor authentication for employees and third parties.
According to Symantec’s 2016 Internet Security Threat Report, 80 percent of breaches can be prevented by using multifactor authentication. Implementing two-factor or multifactor authentication for both PAM administrators and end users will guarantee that only the right people have access to sensitive resources.
- Stop sharing privileged account credentials in plain text.
Beyond eliminating security vulnerabilities related to loose role division, it’s also important to implement secure sharing practices. For ultimate protection, your organization’s PAM administrator should be able to provide employees or contractors access to IT assets without disclosing the credentials in plain text. Users should instead be allowed to launch one-click connections to target devices from the PAM tool’s interface, without viewing or manually entering the credentials.
- Enforce strict policies for automatic password resets.
Convenient as it may be for IT teams to use the same password for every privileged account on the network, this is an unhealthy practice that ultimately fosters a fundamentally insecure environment. Secure management of privileged accounts requires the use of strong, unique passwords that are periodically reset. You should make automatic password resets an integral part of your PAM strategy to eliminate unchanged passwords and protect sensitive resources from unauthorized access.
- Add release controls for password retrieval.
Establish a policy that forces users to send a request to your organization’s PAM administrator whenever they require specific account credentials to access a remote asset. To further reinforce control, provision users only with temporary, time-based access to these credentials, with built-in options to revoke access and forcibly check in passwords when the stipulated time expires. For further security, you can also automatically reset passwords once users check them in.
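The request, approval, timed release and reset-on-check-in flow described above, as an added example (not part of the original article and not ManageEngine code). The `Vault` class, its method names and the account names are hypothetical, and time is passed in as a plain number so that expiry is easy to follow:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    passwords: dict                                # account -> current password
    pending: set = field(default_factory=set)      # (user, account) awaiting approval
    leases: dict = field(default_factory=dict)     # account -> (user, expires_at)
    audit: list = field(default_factory=list)      # (time, event, user, account)

    def request(self, user, account, now):
        self.pending.add((user, account))
        self.audit.append((now, "request", user, account))

    def approve(self, admin, user, account, now, ttl):
        if (user, account) not in self.pending:
            raise PermissionError("no pending request to approve")
        if account in self.leases:
            raise PermissionError("account is already checked out")
        self.pending.discard((user, account))
        self.leases[account] = (user, now + ttl)
        self.audit.append((now, f"approved-by:{admin}", user, account))

    def retrieve(self, user, account, now):
        self.expire(now)  # a stale lease must never release a password
        holder, _ = self.leases.get(account, (None, 0))
        if holder != user:
            self.audit.append((now, "denied", user, account))
            raise PermissionError("no active lease for this user")
        self.audit.append((now, "retrieve", user, account))
        return self.passwords[account]

    def check_in(self, account, now, event="check-in"):
        user, _ = self.leases.pop(account)
        # Rotate on check-in so the value the user saw stops working.
        self.passwords[account] = secrets.token_urlsafe(24)
        self.audit.append((now, event, user, account))

    def expire(self, now):
        # Forced check-in for every lease whose time window has run out.
        for account, (_, expires_at) in list(self.leases.items()):
            if now >= expires_at:
                self.check_in(account, now, event="forced-check-in")
```

Because `retrieve` runs `expire` first, a user who returns after the window closes is denied and the password they saw earlier has already been replaced.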
- Stop embedding credentials within script files.
Many applications require frequent access to databases and other applications to query business-related information. Organizations often automate this communication process by embedding the application credentials in clear text within configuration files and scripts, but it’s hard for administrators to identify, change and manage these embedded passwords. As a result, the credentials are simply left unchanged so as not to hinder business productivity. Hard-coding credentials may make technicians’ jobs easier, but hard-coded credentials are also an easy launch point for hackers looking to make their way into an organization’s network. Alternatively, your IT team can use secure APIs to allow applications to query your PAM tool directly when they need to retrieve privileged accounts for another application or a remote asset.
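To help with the identification problem described above, here is an added example (not from the original article or any ManageEngine product) that flags literal credentials in scripts and configuration files while ignoring values resolved at run time. The key-name patterns, file names and sample values are assumptions constructed for illustration:

```python
import re

# A literal assigned to a secret-looking key: KEY=value, key: "value", "key": 'value'
ASSIGN = re.compile(
    r"""["']?([\w.-]*(?:passw(?:or)?d|pwd|secret|api_?key|token)[\w.-]*)["']?\s*[:=]\s*"""
    r"""(?:"([^"]+)"|'([^']+)'|([^\s#;,"']+))""",
    re.IGNORECASE,
)
# A password carried in a connection URL: scheme://user:password@host
URL = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.IGNORECASE)
# Values resolved at run time (environment, template, vault lookup) are not embedded.
INDIRECT = ("$", "%", "{{", "<", "os.environ", "getenv")

# Constructed sample files; every name and value here is made up for the example.
SAMPLES = {
    "backup.sh": 'export DB_PASSWORD="S3cr3t!x"\nmysqldump -u root "$DB"\n',
    "app.yaml": "db:\n  password: ${DB_PASSWORD}\n"
                "  url: postgres://report:Tr0ub4dor@db.internal/sales\n",
    "deploy.py": 'token = os.environ["DEPLOY_TOKEN"]\napi_key = "AKIDconstructed123"\n',
}


def redact(value):
    """Keep two characters so the owner can recognise the secret; hide the rest."""
    return value[:2] + "*" * (len(value) - 2)


def scan(name, text):
    """Return (file, line_no, key, redacted_value) for each embedded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            value = m.group(2) or m.group(3) or m.group(4)
            if not value.startswith(INDIRECT):
                findings.append((name, no, m.group(1), redact(value)))
        for m in URL.finditer(line):
            findings.append((name, no, "url-userinfo", redact(m.group(1))))
    return findings


def scan_all(files):
    return [f for name, text in files.items() for f in scan(name, text)]


if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(*finding)
```

Findings carry a redacted value so the scan report does not itself become another plain-text copy of the credentials.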
- Audit everything.
When it comes down to it, comprehensive audit records, real-time alerts, and notifications are really what make life easier. Capture every single user operation, and establish accountability and transparency for all PAM-related actions. Integration with an in-house event logging tool can also help by consolidating PAM activities with other events from the rest of your organization and providing intelligent tips about unusual activities. This proves extremely useful in acquiring a comprehensive overview of security events and detecting breaches or insider exploits.
Executing these nine policies isn’t going to be an end-all solution to security — there’s always more to be done. According to Verizon’s 2019 Data Breach Investigation Report, of the 2,216 confirmed data breaches in 2017, 201 were due to privilege abuse. A statistic like that should highlight the importance of not only protecting privileged accounts but also recording and monitoring privileged sessions to stay vigilant and detect unusual access. Your privileged account management strategy should support your strategy to control privileged access to your critical assets, which should support your identity and access management plan, and so on. That’s the best way to protect an organization; keep widening your boundaries and securing those boundaries, because the war against cybercriminals is unending.
About the Author
Anusha Muralidharan is a product consultant at ManageEngine, a division of Zoho Corp. For more information on ManageEngine, the real-time IT management company, please visit www.manageengine.com; follow the company blog at http://blogs.manageengine.com, and on LinkedIn at www.linkedin.com/company/manageengine-, Facebook at www.facebook.com/ManageEngine and Twitter @ManageEngine.