Privileged Account Management (PAM) has been placed at #1 for the last two consecutive years (2018 & 2019) in Gartner’s Top 10 Security Projects. The reason is that, with an ever-expanding infrastructure spanning on-premises systems, cloud, IoT, DevOps, mobile devices and SaaS business applications, classical perimeter security is not as effective as it used to be: there are simply too many control points and gateways. Furthermore, privileged accounts exist on every asset and system out there, not to mention non-human privileged accounts, which are even more difficult to monitor and track (e.g. vulnerability scanners, RPA bots, or secrets stored in Jenkins).
Define your privileged accounts
The very first step in securing privileged accounts is to decide which accounts are privileged and to uncover where they live. Many organisations struggle to define their privileged accounts because one size does not fit all. The details differ in every company, but the best approach is to stick to the rule that "any account with the ability to change or modify the confidentiality, integrity or availability (CIA) of an asset or system" qualifies as a privileged account.
Think outside of just IT infrastructure
The pitfall a lot of businesses fall into is thinking that privileged accounts exist only at the IT infrastructure level, e.g. domain admins, local server/workstation admins, root, or enable accounts on Cisco devices. In reality, this list is just the tip of the iceberg. Business application admin accounts, such as those for Salesforce, SAP or financial applications, are also privileged. Corporate social media accounts on Twitter, Facebook and Instagram are routinely forgotten as well. A hijacked social media account can be a huge embarrassment for a business and could cause serious reputational damage, making it difficult to regain customer trust.
The depth of the problem
Various security reports, such as the Verizon DBIR, indicate that 60-80% of all security breaches, regardless of attack type, are the result of compromised privileged credentials. CyberArk, the Gartner-leading PAM solution provider, uses the general rule of thumb that an enterprise has 3-5 times as many privileged accounts as employees. This raises the question: the last time an employee left your organisation, did you change all of the passwords they had access to?
Due to a lack of visibility, the longer an employee stays in an organisation, the harder it becomes to trace back every privileged account that employee has had access to. Their privileges and access inevitably grow with time, a phenomenon known as privilege creep.
Approaching the problem
Below are a number of questions which might help you to understand the Privileged Account Security posture of your organisation:
- How many privileged accounts do you have?
- Where do your privileged accounts exist?
- What actions are they used for? E.g. in application servers, Windows services, B2B applications, etc.
- Are the passwords for privileged accounts rotated frequently?
- Who knows the passwords for them?
- What happens when an employee leaves the organisation? Do you change all the passwords they had access to?
Even with answers to all of the above questions, putting the right preventive and detective controls in place is a strenuous task, and one that has to maintain a proper balance between business operations and security. Ensuring that, with so many privileges in play, employees are still prevented from privilege abuse or misuse (intentional or unintentional) makes the task even more challenging.
My recommendations would be to focus on the following nine areas:
- Implement a Privileged Account Management solution
- Assess your separation of privileges (secondary or -A accounts) and duties (e.g. refrain from using a single domain admin account for day-to-day tasks)
- Follow the least-privilege model
- Enforce password expiry, complexity and history (allowing Unicode characters too, including emoji)
- Introduce an access certification policy (quarterly/half-yearly)
- Enforce that service accounts are non-interactive
- Introduce stronger technical and administrative controls such as multifactor authentication (MFA), especially for Internet- or cloud-facing apps
- Educate users
- Monitor and audit the use of privileged accounts.
If you’d like assistance deciding where to start your journey towards discovering and managing your privileged accounts please get in contact. We have a specialist team who would be happy to discuss your unique environment and offer guidance in line with privileged account best practices.
More information: www.cyberark.com