Privileged Account Management (PAM) has been placed at #1 for the last two consecutive years (2018 and 2019) in Gartner's Top 10 Security Projects. The reason is that, with infrastructure now spread across on-premises systems, cloud, IoT, DevOps pipelines, mobile devices and SaaS business applications, classical perimeter security is far less effective than it used to be: there are simply too many control points and gateways to defend. Furthermore, privileged accounts exist on every asset and system out there, not forgetting non-human privileged accounts, which are even harder to monitor and track (e.g. vulnerability scanners, RPA bots, or secrets stored in Jenkins).
Define your privileged accounts
The very first step in securing privileged accounts is to decide which accounts count as privileged and to uncover where they live. Many organisations struggle with this definition because one size does not fit all; it differs from company to company. The most workable approach is to stick to the rule that any account with the ability to change the confidentiality, integrity or availability (CIA) of an asset or system qualifies as a privileged account.
Think outside of just IT infrastructure
The pitfall many businesses fall into is assuming that privileged accounts exist only at the IT infrastructure level, e.g. domain admin, local server or workstation admin, root, or enable-mode access on Cisco devices. In reality that list is just the tip of the iceberg. Administrator accounts for business applications such as Salesforce, SAP or financial systems are also privileged. Corporate social media accounts for Twitter, Facebook and Instagram are routinely forgotten, yet a hijacked social media account can be a huge embarrassment for a business and cause serious reputational damage that makes customer trust hard to regain.
The depth of the problem
Various security reports, such as the Verizon DBIR, indicate that 60-80% of security breaches, regardless of attack type, involve compromised privileged credentials. CyberArk, a Gartner-leading PAM vendor, uses the rule of thumb that an enterprise has 3-5 privileged accounts for every employee. That raises the question: the last time an employee left your organisation, did you change every password they had access to?
Privilege creep
Due to a lack of visibility it becomes hard to trace back every privileged account an employee has had access to, and the longer the employee stays in the organisation the harder it gets. Their privileges and access inevitably grow over time, which is known as privilege creep.
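To make the points above concrete, here is an added example (editor's code, not part of the original article or any CyberArk product) of the kind of offline check a first discovery pass can run over a directory export. It uses a constructed, hypothetical dataset: group memberships (including nested groups and a deliberate cycle), a map of which groups can change the CIA of which asset (infrastructure, SAP, Salesforce and corporate social media alike), a non-human service account, and shared credentials with their last rotation dates. It resolves transitive group membership to find who is actually privileged, compares two snapshots to surface privilege creep, and flags shared passwords that were not rotated after someone who knew them left.

```python
from datetime import date

# --- Constructed directory snapshot (hypothetical users and groups) ---
# A member that is itself a key of GROUPS is a nested group.
GROUPS = {
    "Domain Admins":        {"alice", "svc-vulnscan"},
    "SAP_Basis_Admins":     {"bob"},
    "Salesforce_SysAdmins": {"Marketing_Leads"},      # nested group
    "Marketing_Leads":      {"carol"},
    "SocialMedia_Team":     {"carol", "dave"},
    "Helpdesk":             {"erin"},
    "Finance_Users":        {"frank"},
    "Tier1_Ops":            {"Tier2_Ops"},            # cycle on purpose
    "Tier2_Ops":            {"Tier1_Ops", "gina"},
}

# Groups whose members can change the confidentiality, integrity or
# availability of an asset. Reaching one of these, directly or through
# nesting, is what makes an account privileged under the CIA rule.
PRIVILEGED_GROUPS = {
    "Domain Admins":        "Active Directory",
    "SAP_Basis_Admins":     "SAP",
    "Salesforce_SysAdmins": "Salesforce",
    "SocialMedia_Team":     "Corporate social media",
    "Tier2_Ops":            "Production Linux fleet",
}

NON_HUMAN = {"svc-vulnscan"}   # constructed: a scanner service account

# Earlier snapshot of the same directory: carol was not yet a Marketing Lead.
PREVIOUS_GROUPS = {**GROUPS, "Marketing_Leads": set()}

# Shared privileged credentials: who has known the password, last rotation.
SHARED_CREDENTIALS = {
    "root@db01":      {"known_by": {"alice", "henry"}, "rotated": date(2019, 2, 1)},
    "admin@fw-edge":  {"known_by": {"bob"},            "rotated": date(2018, 11, 5)},
    "enable@core-sw": {"known_by": {"henry", "ivan"},  "rotated": date(2019, 6, 1)},
}
LEAVERS = {"henry": date(2019, 3, 15), "ivan": date(2019, 5, 20)}  # leave dates


def expand_members(group, groups, seen=None):
    """Transitively resolve a group to the set of user accounts it contains.
    Nested groups are followed; 'seen' guards against membership cycles."""
    seen = set() if seen is None else seen
    users = set()
    if group in seen:
        return users
    seen.add(group)
    for member in groups.get(group, set()):
        if member in groups:
            users |= expand_members(member, groups, seen)
        else:
            users.add(member)
    return users


def privileged_accounts(groups, priv_groups):
    """Map each user to the assets they can affect via privileged groups."""
    result = {}
    for group, asset in priv_groups.items():
        for user in expand_members(group, groups):
            result.setdefault(user, set()).add(asset)
    return result


def privilege_creep(previous, current):
    """Users whose privileged reach grew between two snapshots."""
    creep = {}
    for user, assets in current.items():
        gained = assets - previous.get(user, set())
        if gained:
            creep[user] = gained
    return creep


def unrotated_after_leaver(shared, leavers):
    """Shared credentials whose last rotation is not after the leave date
    of someone who knew the password."""
    findings = {}
    for cred, info in shared.items():
        stale_for = {u for u in info["known_by"]
                     if u in leavers and info["rotated"] <= leavers[u]}
        if stale_for:
            findings[cred] = stale_for
    return findings


if __name__ == "__main__":
    priv = privileged_accounts(GROUPS, PRIVILEGED_GROUPS)
    for user, assets in sorted(priv.items()):
        tag = " (non-human)" if user in NON_HUMAN else ""
        print(f"{user}{tag}: {sorted(assets)}")
    print("privilege creep:", privilege_creep(
        privileged_accounts(PREVIOUS_GROUPS, PRIVILEGED_GROUPS), priv))
    print("unrotated after leaver:", unrotated_after_leaver(SHARED_CREDENTIALS, LEAVERS))
```

On the constructed data, carol shows up as a Salesforce administrator only because of the nested Marketing_Leads group, which is exactly the kind of membership a flat group listing misses; the snapshot comparison reports her gained Salesforce access as creep, and root@db01 is flagged because henry knew its password and it has not been rotated since he left. In a real environment the same functions would be fed from an AD or LDAP export and a vault's rotation log rather than the inline dictionaries.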
Approaching the problem
Below are a number of questions which might help you to understand the Privileged Account Security posture of your organisation:
Even with answers to all of the above questions, putting the right preventive and detective controls in place is a strenuous task, and they must be balanced against business operations. Ensuring that, with so many privileges in circulation, you can still prevent employees from abusing or misusing them (intentionally or unintentionally) makes the task harder still.
My recommendation is to focus on the following 9 areas:
If you’d like assistance deciding where to start your journey towards discovering and managing your privileged accounts please get in contact. We have a specialist team who would be happy to discuss your unique environment and offer guidance in line with privileged account best practices.
More information: www.cyberark.com