Privileged accounts present a high risk to all organisations. Tyler Reese, product manager for One Identity, offers 5 tips to mitigating the risk.
Administrators must have enhanced privileges to manage their IT environments, therefore privileged accounts are a necessity in all enterprises. Unfortunately, these privileged accounts also bring high risk to a company’s network if managed improperly.
In fact, research has shown that almost half (44 percent) of all security breaches that happened in 2017 involved privileged account access. And Gartner cited it as the top priority for IT Security Projects last year.
There are a number of reasons these privileged accounts bring such high risk with them. For example, something so simple as a password reset can mistakenly grant a user full administrative rights that can be misused either intentionally or accidentally.
These accounts are also inherently difficult to manage due to the high volume of users and systems that need access to the same credentials, making it difficult to keep the credentials secure. Luckily, there are some concrete, critical steps that an organisation can take to ensure risk on its network is minimised and protected from privileged account misuse.
Take full inventory of privileged accounts, including the users and systems that use them
In order to mitigate the risks of privileged accounts, an enterprise must first know how many accounts there are on the network and which users need access to them. Careful inventory is a crucial first step.
With a comprehensive list of all privileged accounts and the users and systems that have access to them, an organisation can accurately assess where it is most vulnerable to internal or external security breaches and more accurately prioritise investigation and remediation of those vulnerabilities.
Ensure privileged passwords are stored securely
Once the inventory of all accounts and passwords for the privileged accounts is complete, the next step is to ensure those credentials are secure. One option is a password manager, which provides multiple security layers, including encryption, firewalls, and secure communication.
Password management technology can also help ensure that privileged credentials are provided to users who need them in a timely manner with appropriate approvals. If a password manager is not a viable option for your system, it is important to ensure that - at a minimum - all privileged passwords are encrypted and that accessing the credentials requires at least two layers of authentication.
Enforce strict change management processes for privileged passwords
Ensuring passwords are changed on a regular basis is a proven best practice for tightening security. But when it comes to password change management for privileged accounts, bad practices -- such as, well, not changing them at all -- have become the norm.
Since these credentials are often hard-coded in scripts and applications, changing privileged passwords can be tedious and introduces the risk of important applications failing. This leads to a reluctance to doing it altogether.
To avoid failure, businesses should create a complete and accurate inventory of the scripts and applications that use privileged credentials. It also helps to invest in a software solution that can replace hard-coded passwords with programmatic calls that dynamically retrieve the account's credentials to reduce friction in the process.
Ensure individual accountability and ‘least privileged’ access
Implementing best practices and abiding by compliance regulations requires both individual accountability and least privileged access. An organisation must know exactly who has had access to what and when, and users should only be granted the level of access needed in order to perform tasks which their jobs require.
In doing this, a business can limit harmful actions, whether unintentional or malicious. Not all systems provide native tools that enable a system to enforce individual accountability and least-privileged access. If this is the case, a third-party solution can provide granular delegation and control.
Audit use of privileged access on a regular basis
It is not enough to simply control what privileged users are allowed to do, it is also necessary to audit what those users are doing with their access. On a regular basis, it’s important to generate and review reports that note when privileged passwords were changed and what potentially harmful commands have been used on each system, and by which users.
It is also important to institute a process for periodic certification to ensure users who can gain or request access to privileged accounts should retain those abilities. Through regular auditing, reporting, and certification, an organisation can better understand how well it is securing privileged accounts, discover areas for improvement and take steps to reduce risk.
Privileged accounts present a high risk to all organisations, and managing access must be addressed in a thoughtful, practical, and balanced way. There is, unfortunately, no magical catch-all solution for IT security, but implementing these five recommendations will set any business on the path to privileged account management best practice, arming it with the ability to assess its current security environment, identify gaps or vulnerabilities, and mitigate the associated risks.