The increasingly sophisticated and persistent nature of cyber threats underscores the importance of protecting your privileged accounts, along with their respective privileged users and privileged credentials. Privileged accounts, by their very nature, tend to be the sort of digital “crown jewels” that are much sought-after by hackers. Best practices for Privileged Access Management (PAM), the main countermeasure for this risk, are thus evolving as the threats become better understood.
A Brief Overview of Privileged Access Management
PAM comprises a collection of practices, policies and technologies that protect administrative or “privileged” access to the back ends of critical systems. Privileged users operate privileged accounts, where they are authorized to set up, configure, reconfigure or delete systems, e.g. servers, databases and storage volumes. They can also set up, modify or erase user accounts—or promote regular users to privileged status and so forth.
Privileged users are necessary for the proper functioning of your IT department. However, their power makes them very attractive targets for hackers. Some of the most notorious data breaches in recent memory resulted from the abuse of privileged accounts and the impersonation of privileged user identities. Protecting privileged credentials is therefore a major goal of cyber security policy and security operations (SecOps).
PAM Best Practices
The basic idea of PAM is easy to understand: restrict privileged access to privileged users only. It seems simple enough, and some companies still manage privileged accounts with spreadsheets and common sense. That is no longer a viable approach; operationalizing PAM takes focus and effort, along with the right tools.
Virtually all organizations that take PAM seriously have acquired dedicated PAM solutions. In many cases, it is good practice to integrate PAM with your Identity and Access Management (IAM) system. This creates a single source of user identity data: from that master data set you can elevate access privileges while tracking all user identities in one place.
#1 Map your privileged accounts
Know where your privileged accounts are and who has access to them. This may seem obvious, but in today’s IT world of cloud servers, APIs and mobile endpoints, you may be surprised how many previously unknown privileged accounts, and the back-door access they represent, you have. If your organization distributes IT management across business units, the problem is likely worse than you imagine. Outside entities such as IT consultants with privileged access expand the attack surface further. And in many cases the privileged user is a machine (a service or automation account), not a human being.
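The inventory step above is the part practitioners most often skip. As an added example (not code from the original article), the script below maps privileged accounts on a Unix host from three sources: UID 0 in /etc/passwd, membership in an admin group in /etc/group, and explicit sudoers rules. It also flags accounts with a non-interactive shell as machine accounts, and surfaces the second UID-0 account and the limited sudo rules that a spreadsheet audit would miss. The file contents embedded here are constructed sample data; the admin-group names are an assumption you should adjust for your distribution.

```python
"""Inventory privileged accounts from Unix account files (added example).

Reads passwd, group and sudoers text and reports every account that
holds root privilege by one of three routes: UID 0, membership in an
admin group, or a sudoers rule (direct or via a %group). Accounts with
a non-interactive shell are flagged as machine/service accounts.
The file contents below are constructed for demonstration.
"""
import re
from dataclasses import dataclass, field

ADMIN_GROUPS = {"wheel", "sudo", "admin"}          # assumption: adjust per distro
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
deploy:x:1500:1500:CI deploy bot:/srv/deploy:/usr/sbin/nologin
consultant:x:1600:1600:External IT:/home/consultant:/bin/zsh
"""

GROUP = """\
root:x:0:
wheel:x:10:alice,deploy
sudo:x:27:
users:x:100:bob
"""

SUDOERS = """\
# comment and Defaults lines are ignored by the parser
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
consultant ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart erp
bob     ALL=(ALL) /usr/bin/less
"""


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    reasons: list = field(default_factory=list)

    @property
    def is_machine(self) -> bool:
        # Non-interactive shell: a service/automation account, not a person.
        return self.shell in NOLOGIN_SHELLS


def parse_passwd(text: str) -> dict:
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), shell)
    return accounts


def parse_group(text: str) -> dict:
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups


# "who  HOSTS=(RUNAS) commands" -- enough for plain rule lines, not aliases.
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\(.*?\)\s+(?P<cmd>.+)$")


def parse_sudoers(text: str) -> dict:
    """Return {user_or_%group: command spec} for each rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDO_RULE.match(line)
        if m:
            rules[m.group("who")] = m.group("cmd").strip()
    return rules


def map_privileged(passwd: str, group: str, sudoers: str) -> dict:
    """Return {name: Account} for every account with at least one privilege route."""
    accounts = parse_passwd(passwd)
    groups = parse_group(group)
    rules = parse_sudoers(sudoers)
    for acct in accounts.values():
        if acct.uid == 0:                      # any UID 0, not just "root"
            acct.reasons.append("uid 0")
        for g in sorted(ADMIN_GROUPS):
            if acct.name in groups.get(g, set()):
                acct.reasons.append(f"member of {g}")
        for who, cmd in rules.items():
            if who == acct.name:
                # Even a "limited" rule (e.g. less) is privilege: less can spawn a shell.
                acct.reasons.append(f"sudoers: {cmd}")
            elif who.startswith("%") and acct.name in groups.get(who[1:], set()):
                acct.reasons.append(f"sudoers via {who}: {cmd}")
    return {a.name: a for a in accounts.values() if a.reasons}


if __name__ == "__main__":
    for acct in map_privileged(PASSWD, GROUP, SUDOERS).values():
        kind = "machine" if acct.is_machine else "human"
        print(f"{acct.name:<11}{kind:<8}{'; '.join(acct.reasons)}")
```

On the constructed data this reports six privileged accounts out of seven, including toor (a second UID-0 account), deploy (a machine account in wheel) and consultant (an outside party with a NOPASSWD rule). Run the same logic against the real files on each host, and repeat the exercise for cloud IAM roles, database superusers and API keys, where the equivalent of UID 0 looks different but the question is the same.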
#2 Establish Privileged Account Governance
This may seem a bit overly formal, but governance is an essential element of an effective PAM program. The execution of PAM governance doesn’t have to be fancy, but it’s a good idea to commit rules and policies to writing and then make sure that stakeholders understand them. One reason this is so important has to do with the circumstances in which privileged access is granted. For example, if an IT admin gets a call at home on the weekend from someone asking to be given access to the email server, how should he or she respond? If you’ve established that privileged access can never be granted based on a call to a personal cell phone, you’ll be protected against that social engineering attempt.
#3 Get organization-wide buy-in
Everyone has to be aware of your PAM program and how it works. This includes senior executives. PAM should factor into general security training, so people will understand and follow privileged access policies. They’ll know it’s happening for everyone’s benefit.
#4 Create a written privileged account password policy
This falls under governance, but it’s worth calling out on its own. Hackers thrive in ambiguity, particularly when there’s turnover of personnel and a lack of clarity about who is allowed to do what. For instance, if your company has an external IT provider managing the ERP system, a hacker can impersonate one of their employees to gain back end access. However, if you have a written policy that requires sign-off from a senior executive at the IT contractor before any such access is granted, you have taken a step toward mitigating that risk. Password and privileged-access policy templates and guidance are available from SANS and NIST (e.g. NIST SP 800-63B on authenticators), and ISO/IEC 27002 (the successor to ISO 17799) covers access control; regulations such as GLBA impose requirements that such a policy must satisfy.
#5 Protect the PAM Solution
Understand that the PAM solution itself is a major target for hackers. What better way is there to get inside an organization and steal its data or wreak utter havoc? If attackers penetrate the PAM solution, they can create privileged users at will, or switch off privileged account access for legitimate privileged users, blunting incident response capabilities at the same time. A compromised but still-functioning PAM system could mask unauthorized privilege assignments and erase privileged session records. For these reasons, it is a highly recommended practice to devise countermeasures that provide defense in depth for the PAM solution itself: harden and isolate its hosts, require strong multi-factor authentication for its own administrators, and forward its audit trail to a store it cannot alter.
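One concrete defense-in-depth control for the scenario above (a compromised PAM erasing or masking its own session records) is to have a separate log collector seal every forwarded record into a keyed hash chain, so that edits, deletions and reordering of stored records are detectable by an auditor who holds the key. The following is an added example, not code from the original article and not any PAM vendor's implementation. It assumes the HMAC key is held by the collector or an HSM, never on the PAM host; the session records are constructed sample data.

```python
"""Tamper-evident chain for privileged-session audit records (added example).

Each record forwarded by the PAM is sealed by a separate collector:
    tag_i = HMAC(key, tag_{i-1} || seq_i || canonical(record_i))
Because the key is not on the PAM host, a compromised PAM (or anyone who
can write to the log store but lacks the key) cannot forge a valid chain
after editing, removing or reordering entries. Sample data is constructed.
"""
import hashlib
import hmac
import json

COLLECTOR_KEY = b"collector-held-key-example"   # assumption: lives in an HSM/KMS, not on the PAM
GENESIS = b"\x00" * 32                          # previous tag for the first entry

# Constructed sample: a legitimate change-ticketed session, then an
# attacker using PAM control to grant themselves a role and open a session.
SESSIONS = [
    {"ts": "2024-03-04T09:12:03Z", "event": "checkout", "user": "alice",
     "account": "root@db01", "ticket": "CHG-4411"},
    {"ts": "2024-03-04T09:12:09Z", "event": "session_start", "user": "alice", "account": "root@db01"},
    {"ts": "2024-03-04T09:40:51Z", "event": "session_end", "user": "alice", "account": "root@db01"},
    {"ts": "2024-03-04T21:02:17Z", "event": "grant_privilege", "user": "pam-svc",
     "target": "mallory", "role": "PAMAdmin"},
    {"ts": "2024-03-04T21:03:40Z", "event": "session_start", "user": "mallory", "account": "root@db01"},
]


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always MACs the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev: bytes, seq: int, record: dict) -> bytes:
    return hmac.new(key, prev + seq.to_bytes(8, "big") + canonical(record), hashlib.sha256).digest()


def seal(chain: list, record: dict, key: bytes = COLLECTOR_KEY) -> dict:
    """Append one record to the chain, binding it to its predecessor and position."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "tag": _tag(key, prev, seq, record).hex()}
    chain.append(entry)
    return entry


def build_chain(records: list, key: bytes = COLLECTOR_KEY) -> list:
    chain = []
    for r in records:
        seal(chain, r, key)
    return chain


def verify(chain: list, key: bytes = COLLECTOR_KEY):
    """Return (True, None) if intact, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for index, entry in enumerate(chain):
        if entry["seq"] != index:                    # gap or reordering
            return False, index
        want = _tag(key, prev, index, entry["record"])
        if not hmac.compare_digest(want, bytes.fromhex(entry["tag"])):
            return False, index                      # edited record or broken link
        prev = want
    return True, None


def erase_entry(chain: list, seq: int) -> list:
    """Simulate an attacker deleting one sealed entry and renumbering the rest."""
    tampered = [dict(e) for e in chain if e["seq"] != seq]
    for i, e in enumerate(tampered):
        e["seq"] = i
    return tampered


def edit_entry(chain: list, seq: int, field: str, value) -> list:
    """Simulate an attacker rewriting one field of a sealed record in place."""
    tampered = [dict(e, record=dict(e["record"])) for e in chain]
    tampered[seq]["record"][field] = value
    return tampered


if __name__ == "__main__":
    chain = build_chain(SESSIONS)
    print("intact:", verify(chain))
    print("grant_privilege erased:", verify(erase_entry(chain, 3)))
    print("grant target rewritten:", verify(edit_entry(chain, 3, "target", "alice")))
```

Two caveats a practitioner should keep in mind. The chain cannot detect truncation at the tail (dropping the newest entries still leaves a valid prefix), so the collector should also publish the current count and latest tag to a second system, or anchor them periodically. And a compromised PAM can simply stop forwarding records, so the collector must alert on missing heartbeats as well as on failed verification.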
The breach events of 2019 only serve to heighten the importance of robust privileged access management. The threats aren’t likely to get any less serious or advanced. Bad actors are coming for your privileged accounts. Now is the time to increase the depth and intensity of your countermeasures.