Privileged Account Management Best Practices
There are many types of accounts within systems and some accounts have more privileges or power to access and execute highly sensitive data and transactions than standard accounts. The majority of accounts fall within what is considered to be “normal” or “user”. Although user account credentials can be stolen to access systems, it is not likely these accounts will present a great threat to the organization. In contrast, privileged accounts which we will cover in detail are cause for concern if they are abused by insiders or stolen by hackers. Thus, although account security is important, privileged account protection must be of utmost priority for organizations.
According to Henry Bagdasarian, “privileged accounts offer the best bang for the buck to hackers who are always looking for easy and fast ways to gain system and account access.”
What is a Privileged Account?
A privileged account is one with access to sensitive data, critical functionalities of an organization’s IT infrastructure and systems, as well as high-impact transactions. Privileged accounts can be grouped under seven categories:
1. Local Administrative Accounts
These are accounts with access to sensitive system functionalities. They are used for IT tasks such as server maintenance and database management.
2. Privileged User Accounts
These are accounts with access to sensitive data and transactions assigned to limited number of individuals within the organization who may also be referred to as “super users”.
3. Domain Administrative Accounts
These are the most targeted types of accounts within an organization. They have access to all servers and workstations and can be used to tamper with other accounts.
4. Emergency Accounts
These are fail-safe accounts established to elevate unprivileged user accounts to admin accounts during emergency cases in order to resolve system issues or secure systems in counter attacks. They are also called break-glass and fire-call accounts.
5. Service Accounts
These are privileged domain and local accounts used to facilitate communication between applications/services and the operating system. They are complex to operate and hardly ever expire, hence creating potential dangers.
“Most companies don’t have a good accounting of their service accounts; their existence is sometimes unknown to the organization, they are either unassigned, dormant and never used, they never expire, and often have weak or no passwords” according to Bagdasarian.
6. Active Directory or Domain Service Accounts
These accounts are used to organize data into a logical hierarchy, hence facilitating the smooth operation of core functions within the organization. They are sensitive because applications and services cannot run unless these accounts are synchronized.
7. Application Accounts
These accounts are used to manage certain aspects of applications, including running batch jobs and providing access to databases. These accounts’ passwords are stored as unencrypted files and are under significant risk as a result.
Privileged Account Capabilities
Privileged accounts described in the above categories have the following capabilities:
- Ability to install system hardware or software
- Ability to create and modify accounts
- Ability to execute transactions
- Ability to reset passwords for others
- Ability to access sensitive data
- Ability to change IT infrastructure, systems, and configurations
- Access to all machines and workstations in the system
How is a Privileged Account different from a Standard or Normal Account?
In summary, the underlying difference between privileged and normal accounts is that privileged accounts have more capabilities than standard accounts and require enhanced security and protection as we will cover in this article.
Privileged Account Management and Security Best Practices
As mentioned, privileged accounts must be protected better than standard accounts. Privileged Account Management (PAM) essentially entails a rigid plan and IT infrastructure to manage all privileged accounts. It entails a great deal of accounting, security, and monitoring. Below are some of the best practices to keep in mind:
Strong password is a basic cybersecurity requirement and a necessary tool for accessing any account. Privileged accounts must have their passwords changed routinely and follow best password management practices. They must be kept confidential and never shared. There are some password management tools such as LastPass that can securely store passwords and provide password strength analysis.
Separation of Privileges and Duties
Ideally, privileged accounts should only be granted to appropriate personnel. This necessitates separating and assigning privileges and duties on a need-to-have basis. Ideally, only a limited of number of select individuals within the organization and departments must be entitled to owning a privileged account. It also entails separating roles and functions, including users’ entitlement to read, write, edit, and execute data, among other things.
Separation or segregation of duties and privileges can be used to prevent security breaches by personnel and ensure log integrity for incident investigations.
Segmentation of Systems and Networks
Segmenting systems and networks essentially entails separating them, just like privileges and duties are separated based on relevance and importance. Systems and networks are segmented based on trust levels and privilege settings. Usually, privileged accounts run on the upper levels while unprivileged ones are allocated to the lower levels – consequently, the upper levels are more secure than the lower ones.
Monitoring and Auditing Privileged Activity
One of the threats to privileged accounts is a breach from within the organization, usually by personnel with privileged access. This is why it is necessary to monitor suspicious privileged activity by implementing Privileged Session Management and Monitoring (PSM). In addition to monitoring and recording privileged activity, it is also necessary to audit all activities by capturing keystrokes and screenshots. It is also necessary to implement ways to detect and prevent unauthorized access.
It is also important to have user threat analytics systems for personnel with access to privileged accounts. This will help detect any deviations from the recommended guidelines and help prevent potential attacks before they start.
On that note, it would also be prudent to enforce real-time vulnerability-based least-privilege access. This would enable real-time risk-based access decisions to stop potential breaches as they occur.
Mitigating Threats to Privileged Accounts
Just because privileged accounts are allocated tighter security measures does not mean that they are immune from attacks. Threats to these accounts exist in various forms and can be perpetrated either unintentionally by unwitting personnel or intentionally and maliciously by hackers with a robust plan and sophisticated resources.
An attack on a privileged account can bring many of the organization’s operations to a standstill. This is why it is important to have ready solutions to these threats. Experts recommend the following:
Being proactive essentially entails taking precautions anticipating these and other threats. Recommended security measures include the requirements mentioned earlier, such as separation of privileges, password management, and implementing Privileged Session Management and Monitoring (PSM).
Upgrading to Better Security Systems
Hackers are becoming more and more sophisticated as time passes. Your organization’s current security system may not be a match for future hackers’ tactics, so it is important to upgrade to the latest cybersecurity systems. For example, integrating biometric security solutions to your current security system would considerably reduce the number of active threats and risks to the whole system.
Changing Credentials Regularly
Credentials essentially are the keys to your organization’s accounts and the entire IT infrastructure. They can become compromised at any time, so it is important to change them regularly to be safe specially if they have already been compromised without your knowledge. It is also advisable to be creative when choosing credentials to make them unique and, therefore, difficult to hack.
Employees often are the weakest link in most organizations’ IT systems. This is because they are ignorant of the looming threats and do not understand how to protect themselves from hackers. As such, it is important to talk to employees about the importance of good cybersecurity practices and equip them with the necessary resources to protect their accounts.
Leading Brands in Privileged Account Management
There are many Privileged Account Management platforms. The following is an overview of three PAM service providers:
Beyond Trust was listed as a leader in Privileged Access Management. Its PAM services are customizable and especially ideal for companies running multiple operating systems in their networks.
Centrify is made up of two service provision categories dealing with PAM and IDaaS offerings. The company has also received recognition by industry research firms.
CyberArk excels at mitigating risks and offering customized technical support. It was also named a leader in Privileged Identity Management.
The threat posed by cyber-attacks is always looming, and it is getting worse as time goes by. Avoid becoming a victim by securing your most important accounts and digital platforms. Pay particular attention to highly privileged accounts by implementing a PAM solution. Identify privileged accounts, assign ownership, secure with strong authentication, and monitor to detect misuse.