Hackers, and others who want to do an organization harm by accessing its digital assets, will do just about anything to get their hands on a privileged account. After all, a privileged account is a gateway to the organization’s most valuable assets, and even its entire IT infrastructure.
When privileged access falls into the wrong hands, the damage that can be done is breathtaking: taking control of the IT infrastructure, disabling security controls, stealing intellectual property, committing fraud. The consequences of misusing or abusing access can’t get much more dire than when a privileged account is involved.
If you’re responsible for securing access to privileged accounts, you must do everything you can to keep the wrong people from finding a way in. Privileged access management, or PAM, is indispensable in this effort. PAM solutions make it possible to lock away privileged credentials in a password vault, secure privileged user sessions, detect suspicious privileged activity and much more. Once you have a powerful PAM solution in place, adding multi-factor authentication (MFA) can further reinforce your defenses.
Here’s what you can do to maximize protection of privileged accounts by combining PAM and multi-factor authentication.
1. Lock It Up: Add Multi-Factor Authentication to PAM
Privileged-access password vaults and management tools sometimes rely on usernames and passwords for administrative access. Given the criticality of what these resources are protecting, it’s important to uplevel that security with another layer of authentication. Multi-factor authentication, which asks for additional proof that those requesting access are who they say they are, works with PAM solutions to help ensure only the right users get in.
2. Keep It Safe: Risk-Based Authentication and Multiple Authentication Options
Ideally, demands for additional authentication from the user are triggered when risk analytics detect suspicious user behavior. Challenging users according to their level of access risk both strengthens security and keeps it from unnecessarily impeding legitimate users. Multi-factor authentication that offers a variety of ways to authenticate – not just hardware and software tokens, but also biometrics, one-time passcodes and other methods – also strengthens security.
3. Manage It Centrally: Streamline Governance for Privileged Accounts
Being able to combine PAM with multi-factor authentication is important to protect privileged accounts from inappropriate access; beyond that, though, being able to combine PAM with an effective identity governance solution allows you to do even more. It makes it possible to get a unified view of all privileged users, the resources they’re entitled to access and the access activity associated with those resources. This not only helps ensure privileged access is appropriate and correct, but also that the privileges are managed accurately and in a way that’s consistent with security best practices and compliant with corporate and regulatory requirements.
To protect your most valuable assets, you need the strongest possible defense against misuse of privileged accounts. PAM and multi-factor authentication together provide the multiple layers of security that are essential to building that defense. With PAM and identity solutions working together, you have everything you need to manage credentials securely, step up authentication when risk warrants it and institute best practices for managing privilege entitlements. It’s a complete approach that allows you to fully protect privileged accounts.
# # #
This is the third in a series of posts about transforming secure access in five key areas to address today’s changing access landscape. To learn more about transforming secure access in other key areas, watch this space for other posts exploring the rest of the five areas in depth. And in the meantime, sign up for the RSA webinar series Access Transformation in Action.
*** This is a Security Bloggers Network syndicated blog from RSA Blog authored by Tim Norris. Read the original post at: http://www.rsa.com/en-us/blog/2018-06/maximum-privileged-account-protection-with-mfa.html