Gartner recently listed privileged account management as the No. 1 security project that chief information security officers (CISOs) should explore in 2018. Privileged users and accounts are not new to businesses or IT departments; managers, system administrators and IT professionals have used privileged accounts to access critical systems for years. So, what has changed to make privileged account management a top security project for CISOs?
While we often hear about individual user accounts getting compromised, denial-of-service attacks or even cyberespionage in the news, these are not always the most common attacks. According to a “Verizon Data Breach Investigations Report,” it’s actually “privileged misuse” that is the second most common category of attack. Out of 53,000-plus incidents, more than 10,000 of them were privilege misuse, making privileged access management a top priority for all organizations.
Executives are surprised to learn that many organizations have more privileged account logins and passwords than individual/employee logins. Privileged accounts come in many different forms, from admin, domain, emergency and service to application accounts. Oftentimes, these account logins and passwords are known and shared across teams or team members.
If a privileged account is compromised, the risk can be significantly greater as the hacker now has access to a higher level of system features and sensitive information. Not only can hackers move around your network, applications and equipment, they also can add, update or delete settings and users, as well as create persistent backdoors into the network.
The sheer volume of privileged accounts and the sharing of credentials make it difficult for businesses to manage. More importantly, it makes privileged account a big target for hackers.
Manual Strategies Aren’t Enough
Traditionally, companies have managed privileged accounts and credentials using manual processes and password enforcement. It’s not unusual for organizations to rely on spreadsheets or a basic password manager (a bit of an improvement over a spreadsheet) to keep track of account controls. But a manual process can quickly become difficult to manage and outdated. Oftentimes spreadsheets and password managers are not updated when new accounts are created or when employees leave and passwords need to be changed.
Relying on password policies can also fall short in providing advanced security to devices and servers. Longer and more complex passwords aren’t sufficient protection when the account information is shared. Plus, password policies do not provide an audit trail on who is accessing your IT systems.
The changing IT landscape and rise of cloud services and applications make manual approaches even more challenging. Today, there are multiple layers of technology with an organization with HR, Marketing and Supply Chain managing their own specific applications or technology. This makes manual account and permissions management impossible for IT teams.
Privileged Account Management Software
Privileged account management software is available and helps organizations better control and monitor privileged access to anything within the network. Privileged account management solutions help distribute user information and access controls by managing which access controls and permissions get assigned to devices and computer systems. Utilizing a central platform has the benefit of controlling all account access and permissions easily, as well as providing a central management and monitoring solution.
Gartner says that “privileged access management is intended to make it harder for attackers to access privileged accounts as well as allowing security teams to monitor behaviors for unusual access.”
To help mitigate many of the risks organizations face, privileged access management software features:
Authorized System Access: Many organizations are focused solely on blocking access to devices, servers or systems, when in reality controlling who is allowed access is even more important. Privileged account management solutions provide controls to define the applications, system, devices or servers that specific accounts can access, as well as the approval and time allowed.
Just-in-time Access: Who, when and why an IT or end-user account accesses systems within the corporate network is an important part of any cybersecurity plan. Privileged account management systems provide just-in-time approved account and access control, ensuring that accounts only have access when needed and approved to do so.
No Direct Account Access: A privileged account management system ensures all accounts are protected and hidden. Secured connections are then used, with the required or needed credentials provided through the secure credential store. If an IT administrator or end user does not know the credentials for systems, then in the unlikely event of a phishing attack, these credentials cannot be compromised.
Central Management: A key factor in using a privileged account management solution is the ability to manage it centrally, making it easy to perform updates, management and tasks easily that instantly affect any user requiring access to the account credentials or accessing systems.
Unalterable Audit Trail: An unalterable trail log of all actions, events and activity performed by any account is also kept, allowing for better forensics in the unlikely event of a security and data breach. Security and IT teams can then be notified immediately of issues, as well as run reports on any account within the authentication store.
Tips for Selecting Privileged Account Management Software
For many businesses, privileged account management solutions were out of reach to due to cost, IT resources and complexity. That is changing, with a new host of enterprise-class solutions. When evaluating privileged account management solutions, consider the follow questions:
- How is the privileged account management solution deployed? Can it work on-premises or in the cloud? In physical or virtual environments? Hosted on Windows or Linux OS?
- What is the solution’s pricing model? Is it a unified pricing model?
- How long does it take to implement? What is the client install, server footprint, and is it agentless?
- Can you store and share secret data securely with credentials?
- Can you automate tasks such as password resets, discovery for servers and network devices?
- Does it offer a full audit trail for all privileged access and permissions? Extensive logging and reports, as well as integration into other systems?
- Can you establish secured connections to remote devices and system?
A lot has changed in the security world, but one thing remains the same: Compromised or misused privileged accounts are responsible for too many data breaches. It’s now time for companies to rethink their manual approach to privileged account management. Today’s privileged account management solutions are easy to install, affordable and cloud-ready. Privileged account management is one IT project that CISOs can implement immediately to significantly reduce risk, secure their networks and information and provide a big business impact.