You Can Manage Account Privileges Without it Costing the Earth

IT managers: it’s time to check your privilege. No, not that kind of privilege – we’re talking about the privilege that comes with access to certain sensitive computer accounts. Privileged access management (PAM) is a task that many businesses are poor at managing, and it could cost them dearly down the line.

In late October, Barry McConnell of Goldman Sachs was presenting at (ISC)2 Security Congress. He reportedly asked an audience of around 100 security professionals to put their hands up, then asked them to put them down if they didn’t follow certain PAM policies. By the end, only five hands remained.

The problem is that companies leave it up to people to manage access to things like root accounts and APIs, he explained. As we know, people are fallible. All it takes is a mis-assigned credential, an improperly configured permission, or an oversight that leaves a privilege in place after someone switches role or leaves, and your account privileges are out of line with the people they’re supposed to govern.

The results can be serious. In October 2018, zero-trust privilege vendor Centrify published the results of a survey involving 1000 IT decision-makers (500 in the US and 500 in the UK). Of those companies who had suffered a breach, 74% said that it had involved access to a privileged account.

Inadequate authentication posed some risk (52% of respondents didn’t have a password vault, and 21% had implemented multi-factor authentication for privileged accounts). However, poor management of account privileges is also an issue. Almost two-thirds (63%) of respondents said that they usually take over a day to turn off privileged access for employees who leave the company.

Businesses can go a long way towards securing their infrastructure by automating the management of privileged accounts. What kinds of accounts are we talking about?

Those you should target include domain admin accounts for Active Directory, which puts a person into God mode. Almost as important are the domain service accounts often used for backups and software deployment.

Other accounts can fly under the radar, even though they give significant power to their users. One example is the local administrator account, often assigned to management-level employees to create local users and assign access control permissions. Privileged data user accounts are standard user accounts that can access sensitive data. These are just a few of the accounts to think about in a Microsoft environment, but there are other more generic accounts including root access, Wi-Fi, and even social media accounts.

Many companies will sell you identity and access management (IAM) tools that will help automate the account management process, but even if this isn’t in your budget, you can go a long way with some smart scripting. This can help you handle tasks including account discovery, password rotation, assigning role-based access controls, auditing privileged account access, and the temporary assignment and revocation of privileged credentials to individuals to handle unusual situations.
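As an added illustration of the kind of scripting the article has in mind (this is example code, not from the article or any vendor), the PowerShell below audits membership of privileged Active Directory groups and flags the oversights described above: leavers whose accounts are disabled but still hold membership, accounts that have not logged on in weeks, and passwords that are never rotated. It assumes the ActiveDirectory module from RSAT and a domain-joined session with read access; the group names, the 30-day and 90-day thresholds and the output path are assumptions.

```powershell
# Added example: audit privileged AD group membership for stale or forgotten
# privileges. Assumes the ActiveDirectory module (RSAT) is installed and the
# session can read the domain. Group names and thresholds are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedAccountReport {
    param(
        [string]$GroupName = 'Domain Admins',
        [int]$StaleDays = 30,            # no logon for this long -> flag
        [int]$MaxPasswordAgeDays = 90    # password older than this -> flag
    )
    $logonCutoff    = (Get-Date).AddDays(-$StaleDays)
    $passwordCutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # -Recursive expands nested groups, which is where forgotten privileges hide.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, Enabled

            $flags = @()
            # Disabled-but-still-a-member is the typical leaver that nobody cleaned up.
            if (-not $u.Enabled) { $flags += 'disabled-but-still-member' }
            # LastLogonDate is $null for accounts that have never logged on.
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $logonCutoff) {
                $flags += "no-logon-in-$StaleDays-days"
            }
            if ($u.PasswordNeverExpires) { $flags += 'password-never-expires' }
            if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $passwordCutoff) {
                $flags += "password-older-than-$MaxPasswordAgeDays-days"
            }

            [pscustomobject]@{
                Account     = $u.SamAccountName
                Group       = $GroupName
                Enabled     = $u.Enabled
                LastLogon   = $u.LastLogonDate
                PasswordSet = $u.PasswordLastSet
                Findings    = ($flags -join ';')
            }
        }
}

# Run against each privileged group you track; keep the CSV as the audit record.
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report = $groups | ForEach-Object { Get-PrivilegedAccountReport -GroupName $_ }
$report | Where-Object Findings | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\privileged-account-audit.csv" -NoTypeInformation
# Remediation (e.g. Remove-ADGroupMember for flagged leavers) is deliberately a
# separate, reviewed step rather than something this report runs automatically.
```

Scheduling this as a daily task turns the "over a day to turn off privileged access" gap into a same-day report of who still holds membership they should have lost.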