Leverage discovery mechanisms to discover, track and consolidate all privileged accounts
When building a good privileged access management solution, the first step is to identify and collect all the critical or privileged assets in your IT environment, together with the account credentials associated with them. Since corporate networks are constantly evolving, you should also have a reliable mechanism in place to detect new privileged accounts. That is the only way to be sure you stay on top of them at all times.
Fully automated programs that regularly scan your network with an auto-discovery function, detect new privileged accounts and manage them in a central, secure database are ideal here. If you have implemented this step, you have already created a solid foundation for your PAM strategy.
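As an added illustration of the discovery step (this is example code, not part of the original article or any vendor's product), the following Python script walks constructed /etc/passwd and /etc/group snapshots from two hosts, flags accounts that are privileged either by uid 0 or by membership in an administrative group, consolidates them into one inventory keyed by host and account name, and reports which entries are new compared with a previously stored baseline. The host names, account names and baseline are all invented sample data.

```python
"""Added example: discover and consolidate privileged local accounts from
constructed passwd/group snapshots, then diff against a stored baseline."""

# Constructed sample data: two hosts, each with passwd and group file contents.
HOST_SNAPSHOTS = {
    "web01": {
        "passwd": (
            "root:x:0:0:root:/root:/bin/bash\n"
            "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
            "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
            "bob:x:1001:1001:Bob:/home/bob:/bin/bash\n"
            "backup-svc:x:0:0:backup:/var/backup:/bin/sh\n"   # uid 0 service account
        ),
        "group": "root:x:0:\nsudo:x:27:alice\nwheel:x:10:\n",
    },
    "db01": {
        "passwd": (
            "root:x:0:0:root:/root:/bin/bash\n"
            "postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/bin/bash\n"
            "carol:x:1000:1000:Carol:/home/carol:/bin/bash\n"
        ),
        "group": "root:x:0:\nwheel:x:10:carol,postgres\n",
    },
}

# Group names that confer administrative rights (assumption for this example).
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "admin"}

# Constructed baseline: what the central inventory already knew about.
BASELINE = {("web01", "root"), ("web01", "alice"), ("db01", "root")}


def parse_passwd(text):
    """Return {username: uid} for every non-empty line of a passwd file."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {groupname: set(members)} from a group file."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            members = {m for m in fields[3].split(",") if m} if len(fields) > 3 else set()
            groups[fields[0]] = members
    return groups


def discover(host, passwd_text, group_text):
    """Return {(host, account): set(reasons)} for privileged accounts on one host."""
    found = {}
    users = parse_passwd(passwd_text)
    for name, uid in users.items():
        if uid == 0:
            found.setdefault((host, name), set()).add("uid 0")
    for gname, members in parse_group(group_text).items():
        if gname in PRIVILEGED_GROUPS:
            for member in members & set(users):
                found.setdefault((host, member), set()).add(f"member of {gname}")
    return found


def build_inventory(snapshots):
    """Consolidate discovery results from all hosts into one inventory."""
    inventory = {}
    for host, files in snapshots.items():
        inventory.update(discover(host, files["passwd"], files["group"]))
    return inventory


def new_since_baseline(inventory, baseline):
    """Accounts present now but unknown to the baseline, sorted by host and name."""
    return sorted(set(inventory) - set(baseline))


if __name__ == "__main__":
    inv = build_inventory(HOST_SNAPSHOTS)
    for (host, name), reasons in sorted(inv.items()):
        print(f"{host}\t{name}\t{', '.join(sorted(reasons))}")
    print("new since baseline:", new_since_baseline(inv, BASELINE))
```

In a real deployment the snapshots would come from an agent or a remote scan and the baseline from the central repository; the diff is what drives the "new privileged account detected" alert.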
Store privileged account accesses in a secure, central repository
Your next step should be to address how passwords are stored in the enterprise. Whether it’s local, isolated databases maintained by different teams, passwords written down on sticky notes, or passwords stored as plain text: these practices are not only inefficient, but more importantly they pose a serious security risk. Storing passwords and access data in an encrypted, central repository is much more secure.
With this in mind, you should implement a password management solution in your company in which the credentials of all privileged accounts from all departments of the company are managed centrally. The repository in which the credentials are stored should be protected from unwanted access using well-known encryption algorithms such as AES-256.
Define distinct roles with restricted access rights
Once you have securely stored the credentials for the privileged accounts in your organization in the password repository, you should decide who has access to it. Take this opportunity to define clearer roles for members of your IT team. Think twice about who really needs which access rights, and make sure that each team member is given only the minimum necessary access rights.
A well-defined, role-based approach to password access control plays an essential role in tracking all activities related to the password repository.
Use multifactor authentication
Current studies show that up to 80 percent of security breaches could be prevented by using multifactor authentication. Today, more than ever, multifactor authentication should be an integral part of your IT security policy – especially when it comes to privileged access management.
With this in mind, you should secure your privileged access management solution with two- or multifactor authentication – preferably for users and admins alike. This helps you ensure that only the right people have access to critical resources.
Do not share credentials for privileged accounts in plain text
Once you have implemented a clear assignment of roles, you now need to think about a secure procedure for sharing and releasing passwords. For optimal protection of credentials, your Privileged Access Management administrator should be able to grant employees or service providers access to IT resources without exposing credentials in clear text.
Good privileged access management solutions instead offer users the option to start a connection to the target device directly from the user interface. This is not only convenient for the user, as the credentials do not have to be entered manually, but also secure, as the password is never displayed in plain text.
Establish strict policies for automatic password resets
To manage privileged accounts securely, be sure to use unique passwords that are changed regularly. Ideally, make automatic password reset an integral part of your Privileged Access Management strategy. This way you get rid of static passwords and can better protect sensitive resources from unauthorized access.
Establish release controls for password recovery
Set up a security policy that forces users to send a request to your organization’s Privileged Access Management Administrator if they need specific login information. For additional control, provide users with only temporary, time-based access to credentials.
To achieve this, good Privileged Access Management solutions offer the option to automatically reset passwords as soon as the user has checked them in, to revoke access, or to reset passwords after a specified time has elapsed.
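The following Python model, added here as an example and not taken from the article or any vendor's product, shows the release controls of the two sections above in working form: a user checks out a privileged credential for a limited time, and either checking it back in or letting the lease expire triggers an automatic password reset, so the value the user saw stops working. Every step is written to an audit list. The clock is injected so the expiry behaviour is deterministic; account names and users are invented.

```python
"""Added example: time-limited credential check-out with automatic rotation
on check-in or lease expiry (a simplified model, not a product API)."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length=24):
    """Unique random password produced by the vault, never chosen by a human."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Lease:
    user: str
    expires_at: float      # seconds on the injected clock


@dataclass
class VaultEntry:
    password: str = field(default_factory=generate_password)
    lease: Optional[Lease] = None
    rotations: int = 0


class Vault:
    def __init__(self, clock):
        self.clock = clock          # callable returning "now" in seconds
        self.entries = {}
        self.audit = []             # (time, event, account, detail)

    def add_account(self, account):
        self.entries[account] = VaultEntry()

    def _rotate(self, account, reason):
        """Reset the password and clear the lease; the old value is now useless."""
        entry = self.entries[account]
        entry.password = generate_password()
        entry.rotations += 1
        entry.lease = None
        self.audit.append((self.clock(), "rotate", account, reason))

    def expire_leases(self):
        """Rotate every account whose lease has run out (time-based access)."""
        now = self.clock()
        for account, entry in self.entries.items():
            if entry.lease and entry.lease.expires_at <= now:
                self._rotate(account, f"lease of {entry.lease.user} expired")

    def checkout(self, user, account, ttl_seconds):
        """Hand out the credential for at most ttl_seconds; one holder at a time."""
        self.expire_leases()
        entry = self.entries[account]
        if entry.lease is not None:
            raise PermissionError(f"{account} is checked out by {entry.lease.user}")
        entry.lease = Lease(user, self.clock() + ttl_seconds)
        self.audit.append((self.clock(), "checkout", account, user))
        return entry.password

    def checkin(self, user, account):
        """Return the credential; the password is reset immediately."""
        entry = self.entries[account]
        if entry.lease is None or entry.lease.user != user:
            raise PermissionError(f"{user} holds no lease on {account}")
        self.audit.append((self.clock(), "checkin", account, user))
        self._rotate(account, f"checked in by {user}")


class FakeClock:
    """Deterministic clock for the demo (constructed, not wall time)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    vault = Vault(clock)
    vault.add_account("db01/root")
    p1 = vault.checkout("alice", "db01/root", ttl_seconds=600)
    vault.checkin("alice", "db01/root")            # rotation 1
    p2 = vault.checkout("bob", "db01/root", ttl_seconds=600)
    clock.advance(601)
    vault.expire_leases()                          # rotation 2: bob's lease timed out
    p3 = vault.checkout("carol", "db01/root", ttl_seconds=600)
    return p1, p2, p3, vault


if __name__ == "__main__":
    p1, p2, p3, vault = demo()
    print("three distinct passwords:", len({p1, p2, p3}) == 3)
    for event in vault.audit:
        print(event)
```

The two things worth noticing are that a second user cannot check out an account that is already held, and that the password seen by any user is invalidated the moment the lease ends, whether by check-in or by timeout.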
Do not embed credentials in script files
Many applications need access to databases or other applications to retrieve business-related data. In many cases, admins automate this by storing login information in plain text in configuration files, XML files and scripts. For privileged access management admins, finding these passwords later and bringing them under management in a central repository is very time-consuming and complicated.
Consequently, such credentials are often left unchanged for long periods so as not to impact the company’s productivity. While hard-coded credentials can make technicians’ jobs easier, they are also a welcome gateway for attackers looking for a way into the corporate network.
With this in mind, it’s better to rely on secure interfaces that allow applications to send a request to your PAM solution if they require access to another application or remote object.
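Two pieces of example code for this section, added here and not part of the article or any product: a scanner that finds credentials embedded in configuration files, XML files and scripts (the hard part the section describes), and a resolver that shows the alternative, where a file holds only a reference such as `${VAULT:db01/app}` and the actual secret is fetched at runtime from the PAM solution through an injected client. The file contents, the `${VAULT:...}` reference syntax and the `fetch` callback are all assumptions made for this example; a real integration would use the vendor's API.

```python
"""Added example: find embedded credentials in config/script text, and resolve
vault references at runtime instead of storing secrets in the files."""
import re
from dataclasses import dataclass

# Constructed sample files: two contain plain-text secrets, two use safe patterns.
SAMPLE_FILES = {
    "app.config": (
        '<connectionStrings>\n'
        '  <add name="Db" connectionString="Server=db01;User Id=app;Password=Hunter2!;" />\n'
        '</connectionStrings>\n'
    ),
    "backup.sh": '#!/bin/sh\nPGPASSWORD="s3cret-backup" pg_dump -U backup prod > /tmp/prod.sql\n',
    "settings.yml": "database:\n  user: app\n  password: ${VAULT:db01/app}\napi_key: abc123-constructed-key\n",
    "fetch.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
}

# key=value or key: value, optionally quoted; keyword may be part of a longer name (PGPASSWORD).
CRED_PATTERN = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?([^\"'\s;]+)"
)
# Values that are references or runtime lookups, not secrets (assumption for this example).
SAFE_PREFIXES = ("${", "{{", "os.environ", "vault.")
VAULT_REF = re.compile(r"\$\{VAULT:([^}]+)\}")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    key: str
    masked: str      # never echo the full secret into a report


def mask(value):
    return value[:2] + "***" if len(value) > 2 else "***"


def scan_text(filename, text):
    """Return a Finding for every embedded credential in one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CRED_PATTERN.finditer(line):
            key, value = m.group(1), m.group(2)
            if value.startswith(SAFE_PREFIXES):
                continue
            findings.append(Finding(filename, lineno, key, mask(value)))
    return findings


def scan_files(files):
    """Scan a {name: text} mapping, files in sorted order."""
    out = []
    for name in sorted(files):
        out.extend(scan_text(name, files[name]))
    return out


def resolve_vault_references(text, fetch):
    """Replace ${VAULT:path} with the value returned by fetch(path) at runtime.

    `fetch` stands in for the PAM solution's client (hypothetical); the secret
    never lives in the file, only in the running process's memory.
    """
    return VAULT_REF.sub(lambda m: fetch(m.group(1)), text)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line}: embedded {f.key} = {f.masked}")
    resolved = resolve_vault_references(SAMPLE_FILES["settings.yml"], lambda path: f"<from vault: {path}>")
    print(resolved)
```

Running the scan over the sample set reports the XML connection string, the shell script and the YAML API key, while the `${VAULT:...}` reference and the environment lookup are passed over; those are the patterns to migrate the findings toward.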
Make sure that everything is logged and audited
Comprehensive audit records, real-time alerts and notifications are the tools and features that really make your life easier. Ideally, you’ll capture every single user event – for maximum visibility and accountability of all PAM-related actions.
You should also integrate your PAM solution with your event logging tool, if possible. Correlating PAM activities with other events in the organization makes it easier to track down unusual activity, gives you a comprehensive view of security events, and helps you identify breaches or insider attacks.
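As an added example of the correlation just described (not code from the article or any product), the Python below joins constructed PAM audit records with constructed sshd log lines from the target hosts and raises an alert for every login to a privileged account that is not covered by an active credential check-out. The timestamps, hosts, users and source addresses are invented; the log line format follows the usual OpenSSH "Accepted ... for ... from ..." message.

```python
"""Added example: correlate PAM check-out records with host login events and
flag privileged logins that had no corresponding check-out."""
import re
from datetime import datetime, timedelta

# Constructed PAM audit records: (timestamp, user, account, host, lease minutes)
PAM_AUDIT = [
    ("2024-03-01T09:00:00", "alice", "root", "db01", 30),
    ("2024-03-01T13:00:00", "bob", "root", "web01", 30),
]

# Constructed sshd log lines collected from the hosts' auth logs.
HOST_LOGS = [
    "2024-03-01T09:05:12 db01 sshd[2210]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2",
    "2024-03-01T11:42:03 db01 sshd[2419]: Accepted password for root from 10.0.0.77 port 50201 ssh2",
    "2024-03-01T13:10:44 web01 sshd[1301]: Accepted password for root from 10.0.0.5 port 50310 ssh2",
    "2024-03-01T14:00:00 web01 sshd[1390]: Accepted password for alice from 10.0.0.5 port 50311 ssh2",
]

LOGIN_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
PRIVILEGED_ACCOUNTS = {"root"}      # assumption: accounts whose use must go through PAM


def parse_logins(lines):
    """Return (timestamp, host, account, source) for each successful login line."""
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            ts, host, account, src = m.groups()
            logins.append((datetime.fromisoformat(ts), host, account, src))
    return logins


def covered_by_checkout(ts, host, account, audit):
    """Return the PAM user whose lease covers this login, or None."""
    for rec_ts, user, rec_account, rec_host, ttl in audit:
        start = datetime.fromisoformat(rec_ts)
        if rec_host == host and rec_account == account and start <= ts <= start + timedelta(minutes=ttl):
            return user
    return None


def find_uncovered_logins(lines, audit, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged logins with no active check-out: each is an alert tuple."""
    alerts = []
    for ts, host, account, src in parse_logins(lines):
        if account not in privileged:
            continue
        if covered_by_checkout(ts, host, account, audit) is None:
            alerts.append((ts.isoformat(), host, account, src))
    return alerts


if __name__ == "__main__":
    for alert in find_uncovered_logins(HOST_LOGS, PAM_AUDIT):
        print("ALERT: privileged login without PAM check-out:", alert)
```

In the sample data the 11:42 root login to db01 is the only one that falls outside any lease, which is exactly the kind of event that is invisible to the PAM audit trail alone and only shows up once both sources are correlated.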
Tips for Privileged Access Management – Conclusion & Outlook
Even though there will never be a definitive, permanently secure solution when it comes to IT security, implementing these nine tips gives you a good foundation for keeping your business secure.
As you can see, it pays to develop a well-thought-out privileged account management strategy and continuously evolve it to create the most impenetrable defense against cyber-attacks possible.
Our Privileged Access Management Services:
Consulting
Our profound know-how forms the basis of our comprehensive portfolio of Consulting Services.
Training
We are happy to pass on our know-how to our customers and offer customized Training Services.
24/7 Support
Our 24/7 Support Services ensure that our specialists are always available to our customers.