Pradhyumnan
December 21 · 5 min read
Privileged accounts are the keys to your kingdom. Protecting and managing access to these sensitive accounts is the best way you can protect your organization’s IT infrastructure. To best protect your privileged accounts, a privileged access management solution can help by providing context-based access controls and proactive security measures. Deploying a modern PAM solution and enforcing privileged access management best practices can transform your organization’s cyber security in a single stroke.
A PAM solution is only a tool; what improves your security posture is the set of practices it lets you enforce. If you follow privileged access management best practices, you can realize the maximum return on your investment and the full potential of the solution, while giving your employees a positive and secure experience.
So, how do you realize the full potential of your solution? Here are our top 12 recommended privileged access management best practices for you to follow while rolling out a PAM solution.
Privileged accounts are highly valued entities in every organization. Leaving them sprawled all over the network will leave backdoors for internal users and external threats to sneak into the network without ever being detected. External users might even use privileges to create a new user account for themselves so they can come back anytime they want to.
It is essential to know and understand exactly where and how privileged access and privileged accounts are used. Identifying where privileges come into play in your organization is the starting point of a successful privileged access management implementation, and that means connecting the dots between the privileged accounts and the business functions that depend on them. Having this data will help you create workflows and manage privileged access much more efficiently.
Teams within your organization can store privileged account credentials using different methods. These include a spreadsheet, notepad and sticky notes. This siloed approach to managing privileged accounts should be eliminated. Centralized management of privileged credentials will provide a holistic view of how privileged access is used in the organization. That is the next best practice to be followed.
Privileged account discovery is an important step in securing privileged access in any network. Privileged credentials are used and can be found across the network on databases, applications, services, hardware devices, firewalls, routers etc. The type of credential used in these platforms may vary from local user accounts, admin accounts, domain accounts, and service accounts to database accounts, SSH keys, hardcoded credentials in scripts and miscellaneous privileged accounts used by third party vendors and contractors.
Regardless of the type, all privileged accounts should be identified and consolidated into the encrypted repository for centralized management. Once all privileged accounts are brought under the same umbrella, managing access to them becomes far easier. One benefit of running an account discovery process is that stale privileged accounts, which carry a lot of risk, are identified and can then be managed centrally.
Centralized storage of privileged accounts presents a unique opportunity to gain complete visibility of who has access to what, gives complete control over the accounts and reduces the threat of an insider attack significantly.
Passwords are not going anywhere in the near future. Even though many continuously try to swap passwords with biometrics like facial recognition and fingerprint, passwords have proven to be the most trustworthy and reliable. Any organization would benefit a lot from creating a competent password policy as it is often mandated in most compliance requirements. Even though the regulations keep evolving, the basic password management best practices remain the same.
Password policies ensure that the passwords in use are regulated and secure. They set a standard that all users must adhere to when creating new passwords. The password policy designed for machine identities should be different from the policy designed for human identities.
Complex passwords with special characters and numbers are very hard for people to remember, but for machine identities that is no drawback, and such passwords go the extra mile in protecting those identities from insider threats.
Fun Fact: The password ‘HeLl0!!!!!!!!!!!!!!!!!!!!!’ is stronger than ‘Il@90shnj&h*’ simply because the number of exclamation marks in the first password makes it longer. Even though the first password is easier to recognize, it is stronger than the latter.
The takeaway from the above fun fact is that the passwords used by users to login to the centralized repository should ideally be a long passphrase. It should be easy to remember and strong. Periodic password resets should not be mandated for human identities as it directly and indirectly results in password reuse. Even if systems are put in place to eliminate password reuse, users often find ingenious methods to reuse the same passwords extensively. To manage human identities optimally, a suitable password policy should be designed mandating long passphrases with a long password life.
On the contrary, machine identities should be assigned a complex password, containing special characters and numbers. Complex passwords protect against dictionary-based attacks launched by cybercriminals. The passwords should be reset every 30 days (about 4 and a half weeks) and the process should ideally be automated. A limited password life will protect against credential stuffing and spraying attacks.
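The two policies described above, as an added example that is not from the original post or from Securden's product: a small checker that applies a long-passphrase policy to human identities and a complexity-plus-30-day-rotation policy to machine identities, plus the search-space estimate behind the fun fact. The numeric thresholds (16 characters, 365-day human life, 4-hour nothing else) are assumptions; the post only says "long passphrase", "long password life" and "every 30 days".

```python
import math
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Character classes used to estimate the brute-force search space.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def pool_size(password: str) -> int:
    """Alphabet size an attacker must search, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def strength_bits(password: str) -> float:
    """Search space in bits: length * log2(pool). Length dominates, as the fun fact shows."""
    return len(password) * math.log2(pool_size(password))


@dataclass(frozen=True)
class Policy:
    min_length: int
    require_classes: tuple   # character classes that must all appear
    max_age_days: int


# Assumed thresholds (not from the post): humans get a long passphrase with a long life,
# machines get a complex password rotated every 30 days.
HUMAN_POLICY = Policy(min_length=16, require_classes=(), max_age_days=365)
MACHINE_POLICY = Policy(min_length=16,
                        require_classes=("upper", "lower", "digit", "symbol"),
                        max_age_days=30)


def check(password: str, last_set: date, today: date, policy: Policy) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < {policy.min_length}")
    for cls in policy.require_classes:
        if not any(c in CLASSES[cls] for c in password):
            problems.append(f"missing {cls} character")
    if today - last_set > timedelta(days=policy.max_age_days):
        problems.append(f"older than {policy.max_age_days} days; rotate")
    return problems
```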
Network devices, applications and other IT assets often come with a pair of credentials by default. The same credentials are used for all devices produced by the manufacturer and are publicly known. These credentials are intended for use during installation and testing purposes only. As soon as the devices are deployed successfully, it is highly advisable to change the default username and password. Ideally, the password used for such IT assets should be in concert with the password policy in place.
Password reuse is widely rampant in organizations across the world and threat actors know it. Once attackers breach an account, they try using the same password to access other related accounts in hopes of getting lucky. To limit the fallout of such breaches, password reuse should be completely eliminated. Once all your privileged accounts are onboarded on the centralized repository, you can assign unique passwords to all the accounts and curb password reuse almost completely.
When an employee is relieved of their duties, it is the responsibility of the organization to rescind all access and ensure that the credentials used by the ex-employee are reset as soon as they are offboarded. There is absolutely zero control over what a former user will do, especially if the employee and the organization did not part ways on good terms. Enforcing a password reset on all credentials that were accessible to ex-employees is the prudent thing to do. Additionally, ownership of the accounts owned by the departing user should be transferred to another user or an administrator.
Once the privileged passwords are made secure with a robust policy, the assets will be safe when subjected to credential-based attacks like password spraying and stuffing attacks. However, cybercriminals have started using methods like phishing and social engineering to gain access to accounts.
To protect against such attacks, where even the strongest possible password will not offer complete protection, enforcing a secondary layer of authentication is recommended. Even if the attackers possess the usernames and passwords, they will not be able to gain access unless the login is explicitly approved by the user. In addition to enforcing multi-factor authentication, all employees should be given adequate training on how to handle phishing attacks. Appropriate training makes a difference when dealing with advanced social engineering attacks and MFA fatigue attacks.
Access to sensitive assets should not be permanent for any user. Permanent access is unfettered and cannot be easily controlled, monitored, or audited. Privileged IT assets store sensitive information such as employee and customer details, payment-related information etc. Access to these sensitive accounts should only be granted when required. It may be controlled by employing a request release workflow.
The user places an access request for the asset and can only access it after an administrator reviews and approves the request. Such a context-based just-in-time workflow provides complete control over ‘who’ gets access to ‘what’, ‘when’ and for exactly ‘how long’.
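The request-release workflow above, as an added example that is not code from the original post or from any PAM product: a minimal broker in which access to an asset exists only between an administrator's approval and the grant's expiry, and every step lands in an audit trail. The 4-hour cap on a single grant and the rule that requesters cannot approve their own requests are assumptions added here to reflect the separation-of-duties advice later in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccessRequest:
    requester: str
    asset: str
    reason: str
    duration: timedelta
    approved_by: Optional[str] = None
    granted_at: Optional[datetime] = None

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.granted_at is None else self.granted_at + self.duration


class JitBroker:
    """Request-release workflow: no standing access, only time-boxed approved grants."""
    MAX_DURATION = timedelta(hours=4)   # assumed cap on a single grant

    def __init__(self, admins):
        self.admins = set(admins)
        self.requests = {}
        self.audit = []          # (timestamp, event, requester, asset, actor)
        self._next_id = 1

    def request(self, requester, asset, reason, duration, now) -> int:
        if duration > self.MAX_DURATION:
            raise ValueError("requested duration exceeds the maximum grant")
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = AccessRequest(requester, asset, reason, duration)
        self.audit.append((now, "requested", requester, asset, requester))
        return rid

    def approve(self, rid, admin, now) -> None:
        req = self.requests[rid]
        if admin not in self.admins:
            raise PermissionError("only administrators may approve requests")
        if admin == req.requester:
            raise PermissionError("requesters may not approve their own requests")
        req.approved_by, req.granted_at = admin, now
        self.audit.append((now, "approved", req.requester, req.asset, admin))

    def has_access(self, user, asset, now) -> bool:
        """True only while an approved, unexpired grant for this user/asset exists."""
        return any(r.requester == user and r.asset == asset and r.granted_at is not None
                   and r.granted_at <= now < r.expires_at
                   for r in self.requests.values())
```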
Employees require access to sensitive IT assets on a daily basis. As a best practice, all privileged accounts should be adequately protected with session recording, monitoring, and auditing. Enable privileged session monitoring and management for all sensitive IT assets. Whenever a user launches a remote session to one of these privileged assets, all their activities should be recorded for security purposes.
Set up provisions for an administrator to be able to shadow such sessions. The administrator should be able to monitor the live sessions without the knowledge of the user utilizing the privileged asset.
Track and record all privileged activities for better visibility on how privileged access is used in your organization. It also helps regulate privileged activities and keep in check whether users operate within the scope of their responsibilities.
Hold administrators responsible for their actions. Sharing administrator accounts has traditionally been risky owing to the lack of accountability for actions and the sensitivity of the account and the privileges it carries. Enforce strict auditing and record all privileged activities to securely manage shared administrator accounts. Knowing ‘who’ had access to the administrator account at any given time will provide much needed visibility with sharing administrator accounts.
Application to Application communication is often sensitive and involves privileged credentials for authentication. These credentials are often hardcoded into the scripts and processes for the purpose of task automation. Hardcoding credentials is a security risk as threat actors can see privileged credentials in plain text if they get their hands on the scripts of these applications.
Application-to-application password management best practices involve using APIs to fetch privileged credentials from the centralized repository at run time instead of hardcoding them. As a security measure, enforce dynamic token-based authentication for the API calls that access the repository.
Overprivileged users are prime targets for threat actors. They carry a plethora of permissions to access sensitive information and to manage access to many other IT assets. As a best practice, it is highly advisable to revoke unnecessary privileges from users and grant only the bare minimum needed to perform their duties. A common scenario in organizations is that ordinary users are given permissions to manage access to IT assets when they do not need them; only administrators need such permissions to fulfill their responsibilities.
Deploy access controls of granular nature to grant just the required amount of access to assets. Most users might need access to assets but have no business knowing the credentials that are required to access them. Granting access to IT assets without revealing the underlying credentials is highly recommended for reducing the risks associated with internal threats significantly.
Zero trust network access (ZTNA) focuses on authenticating each user at multiple levels before granting any access to network assets. To enforce the principle of zero trust, we employ credential vaulting and multi-factor authentication, granting access to users only after their identity has been verified through multiple checks.
Deploying measures to enforce the principle of least privilege across the network will help condense the threat surface significantly and contribute to enforcing the principle of zero-trust. The Principle of Least Privilege (POLP) works by removing basic access privileges for all users and granting access only to specific assets. In case a breach occurs, the attacker will be restricted to the surface level of the network. The lack of access privileges will prevent the attacker from reaching the deeper levels of the network and accessing the most sensitive IT assets in the network.
Deploying principles of zero-trust and least privilege in tandem will reduce the threat surface across all dimensions and place defense in depth at the very core of your cyber-defense strategy. You can enforce the principle of least privilege in four easy steps.
Eliminate admin rights on endpoints - Local accounts with administrator privileges are one of the most common entry points for attackers in any IT network. Eliminating such accounts and replacing them with standard accounts help minimize the threat surface.
Remove all unnecessary privileges - It is highly advisable to remove all unnecessary privileges through application control. Grant granular access for running, installing, and removing applications, processes, and commands.
Enforce rule-based privilege elevation - Create control policies to automate privilege elevation. Allow trusted applications to be elevated through whitelisting and block applications through blacklisting.
Just-in-time application control (ZSP) - Privileged access should always be granted to human users on a temporary basis. Standing privileges are granted on the basis of trust and go against the principle of zero trust. Enforce just-in-time privilege elevation to elevate applications and processes only for the required amount of time.
Limit the number of privileges for a specific administrator account. No single administrator should be able to perform more than a few privileged activities. Separation of privileges will help you enforce separation of duties. Privilege separation includes separating administrator accounts from standard accounts and separating administrator accounts with different sets of privileges like auditing and reporting, account creation and deletion, provisioning access controls etc.
Each privileged account should possess only the set of privileges required to perform its designated tasks. If an attacker gains access to that privileged account, the exposure is limited to a large extent.
Users and processes that require different sets of privileges should be isolated from one another. Systems that are more on the sensitive end of the spectrum should have robust and tighter security controls. Segmenting systems based on privileges helps contain breaches within the segment. Isolating groups of systems within the network prevents lateral movement and prevents sensitive parts of the network from getting infected with malware and ransomware.
Securden Unified PAM helps you enforce privileged access management best practices on your IT infrastructure by centralizing credential vaulting and policy enforcement. Powerful discovery engines help bring all your privileged accounts, even your orphaned accounts, into a centralized vault from where you can administer privileged access management best practices as required.
Try it out for yourself now with a 30-day free trial!