An organization runs smoothly when its people, servers, applications and other components work together, each with a defined role. Some of those roles carry elevated capabilities: privileged users hold accesses that a standard user does not get.
Privileged accounts are human users, applications and other non-human identities whose permissions go beyond those of a standard user. Examples include accounts that can create or configure other accounts and network devices, accounts that approve access to sensitive applications, system administrator accounts, root accounts, accounts with access to regulated data such as PII, and corporate social media admin accounts, among many others.
What all of these have in common is that the access they hold is extremely valuable to the smooth functioning of the organization, and therefore equally valuable to an attacker.
However, despite the sensitive nature of these accesses, they are usually not as well protected as one would expect. Here are the most common issues with privileged accounts:
- Too many privileged accounts are created over time and then forgotten. Orphaned accounts are standing backdoors waiting for an attacker to find them.
- Several users share one account. Shared credentials remove accountability: nobody can say who did what under that account. They also raise the odds of compromise, since the secret is known to many people and is rarely changed when one of them leaves.
- Privileged accounts are provisioned manually and on an ad-hoc basis. Access granted by hand to solve today's problem is seldom recorded or reviewed, leaving a growing population of unaccounted-for users with privileged access.
- Weak password practices. Privileged accounts often keep their default or initial passwords for a long time, are not rotated, and are not protected by stronger authentication such as MFA. Given the volume of leaked credentials available on the dark web, credential stuffing alone can be enough to open such accounts.
- Some privileged accounts are so restrictive that doing legitimate work becomes a challenge. In the name of security, organizations sometimes wrap privileged access in so many approvers and process steps that users look for shortcuts. Security is imperative, but usability matters too; the balance between security and productivity has to be found for these accounts in particular.
- No visibility or governance. In most organizations privileged accounts are not monitored: there is no record of who accessed what and when, how they authenticated, how many attempts they made, how long the session lasted, or which resources they touched. Those questions are central to understanding how secure your resources are and to taking a proactive stance on security.
- No audit trails. Without session management and monitoring, organizations scramble for data during audits and struggle to produce a detailed report of who had which access to which resources.
- Default admin accounts on every device. Most devices ship with a local administrator account that is never removed, and often the same password is set on every device. If one such device is compromised, for example through social engineering, the attacker can reuse that local admin credential to move laterally across the network and reach other administrative accounts.
- The cloud makes privileged accounts still more exposed. Organizations now manage many more workloads, each with its own service accounts, API keys and administrator roles, and these are frequently created outside any central process.
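Most of the issues in the list above are detectable from an account inventory alone. The following is an added example, not code from the original article or from any product it describes: a small hygiene audit that flags stale, orphaned, shared, default-password, unrotated, MFA-less and built-in local admin accounts. The inventory, the account names, the dates and the 90-day thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed thresholds and a pinned "as of" date (assumptions for this example,
# not the article's numbers) so the findings are reproducible.
AS_OF = date(2021, 3, 1)
STALE_DAYS = 90             # no login within this window -> likely forgotten
MAX_PASSWORD_AGE_DAYS = 90  # older than this -> never rotated


@dataclass
class PrivilegedAccount:
    name: str
    owners: List[str]               # people accountable for the account
    last_login: Optional[date]      # None = never used since it was created
    password_set: date              # when the current password was set
    default_password: bool = False  # still on the vendor/initial password
    mfa: bool = False               # protected by a second factor
    local_admin: bool = False       # built-in local administrator on a device


def audit_account(acct: PrivilegedAccount, as_of: date = AS_OF) -> List[str]:
    """Return the hygiene findings for one account, one per issue listed above."""
    findings = []
    if acct.last_login is None or (as_of - acct.last_login).days > STALE_DAYS:
        findings.append("stale")
    if len(acct.owners) == 0:
        findings.append("orphaned")            # nobody is accountable for it
    elif len(acct.owners) > 1:
        findings.append("shared")              # several people know the secret
    if acct.default_password:
        findings.append("default-password")
    if (as_of - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-not-rotated")
    if not acct.mfa:
        findings.append("no-mfa")
    if acct.local_admin:
        findings.append("local-admin")
    return findings


def audit_inventory(accounts, as_of: date = AS_OF) -> dict:
    """Map each account name to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, as_of)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory: names, owners and dates are invented for illustration.
SAMPLE_INVENTORY = [
    PrivilegedAccount("ops-backup-svc", owners=[], last_login=date(2019, 6, 12),
                      password_set=date(2019, 6, 12)),
    PrivilegedAccount("fw-admin", owners=["alice", "bob", "carol"],
                      last_login=date(2021, 2, 26), password_set=date(2020, 1, 15)),
    PrivilegedAccount("router-core-01/admin", owners=["alice"],
                      last_login=date(2021, 2, 28), password_set=date(2021, 1, 10),
                      default_password=True, local_admin=True),
    PrivilegedAccount("alice-adm", owners=["alice"], last_login=date(2021, 2, 28),
                      password_set=date(2021, 1, 20), mfa=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Feeding this an export from a directory or a cloud IAM API is the usual next step; the point of the example is that "forgotten", "shared" and "never rotated" are concrete, checkable conditions rather than impressions.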
How are privileged accounts breached?
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” – Stéphane Nappo, Global Chief Information Security Officer at Société Générale International Banking.
This is indeed the truth. With the shift to remote work and the accelerated digitization brought on by COVID-19 in 2020, the attack surface available to bad actors has grown significantly. According to a Kaspersky report, 56% of organizations working remotely experienced credential theft and 48% experienced social engineering such as phishing. These are the biggest threats to privileged accounts, and to organizational security overall.
There are several scenarios in which this leads to large financial and reputational damage.
Imagine a user who holds several privileged accounts and, out of convenience, uses the same password for all of them. One day they receive an email that appears to come from their manager; the sender name and address merely mimic the real ones. Unaware that it is a phishing attempt, the user follows the link and fills in a form that asks them to log in to some of their accounts. They have now handed the credentials for every account sharing that password to an attacker, and the damage a single incident like this can cause is hard to overstate.
Attackers who obtain a user's credentials can also escalate from there, for instance by using a man-in-the-middle attack to capture privileged credentials. They then linger in the network long enough to learn how the IT teams operate, working in ways that avoid suspicion while doing damage and leaving as few traces as possible.
The need for Privileged Access Management
Privileged access management addresses the gaps listed above. With a PAM solution, privileged accounts are managed from one central, secured place, and access is granted on a least-privilege basis: each user gets only as much as their task requires.
One survey found that as many as 44% of security professionals believe an identity and access management solution would close their security gaps.
A PAM solution in an organization can be the difference between organizations staying secure and getting breached in the following ways:
- Stores credentials in a secured vault. Vaulted passwords are encrypted at rest and released only to authorized users, which greatly reduces the chance of a password being exposed. Because users no longer have to remember complex passwords, they also stop reusing the same one across accounts.
- Automates password rotation. A PAM solution can rotate a password on a schedule or every time someone checks it out to access an application. A stolen password then has a very short useful life, because the value used for one session no longer works for the next.
- Enforces least privilege across accounts. Least privilege ensures that even privileged users see only the data and systems their work requires. The scope of their privilege can be derived from role, seniority, the data being accessed and similar factors; it limits access without obstructing what they need to carry out their responsibilities.
- Session management that records what a privileged user actually did. Sessions are monitored end to end, from who logged in and when down to the granular detail of what was accessed, and the solution can notify the relevant people of activity that looks potentially dangerous to the organization.
- Audit reports for privileged accounts. Regulatory and compliance bodies in healthcare, banking, manufacturing, education and other industries impose standards, several of which include specific requirements for privileged accounts. With a PAM solution in place, producing the evidence those regulations require becomes far easier.
- Business justification for the use of privileged accounts. Adding context to access is key in today's threat landscape. Access to privileged accounts can be configured to require a business justification from the requester, so that the reviewer can make an informed decision.
- One place to monitor all privileged accounts instead of separate silos of access across the organization. As an organization grows, a streamlined view of all access becomes important, and for privileged accounts it is crucial. Managing them in a single PAM solution removes the need to sift through scattered access records and keeps all the data in one secure place.
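The vault, rotate-on-use, least-privilege, justification and audit-trail capabilities above fit together in one workflow: check a credential out, use it, check it in, and the vault rotates it so the value that was used is dead. The following is an added example written for this article, not code from the original page or from any PAM product: a minimal vault plus a stand-in target host that stores only a salted PBKDF2 hash of its admin password. The account name, roles, onboarding password and ticket number are constructed, and the clock is injected so the audit trail is reproducible.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


class TargetSystem:
    """Stand-in for a managed host: keeps only a salted PBKDF2 hash of its admin password."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def authenticate(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, self._hash(password))

    def change_password(self, current: str, new: str) -> None:
        if not self.authenticate(current):
            raise PermissionError("current password rejected")
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(new)


class Vault:
    """Role-gated checkout with justification, one session per account, rotation on
    every check-in, and an append-only audit trail. Not a real product's API."""

    def __init__(self, clock=datetime.now):
        self._clock = clock        # injectable so timestamps are reproducible
        self._entries = {}         # account -> {"target", "password", "roles"}
        self._sessions = {}        # account -> (user, checkout time)
        self.audit = []            # event dicts, appended only

    def _log(self, event: str, account: str, user: str, **extra) -> None:
        self.audit.append({"time": self._clock().isoformat(), "event": event,
                           "account": account, "user": user, **extra})

    def _rotate(self, account: str, user: str, reason: str) -> None:
        entry = self._entries[account]
        new_password = secrets.token_urlsafe(24)
        entry["target"].change_password(entry["password"], new_password)
        entry["password"] = new_password
        self._log("rotate", account, user, reason=reason)

    def onboard(self, account: str, target: TargetSystem, known_password: str, roles) -> None:
        """Take custody and rotate at once, so the password handed over during onboarding dies."""
        self._entries[account] = {"target": target, "password": known_password, "roles": set(roles)}
        self._rotate(account, user="vault", reason="onboard")

    def checkout(self, account: str, user: str, role: str, justification: str) -> str:
        entry = self._entries[account]
        if role not in entry["roles"]:                   # least privilege
            self._log("checkout-denied", account, user, role=role, reason="role")
            raise PermissionError(f"role {role} may not use {account}")
        if account in self._sessions:                    # no concurrent sharing of one secret
            self._log("checkout-denied", account, user, reason="in-use")
            raise RuntimeError(f"{account} is checked out by {self._sessions[account][0]}")
        self._sessions[account] = (user, self._clock())
        self._log("checkout", account, user, role=role, justification=justification)
        return entry["password"]

    def checkin(self, account: str, user: str) -> None:
        holder, started = self._sessions[account]
        if holder != user:
            raise PermissionError(f"{user} does not hold the session for {account}")
        del self._sessions[account]
        seconds = (self._clock() - started).total_seconds()
        self._log("checkin", account, user, duration_seconds=seconds)
        self._rotate(account, user=user, reason="checkin")   # the used password stops working here


def demo() -> dict:
    """Walk one credential through onboarding, checkout, check-in and a denied request."""
    ticks = (datetime(2021, 3, 1, 9, 0) + timedelta(minutes=m) for m in range(100))
    vault = Vault(clock=lambda: next(ticks))
    host = TargetSystem("Welcome123!")                   # constructed onboarding password
    vault.onboard("root@db-01", host, "Welcome123!", roles={"dba"})
    onboarding_pw_works = host.authenticate("Welcome123!")
    pw = vault.checkout("root@db-01", "alice", "dba", "INC-4711: restore from backup")
    session_pw_works = host.authenticate(pw)
    vault.checkin("root@db-01", "alice")
    replay_works = host.authenticate(pw)
    try:
        vault.checkout("root@db-01", "mallory", "helpdesk", "just looking")
        denied = False
    except PermissionError:
        denied = True
    return {"onboarding_pw_works": onboarding_pw_works, "session_pw_works": session_pw_works,
            "replay_works": replay_works, "denied": denied,
            "session_seconds": vault.audit[2]["duration_seconds"],
            "events": [e["event"] for e in vault.audit]}
```

Running `demo()` shows the onboarding password rejected immediately after onboarding, the checked-out password accepted during the session and rejected after check-in, the helpdesk request denied, and an audit trail that answers who, when, why and for how long.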
PAM within Identity and Access Management Solution
While PAM deals specifically with privileged accounts, Identity and Access Management deals with every user and identity in an organization. They differ in what they protect, but together they make for holistic security: IAM contributes Access Management and Identity Governance and Administration, and PAM sits within that larger picture.
Here are some scenarios:
- Even with an effective PAM solution, organizations still need additional layers of security. Applications can therefore be configured, at the admin's discretion, to require multi-factor authentication, so that access is granted only to users who authenticate correctly against every defined factor.
- Privileged access is also often granted on an emergency, need-to-know basis. In a large organization this can leave users holding entitlements that conflict with each other. For example, an admin responsible for operating the firewall must not also be the one who approves access to the firewall; no one should hold two entitlements where one approves the other. This principle is called segregation of duties, and SoD controls are most effectively enforced in an Identity and Access Management solution.
- Identity analytics also play a large role in securing PAM accounts. Combining machine learning, intelligent reporting and SIEM integration, many threats can be flagged and neutralized before a breach occurs, enabling a proactive approach to security.
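The segregation-of-duties point above is enforceable mechanically: keep a list of toxic combinations and refuse any grant that would complete one. The following is an added example, not code from the original article or from any IAM product; the rule set, users and entitlement names are constructed. It goes slightly beyond the firewall pair in the text in that a rule may name any number of entitlements, so three-way combinations are caught the same way.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed toxic combinations (assumptions for this example): entitlements that
# no single identity may hold together, keyed by the set, with the reason.
SOD_RULES: Dict[frozenset, str] = {
    frozenset({"firewall.operate", "firewall.approve-access"}):
        "firewall operator would approve access to the firewall",
    frozenset({"payments.create", "payments.approve"}):
        "same person creates and approves payments",
    frozenset({"iam.role.create", "iam.role.assign", "iam.audit.disable"}):
        "could mint a role, self-assign it and hide the trail",
}


def sod_violations(entitlements: Iterable[str]) -> List[str]:
    """Reasons for every rule whose full combination is held (subset test)."""
    held = set(entitlements)
    return [reason for combo, reason in SOD_RULES.items() if combo <= held]


def can_grant(current: Iterable[str], requested: str) -> Tuple[bool, List[str]]:
    """Preventive control at request time: allow only if no new conflict appears.
    Returns (allowed, new_conflicts) so the reviewer sees why a request is blocked."""
    before = set(sod_violations(current))
    after = sod_violations(list(current) + [requested])
    new_conflicts = [reason for reason in after if reason not in before]
    return (not new_conflicts, new_conflicts)


def review_assignments(assignments: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Detective control for periodic certification: who holds a toxic combination today."""
    report = {}
    for user, entitlements in assignments.items():
        violations = sod_violations(entitlements)
        if violations:
            report[user] = violations
    return report


# Constructed sample assignments; users and entitlements are invented.
SAMPLE_ASSIGNMENTS = {
    "alice": ["firewall.operate", "vpn.admin"],
    "bob":   ["firewall.operate", "firewall.approve-access"],   # granted in an emergency
    "carol": ["iam.role.create", "iam.role.assign"],            # two of three, not yet a violation
}

if __name__ == "__main__":
    print(review_assignments(SAMPLE_ASSIGNMENTS))
    print(can_grant(SAMPLE_ASSIGNMENTS["alice"], "firewall.approve-access"))
    print(can_grant(SAMPLE_ASSIGNMENTS["carol"], "iam.audit.disable"))
```

`can_grant` is the check to wire into the approval workflow; `review_assignments` is what an access certification campaign runs over the existing population to find conflicts that emergency grants have already created.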
Just In Time Privileged Access Management
Identity and Access Management greatly improves the effectiveness of PAM through its wide set of functionalities. Just-in-Time (JIT) access is another way of managing privileged accounts so that security is maintained continuously. Users are granted privileged access only when they need it and only for a stipulated time. It builds on the least-privilege principle of PAM, and the admin can set the duration of access based on the user or the sensitivity of the application. We have covered JIT for PAM in detail in the blog “What is Just-in-Time for PAM?”; read that post for a fuller treatment.
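The JIT model above can be expressed as a broker that issues grants with an expiry, caps the window by the sensitivity of the target, and re-checks the grant on every privileged action rather than only at login. The following is an added example written for this article, not code from the original page or from the linked blog post; the tiers, window lengths, resources, users and ticket numbers are constructed, and the clock is controllable so expiry can be exercised without waiting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed policy (assumptions for this example): longest elevation window per
# sensitivity tier, and the tier of each resource.
MAX_WINDOW = {"low": timedelta(hours=8), "high": timedelta(hours=1),
              "critical": timedelta(minutes=15)}
RESOURCE_TIER = {"build-server": "low", "prod-db": "high", "domain-controller": "critical"}


@dataclass
class Grant:
    user: str
    resource: str
    role: str
    expires_at: datetime
    justification: str


class Clock:
    """Controllable clock so expiry can be tested deterministically."""
    def __init__(self, start: datetime):
        self.now = start

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class JitBroker:
    """Issues time-boxed privilege grants; nothing is standing, everything expires."""

    def __init__(self, clock: Clock):
        self._clock = clock
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.log: List[dict] = []

    def request(self, user: str, resource: str, role: str,
                requested_for: timedelta, justification: str) -> Grant:
        tier = RESOURCE_TIER[resource]
        window = min(requested_for, MAX_WINDOW[tier])    # cap by sensitivity, never extend
        grant = Grant(user, resource, role, self._clock.now + window, justification)
        self._grants[(user, resource)] = grant
        self.log.append({"event": "grant", "user": user, "resource": resource,
                         "minutes": window.total_seconds() / 60})
        return grant

    def is_authorized(self, user: str, resource: str, role: str) -> bool:
        """Evaluated on every privileged action, not only at session start."""
        grant = self._grants.get((user, resource))
        if grant is None or grant.role != role:
            return False
        if self._clock.now >= grant.expires_at:
            self.revoke(user, resource, reason="expired")
            return False
        return True

    def revoke(self, user: str, resource: str, reason: str = "manual") -> None:
        if self._grants.pop((user, resource), None) is not None:
            self.log.append({"event": "revoke", "user": user, "resource": resource,
                             "reason": reason})

    def active(self) -> List[Grant]:
        """Standing access right now; with JIT this list should usually be empty."""
        now = self._clock.now
        return [g for g in self._grants.values() if g.expires_at > now]


def demo() -> dict:
    clock = Clock(datetime(2021, 3, 1, 9, 0))
    broker = JitBroker(clock)
    grant = broker.request("alice", "prod-db", "dba", timedelta(hours=4), "INC-4711 restore")
    minutes_granted = (grant.expires_at - clock.now).total_seconds() / 60     # 4h capped to 60
    clock.advance(timedelta(minutes=30))
    mid_session = broker.is_authorized("alice", "prod-db", "dba")
    wrong_role = broker.is_authorized("alice", "prod-db", "schema-admin")
    clock.advance(timedelta(minutes=31))
    after_expiry = broker.is_authorized("alice", "prod-db", "dba")
    broker.request("bob", "domain-controller", "domain-admin", timedelta(hours=1), "CR-88")
    dc_minutes = broker.log[-1]["minutes"]                                     # 1h capped to 15
    return {"minutes_granted": minutes_granted, "mid_session": mid_session,
            "wrong_role": wrong_role, "after_expiry": after_expiry,
            "dc_minutes": dc_minutes, "active": [g.user for g in broker.active()],
            "events": [e["event"] for e in broker.log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth noticing are that a request for more time than the tier allows is silently capped rather than escalated, and that authorization is re-evaluated per action, so a session that outlives its grant loses privilege mid-way instead of keeping it until logout.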
Zero Trust for Protecting Privileged Accounts During Covid-19
The pandemic brought a drastic digital shift. It is no surprise that many organizations struggled to make remote work a smooth transition, often for lack of business-friendly IAM solutions. As discussed above, PAM is especially exposed to the gaps in organizational security, and the need for a zero-trust model that also protects PAM became apparent. Yet this cannot be a siloed effort aimed only at PAM. Applying zero-trust principles to the entire organization through IAM is what protects privileged accounts as well: authentication policies at every level, users having to re-authenticate to elevate their access, and segmented access throughout the organization so that each identity holds nothing more and nothing less than its daily tasks require. Measures like these make it harder to reach PAM accounts, and harder even to breach a standard user account. You can read more about the correlation between zero trust and PAM here.
Privileged access management is crucial to protecting an organization's key functions. Access this important must be backed by the right security mechanisms. Give your employees secure access and relieve them of the worry of a data breach. PAM in combination with IAM paves the way to the holistic, extensive security that businesses need to thrive in today's digital landscape.