A new study from Cyber-Ark Software reports that 86% of large enterprises either do not know or have grossly underestimated the magnitude of their privileged account security problem, while more than half of them share privileged passwords internally. “It has become clear that privileged accounts are a priority target for cyber-attackers – every new report highlights this and every new attack reveals the privileged pathway the attackers are travelling,” said John Worrall, CMO of Cyber-Ark. The category covers privileged and administrative accounts, default and hardcoded passwords, application backdoors and more; these credentials act as a gateway to an organization’s most sensitive data across its systems, applications and servers.
Privileged identity management (PIM), which covers privileged accounts and super users, is just one small element of identity and access management (IAM), but a significant one, said Patrick McBride, VP of Marketing at Xceedium. The company’s network security and PIM product, Xsuite, protects against the risk posed by privileged users and their accounts, he said.
McBride said not securing privileged access is like not locking your home’s back door, or in a football metaphor, “not doing the basic blocking and tackling.” And if privileged identity management is a challenge overall, it only gets worse when you add in virtualization and cloud, he said.
Xceedium has found that approximately 80% of organizations attempting to use existing PIM solutions from their physical environments quickly recognize that these solutions don’t have the controls or architecture to allow them to safely maximize the benefits of the cloud. These solutions not only limit the flexibility and scalability of cloud systems, they also slow administration and management, impede productivity and limit the management of privileged users – creating significant security weaknesses.
Privileged user threats are not just limited to internal administrators and managers, but also to contractors and other third parties, said McBride. “In privileged environments, these guys can cover their tracks… so if somebody does do something, how do you recreate that?”
Xceedium’s answer is to force them through a single point of control, monitoring and recording – “think TiVo”. The activity is written to logs that the privileged users themselves cannot touch or even access, he said.
For those looking for a quick start on PIM, Xceedium offers the following top-10 best practices:
1. Create a process to on- and off-board privileged users. For sensitive positions, consider background checks. Always ensure individuals are trained in existing policies. Review and revise an individual’s rights periodically.
2. Implement Least Privilege–for everything. Individuals should only gain access to those specific resources and functions required to carry out their current responsibilities.
3. Implement strong authentication. At a minimum, consider strengthening user IDs and passwords. There’s a limit to how strong you can make credentials without also encouraging risky behavior like writing down passwords. So look to multi-factor authentication technologies as an easier-to-use means of strengthening authentication.
4. Separate authentication and authorization. Authentication to the network shouldn’t equate to visibility and access to all the resources on that network. It’s essential to remove direct end-point access to resources to prevent opportunistic attacks. It’s still true–hard on the outside and soft on the inside is great for candy, but lousy for security.
5. Manage passwords. Eliminating spreadsheets and flat files, and storing credentials in a secure, encrypted safe is a great first step. But ensure once passwords are protected they stay protected with changes and updates as circumstances require.
6. Ensure actions taken using shared administrative accounts like root can be attributed to a specific individual. Organizations use shared accounts like root–sometimes that’s easier to administer, and sometimes there just isn’t another option. But auditors increasingly demand to know precisely who performed an action.
7. Implement extra protections for the most critical privileged accounts. Basic risk management dictates the most sensitive resources deserve the most rigorous protections. In the hybrid cloud, management consoles–which deliver the power to make wholesale changes to infrastructure–are a common target worthy of additional protection.
8. Lock out sessions or accounts when violations occur. Privileged users have access to the most sensitive resources across the organization. They can create widespread damage–intentionally or unintentionally. So proactive controls that prevent unauthorized commands from being issued, and the ability to shut down sessions or accounts in the face of policy violations, are essential.
9. Generate alerts on violations. When a problem has been detected and prevented, pass the information on to security operations teams and SIEM/logging platforms for further investigation and action, or correlation with other activity.
10. Record everything. Particularly for the most sensitive systems, recording all user activity dramatically speeds reviews and investigations of incidents.
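Practices 6, 8, 9 and 10 fit together in one pipeline: attribute every action taken as a shared account to the person who invoked it, check the command against that person’s policy, raise an alert for the SIEM on a violation, and recommend a session or account lockout once violations pile up. The script below is an added example, not Xceedium’s or Cyber-Ark’s code, and it works on sudo’s default syslog line format, which already carries the invoking user next to the target account. The log lines, the per-user command allowlist (`ALLOWED`) and the lockout threshold are all constructed for the illustration; a real deployment would take the lines from a forwarder and the policy from the PIM system.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in sudo's default syslog format (not from any real system).
# The last line is the shape sudo itself logs when it refuses a command.
SAMPLE_LOG = """\
Jan 14 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 10:03:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 14 10:04:02 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/rm -rf /var/log/auth.log
Jan 14 10:05:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/nginx/error.log
Jan 14 10:06:00 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 14 10:06:30 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
"""

# Timestamp, host, invoking user, target account and the command as root saw it.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo:\s+(?P<user>\S+)\s+:"
    r".*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Hypothetical per-person policy (assumption): executables each user may run as root.
ALLOWED = {
    "alice": ("/usr/bin/systemctl", "/usr/bin/tail"),
    "bob": ("/usr/bin/systemctl",),
}
# Hypothetical threshold (assumption): violations before a lockout is recommended.
LOCKOUT_THRESHOLD = 2


def parse_sudo_line(line):
    """Return a dict of the sudo event fields, or None if the line is not a sudo command line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["denied_by_sudo"] = "command not allowed" in line
    return ev


def attribute_and_check(log_text, allowed=ALLOWED, threshold=LOCKOUT_THRESHOLD):
    """Attribute shared-account actions to individuals and flag policy violations.

    Returns (records, alerts): one record per parsed event (practice 6 / 10),
    one alert per violation with a lockout recommendation (practice 8 / 9).
    """
    records, alerts = [], []
    violations = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        # The command ran as `target` (root), but the record names the actual person.
        exe = ev["cmd"].split()[0]
        rec = {"ts": ev["ts"], "host": ev["host"], "actor": ev["user"],
               "ran_as": ev["target"], "command": ev["cmd"],
               "permitted": exe in allowed.get(ev["user"], ()) and not ev["denied_by_sudo"]}
        records.append(rec)
        if not rec["permitted"]:
            violations[ev["user"]] += 1
            alerts.append({
                "severity": "high",
                "actor": ev["user"],
                "host": ev["host"],
                "ran_as": ev["target"],
                "command": ev["cmd"],
                "reason": "refused by sudo" if ev["denied_by_sudo"] else "command outside policy",
                # Practice 8: once a user crosses the threshold, recommend shutting the session down.
                "lockout": violations[ev["user"]] >= threshold,
            })
    return records, alerts


def to_siem_events(alerts):
    """Serialize alerts as one JSON object per line, the shape most SIEM collectors ingest."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    records, alerts = attribute_and_check(SAMPLE_LOG)
    for r in records:
        print(f'{r["ts"]} {r["actor"]} as {r["ran_as"]}: {r["command"]} '
              f'({"ok" if r["permitted"] else "VIOLATION"})')
    for line in to_siem_events(alerts):
        print(line)
```

Note that the attribution only holds because the policy forces privileged work through a channel that records who invoked it; if users can `su -` to root directly, or can edit the log they appear in, the record stops being trustworthy, which is why the article’s point about logs the privileged user cannot touch matters.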