Privileged access refers to all accounts with more access rights than a default user. It can be either human or non-human users such as applications and machine identities. Privileged access enables organizations to secure their infrastructure and applications, conduct business more efficiently, and maintain the confidentiality of sensitive data and critical infrastructure. But these privileges carry risks. How do you effectively do privileged access management?
Examples of human privileged access accounts are superusers such as system administrators, domain administrators, local administrators and firecall or break glass accounts to perform specific actions in the event of an emergency. But, of course, also business users who need access to finance, human resources (HR) or marketing systems. The non-human users are often overlooked. Application and machine accounts to manage and control applications also often have increased access rights. The same applies to service accounts to communicate with the OS or configuration settings. SSH keys are also popular for running automated processes. In DevOps teams their is an increased use of secrets, an umbrella term for those SSH keys, but also API keys and other credentials to get (privileged) access.
We can conclude that privileged accounts are everywhere; their numbers are three to four times that of regular employees. The privilege-related attack surface is rapidly growing with more systems, applications, machine-to-machine accounts, cloud and hybrid environments, DevOps, RPA and IoT devices. Hackers know this; nowadays, the abuse of privilege accounts is at the heart of almost all attacks.
Challenges of Access management
Privileged access management (PAM) refers to a comprehensive cybersecurity strategy, where people, processes and technology are brought together to control, monitor, secure and audit all human and non-human privileged identities and activities in an enterprise IT environment. PAM (also known as privileged identity management or privileged access security) is based on the least privilege principle: users are given the minimum access rights necessary to do their job. It is a security best practice, reduces the attack surface and protects the accounts with more rights.
There are multiple challenges associated with privileged access management. Let’s start with the management of credentials. Many IT organizations rely on manual, error-prone administrative processes to rotate and update privileged accounts. This can be an inefficient and costly approach. In addition, many companies can’t track, let alone control, the activities of privileged accounts. In addition, they lack comprehensive threat analysis tools and are unable to proactively identify suspicious activities and resolve security incidents. The emergence of cloud platforms (IaaS, PaaS) and SaaS applications and social media has made managing access rights and compliance more complex. Finally, protecting Windows Domain controllers is difficult as attackers exploit vulnerabilities in the Kerberos authentication protocol to impersonate authorized users to access critical IT resources and confidential data.
The importance of privileged access management
People are the weakest link in a security system, from internal privileged users who abuse their access rights to external attackers who target users and steal their credentials to achieve their goal as privileged insiders. Privileged access management ensures that people only have the necessary access rights to do their job. In addition, security teams with PAM can identify malicious activities associated with privilege abuse and take prompt action to minimize any consequences.
Access rights are necessary for systems to communicate with each other,. It is essential when companies transition to cloud, DevOps, RPA and IoT solutions. More machines and apps need privileged access, which increases the attack surface. These non-human entities are much more abundant than employees in an average organization and are more difficult to monitor and manage – or even identify. Off-the-shelf apps typically need access to different parts of the network; access that can be abused without the appropriate measures. PAM takes access rights into account wherever these accounts reside – in the cloud or hybrid environments – and detects abnormal activity when it occurs.
Each endpoint has standard privileges. Built-in admin accounts are useful for local troubleshooting, but they also present significant risks. Attackers can abuse admin accounts and then jump from endpoint to endpoint, steal additional login credentials, increase privileges and move laterally through the network until they reach what they are looking for. A proactive PAM should handle the removal of local administrative privileges on workstations to reduce these risks.
PAM is also crucial for meeting compliance rules. The ability to track and detect suspicious events in an environment is critical, but without a clear focus on what poses the most significant risk – unmanaged, unguarded and unprotected privileged access – the company remains vulnerable. By implementing PAM as part of a comprehensive security and risk management strategy, organizations can record and log all activities related to critical IT infrastructure and sensitive information, which can simplify meeting audit and compliance requirements.
Roadmap for privileged access
The aforementioned challenges can be tackled by means of various best practices. In order to improve security, it is important to take the following steps to get privileged access management on the right track.
- Eliminate irreversible network takeovers through attacks. Isolate all privileged access to domain controllers and other Tier 0 and Tier 1 systems and require multiple authentications.
- Manage and secure infrastructure accounts. Place them in a centrally managed, digital vault. Rotate passwords regularly and automatically after each use.
- Limit lateral movement by completely removing endpoint users from local admin groups on Windows computers to prevent login credentials theft.
- Protect login data for external applications. All privileged accounts of third party apps should be kept in a safe, and hardcoded credentials for commercial off-the-shelf applications should be eliminated.
- Manage *NIX SSH keys by storing all SSH key pairs on Linux- and Unix production servers and rotate them regularly.
- Secure DevOps secrets in the cloud and on-site. Secure all Public Cloud privileged accounts, keys and API keys. Place all credentials and secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a secure vault so they can be retrieved, rotated automatically rotated and managed instantly.
- Secure SaaS admins and business users with increased access rights by isolating all access to shared IDs and requiring multi-factor authentication
- Invest in periodic Red Team exercises to test security. Validate and improve effectiveness against actual attacks.
Organisations that prioritise PAM as part of their broader security strategy can benefit from a number of organisational advantages: Reducing security risks and reducing the attack surface, lowering operational costs and complexity, improving visibility and insight into the company’s entire IT environment and improving compliance regulations.
This is a contribution submitted by Renske Galema, Regional Director at CyberArk. Through this link, you can find more information about the possibilities of the company.