Privileged Access Management: Protect High-Risk Accounts
In a cybercrime environment that constantly targets user credentials, organizations are turning to Privileged Access Management (PAM) to prevent the breaches that could do the most damage. An administrator’s Privileged Account credentials could let hackers roam across a network undetected for months. PAM protects these elevated credentials and enforces best security practices to minimize the attack surface and mitigate successful breaches.
We created this article to help you understand what Privileged Access Management is, the kinds of accounts it protects, why they are so vulnerable, and how PAM best practices can improve your organization’s security.
Privileged Access Management comprises a set of policies, processes, and tools designed to protect privileged access credentials from theft. Some people in your organization must be able to configure network routers or use the accounts payable system to keep things running. To do their jobs, these privileged users receive elevated access to networked resources.
Unfortunately, too many organizations fail to manage these Privileged Accounts effectively, which significantly increases their risk of attack. Cybercriminals love the power they get with compromised privileged credentials. Appearing to be a valid user, they can go anywhere on the network and access any system. A recent survey found that most organizations experienced theft of Privileged Account credentials, and almost all of them suffered damage from the resulting breach.
Privileged Access Management makes these breaches more difficult to accomplish and mitigates the damage from any breaches that do succeed. Using principles of role-based least privilege access, PAM limits the scope and duration of a user’s access privileges to the absolute minimum needed to get a specific job done.
A system administrator, for example, does not need 24x7 “just in case” access to an Active Directory server. PAM solutions provide “just in time” access when the administrator needs to make a change. The system revokes the user’s access once the task is complete. Other PAM policies may require unique credentials for each resource and eliminate shared accounts. These policies reduce the available attack surface and make lateral movement more difficult in the event a Privileged Account is compromised.
Much attention focuses on the IT context of user access, but privileged user accounts exist throughout the organization. Furthermore, the scope of a user’s privilege can range from control over a single device to authority over an entire network.
Research and development, accounting, customer service, and other departments have systems and databases that must be protected. Hackers gaining access to these accounts can exfiltrate personal information and proprietary company data.
Local administrator privileges let users install software and change operating system settings on a specific device. Should the user fall victim to a phishing attack, then the hacker could change system settings and install malware to establish a foothold on the network.
Administrators of Microsoft Active Directory domains need access to systems for managing users and their access permissions. A compromised domain admin account lets cybercriminals create user accounts with escalated privileges. Besides opening backdoors into the network, these new accounts appear to be valid users and let the criminals move laterally unnoticed.
Superuser accounts give administrators complete access to networked systems. If compromised, these superuser privileges let hackers do anything they want anywhere on the network.
People are not the only users with Privileged Accounts. Many applications and services require elevated access to networked resources in order to share data or manage performance. Hackers can hijack these accounts to surveil the network and spread malware.
Access management is never a one-and-done task. Employees get promoted, change roles, and leave the company. Contractors come and go. Unfortunately, security too often takes a back seat to other priorities. Overworked, under-resourced IT departments either cannot keep up or take shortcuts to get things done. As a result, Privileged Accounts provide a target-rich environment for cyberattacks.
Each time a user’s access needs to be changed, administrators must provision new permissions and deprovision old permissions. In today’s dynamic business environment, however, this access churn is unrelenting.
Over-provisioning new permissions: Administrators give users more access than is technically needed, thus avoiding the help desk calls and management complaints generated by more limited permissions.
Persistence of old permissions: Employees often need to keep their old permissions as they transition to new roles. But time-pressed administrators cannot follow up with every employee to confirm that it is okay to revoke the old permissions.
Delayed account deactivation: Weeks or months may pass before administrators deactivate the accounts of former employees or contractors. The same thing often happens with the temporary system accounts created during projects.
Some of the worst security habits are found in IT departments where workers’ technical expertise inspires overconfidence. In under-resourced departments, this cognitive bias leads to bad habits that undermine security.
Privilege creep: To make switching between systems easier, workers accumulate many permissions in a single account.
24x7 access: Administrators stay logged into their Privileged Accounts to avoid the hassle of logging in and out of different systems.
Password sharing: When many people need access to the same system, a shared password that rarely changes is easier than managing separate Privileged Accounts.
Preventing security issues such as privilege creep and abandoned accounts requires constant vigilance. But administrators are already overwhelmed by the number of alerts their systems generate. Tightening privileged access practices will add to that burden unless it is done in the right way.
Privileged Access Management does not need to be time-consuming nor expensive. Done right, PAM can improve productivity while making networks more secure. Organizations that successfully implement PAM strategies follow these best practices:
Perform a top-to-bottom audit of which users have access to which systems. The audit should extend beyond your employees to include contractors, consultants, and other outside parties. Document any third-party integrations with customers, suppliers, or service providers. By the same token, do not limit the audit to your on-premises resources. Include cloud-hosted assets and X-as-a-Service applications.
Your non-human users need to be part of the audit, so you understand which applications, automated tools, and other systems have privileged access to company resources. Evaluate the way each application, system, and device handles user credentials and integrates with your PAM solution.
A PAM system will grant elevated access permissions, when needed, to the users who need them. This requires clearly defined policies and processes that minimize exceptions.
Privileged Accounts, for example, must only be used for privileged activities. For email and other common applications, everyone, from executives and network administrators to interns, must use a standard, non-privileged user account. Should a standard account be compromised, its limited permissions give attackers fewer resources to establish themselves.
Privileged Accounts must be limited in scope to a specific resource or task. That means a network administrator will need a unique credential for each resource they access. Single sign-on systems and consistent enforcement will eliminate the convenience and productivity rationalizations that lead to bad security habits.
It is easier to avoid permission creep and over-provisioning by centralizing access management in a PAM solution. Access credentials are stored in a secure, encrypted vault when not used. Privileged users can only get the credentials through the PAM solution and must relinquish their credentials when their session ends.
PAM solutions use automation and analytical tools to deal with the constant flow of account activity logs and reduce the flood of alerts administrators deal with. These tools can detect anomalous behavior patterns to speed the response to potential threats. Furthermore, auditing tools let administrators conduct regular reviews to ensure compliance with SOC 2, HIPAA, and other standards and regulations.
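To make the just-in-time, scope-limited grants described earlier concrete, and to show how account activity logs can be checked against them, here is an added Python model that is not Twingate's code or any PAM product's. It assumes a constructed activity log in the form timestamp,user,resource,action and made-up role and resource names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Grant:
    user: str
    resource: str
    start: datetime
    ttl: timedelta
    revoked_at: datetime = None  # set when the task finishes before the TTL
    def active_at(self, t):
        end = self.start + self.ttl
        if self.revoked_at is not None:
            end = min(end, self.revoked_at)  # revocation closes the window early
        return self.start <= t < end
class JitPam:
    def __init__(self, role_resources):
        self.role_resources = role_resources  # role -> resources it may touch
        self.grants = []
    def request(self, user, role, resource, now, ttl=timedelta(hours=1)):
        # Least privilege: one user, one resource, one bounded window, in role scope.
        if resource not in self.role_resources.get(role, set()):
            return None
        grant = Grant(user, resource, now, ttl)
        self.grants.append(grant)
        return grant
    def revoke(self, grant, now):
        grant.revoked_at = now  # task complete: access ends now, not at the TTL
    def audit(self, log_lines):
        # Flag every logged privileged action that had no active grant at the time.
        findings = []
        for line in log_lines:
            ts, user, resource, _action = line.strip().split(",")
            t = datetime.fromisoformat(ts)
            if not any(g.user == user and g.resource == resource and g.active_at(t)
                       for g in self.grants):
                findings.append((user, resource, ts))
        return findings

def demo():
    pam = JitPam({"sysadmin": {"ad-dc01"}, "support": {"ticketing-db"}})  # constructed
    t0 = datetime(2024, 1, 15, 9, 0)
    grant = pam.request("alice", "sysadmin", "ad-dc01", t0)        # in scope: approved
    denied = pam.request("alice", "sysadmin", "ticketing-db", t0)  # out of scope: None
    pam.revoke(grant, t0 + timedelta(minutes=30))                  # change finished early
    log = [  # constructed sample activity log: timestamp,user,resource,action
        "2024-01-15T09:10:00,alice,ad-dc01,modify-gpo",  # inside window: allowed
        "2024-01-15T09:45:00,alice,ad-dc01,add-user",    # after revoke: flagged
        "2024-01-15T09:20:00,bob,ad-dc01,add-user",      # never granted: flagged
    ]
    return denied, pam.audit(log)
```

Each finding is a privileged action outside any approved window, which is the kind of anomaly a PAM solution's analytics would raise for review.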
Twingate’s solution simplifies Privileged Account Management and the establishment of least privilege access control policies. We do this by implementing Zero Trust principles through software-defined perimeters (SDPs) to support modern, more secure network architectures.
Traditional security approaches assume that users and resources within the secured perimeter can be trusted. Credential theft, however, lets hackers traverse networks while appearing to be a valid user. Any resources visible on the network are visible to the hackers.
Twingate hides each resource behind an SDP and denies all access requests until explicit authentication and authorization processes are complete. Twingate integrates with the most popular Identity Providers so you do not need to change your existing security stack. Our administrative interface lets you implement role-based access policies and simplifies the daily churn in user access management.
Privileged Accounts are essential to business productivity, yet they create significant security risks. A compromised account lets cybercriminals move laterally through your network undetected, exfiltrate sensitive data, and leave malware behind. Over-privileged and abandoned accounts, combined with poor security practices, expand the attack surface and increase the chances of a damaging security breach.
Twingate’s Zero-Trust solution provides a simple path to implementing Privileged Access Management. Least privilege access policies based on users’ roles limit the scope of each Privileged Account and minimize the potential impact of any single compromised account.
Contact Twingate to learn more about using our Zero Trust solution to implement Privileged Access Management.