Privileged Access Management

By Mark Combs posted 06-05-2017 11:35

What is it and why is it important?

I suppose the first question to answer is simply, “What is a privileged account?” Think of them as the master keys to your kingdom. These accounts allow administrative access to all sorts of devices: routers, switches, firewalls, servers, computers, applications – all of these have some administrative or “privileged” account that natively has rights to do whatever it wants within those devices or applications. They can change settings, create new configurations, delete data, open ports, install software, etc. These accounts are a critical component of what network, server, and application administrators do all day long.

Now that we have defined our subject, let’s take a deeper dive into what this really means. As we all know, every account needs a password, and every authorized user of that account needs to know that password in order to use the account. Herein lies the beginning of what can be a very complex and difficult situation to manage. Organizations can have hundreds of these accounts. Whether they are machine accounts that need to run a service at an elevated level or administrative accounts needed to complete a duty, they are everywhere. I would venture to say there are organizations with privileged accounts running without their knowledge, just churning along in the background. Incorrectly handled changes to these accounts can be devastating, possibly shutting down applications or servers for several hours or even days, depending on how well documentation on the accounts has been maintained.

On top of all of that, there’s just a small issue of security. Sure, your top network guy or gal definitely needs to know the Administrator account password, but what happens after they leave the organization? How many backdoors do they have to get back into your network? How do you change every password that they might have known? Do you even know how many privileged accounts you have on your network or in your applications? Can those accounts remote back into your network and wreak havoc? Depending on how they exited the organization, you might find yourself in a pretty precarious predicament.

Let’s face it: all accounts have the potential to be hacked. What happens if a privileged account is hacked? How quickly can you change all those passwords, assuming you even know you have the account in the first place? I could go on, but I’m sure you get the drift. Privileged accounts are an important part of your network and an even more important part of network security. Left poorly managed, or not managed at all, they could cost your organization reputational and financial harm in a major way.

It’s a scary scenario and, unfortunately, one that’s all too real. So, how do you address the problem in a way that can have a positive impact? Step one – The Risk Assessment.

While it’s not the most exciting thing in life to do, a good information security risk assessment will help you take the first step in fixing the problem. Simply identifying or scoping out the problem will go a long way toward remediation. I believe most people have a misconception that a risk assessment has to be cumbersome, difficult, long, boring (well, ok, it is), or something that’s well beyond the average person’s capabilities. My purpose here is not to extol the virtues of the risk assessment or give some in-depth explanation of how it’s completed. I do, however, wish to impress upon you that it can be done without having years and years of security expertise. Start with the most fundamental question: “Where do we keep our sensitive data?” Once you have that, you can then start to look at the systems, networks, and other software that make the data available to your end users. Identify those things, and then you can start to identify the privileged accounts that provide the highway of access. Know where the critical data lives, know the hardware and software that provide access, identify the privileged accounts associated with them, and then you can truly start to manage and protect them.

Now that we know what a privileged account is, the risks associated with them, and how to find them, let’s turn our attention to management and protection. I would bet a large sum of money that many of you reading this blog post have a super-secret Excel spreadsheet tucked away somewhere with all of the usernames and passwords of your most powerful and confidential accounts. How do you control access to the list of the almighty accounts? Do you know who on your team is accessing that list, when they access it, and what they do with the data they access? It used to be that we would apply the age-old security principle of “Trust, but verify”; in today’s world it has sadly become “Trust no one AND still verify”. Malicious insiders are the unfortunate reality of the rapidly expanding digital age.

Let’s say one of those elite network administrators on your team decides to go work for the competing organization across town. I hope you type fast, because if you’re like a lot of organizations, you’ll need to manually update every privileged account listed in your spreadsheet. Then, you’ll need to update the spreadsheet! It is a daunting task, and if the hot shot left in a huff, then you’ll need to work even faster. Beating them to the punch isn’t what most experts would consider a sound security practice. Set the leaving-employee scenario to the side for a moment: don’t we always force our users to change their passwords every 90 days? When was the last time you updated all of your privileged accounts, including routers, switches, firewalls, servers, backups, application administrator accounts, domain administrator accounts, and, last but not least, all the autonomous service accounts with administrative privileges across your systems? Oh and, by the way, that password should be 12-20 characters with uppercase, lowercase, a number, a special character, and not something found in a dictionary. Are we having fun yet?
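As an added illustration (not code from the post), here is a small audit of a constructed privileged-account inventory against the 90-day rotation interval and the 12-20 character password policy described above, together with a generator for compliant replacement passwords. The inventory rows, the dictionary sample and the audit date are assumptions built for the example.

```python
import secrets
import string
from datetime import date
# Policy values from the post: rotate every 90 days; 12-20 characters with
# upper, lower, digit and special, and not a dictionary word.
MAX_PASSWORD_AGE_DAYS = 90
MIN_LEN, MAX_LEN = 12, 20
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"
AUDIT_DATE = date(2017, 6, 5)  # the post's date, used as "today" for the audit
DICTIONARY_WORDS = {"password", "administrator", "welcome", "summer"}  # constructed
# Constructed stand-in for the "super-secret spreadsheet" of privileged accounts.
INVENTORY = [
    {"account": "Administrator", "system": "corp domain", "owner": "it-ops", "last_rotated": date(2017, 1, 10)},
    {"account": "svc-backup", "system": "backup01", "owner": "", "last_rotated": date(2016, 3, 2)},
    {"account": "admin", "system": "fw-core", "owner": "net-team", "last_rotated": date(2017, 5, 20)},
]

def password_meets_policy(pw, dictionary=DICTIONARY_WORDS):
    """True when pw satisfies the length, character-class and dictionary rules."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in SPECIALS for c in pw))
    if not all(classes):
        return False
    # Reject a bare dictionary word even when it is padded with digits or specials.
    return "".join(c for c in pw if c.isalpha()).lower() not in dictionary

def rotation_findings(inventory, today=AUDIT_DATE, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (account, system, reason) tuples for accounts needing attention."""
    findings = []
    for acct in inventory:
        age = (today - acct["last_rotated"]).days
        if age > max_age:
            findings.append((acct["account"], acct["system"], f"password {age} days old"))
        if not acct["owner"]:
            findings.append((acct["account"], acct["system"], "no documented owner"))
    return findings

def generate_password(length=16):
    """Build a policy-compliant replacement password with one char from each class."""
    pools = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    chars = [secrets.choice(p) for p in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    pw = "".join(chars)
    if not password_meets_policy(pw):
        raise ValueError("generated password failed policy check")
    return pw
```

Running `rotation_findings(INVENTORY)` flags the domain Administrator account as overdue and the backup service account as both overdue and ownerless, the two cases the paragraph warns about.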

Aside from being bitten by some radioactive bug and gaining super powers, what else can you do? How do you get a handle on the chaos of privileged accounts? Believe it or not, companies have created software to help, and it is called Privileged Account Management. Creative, right?

Privileged Account Management software, or PAM for short, can take the headache out of managing these extremely important accounts. Depending on the solution, the software can automate the password change process, keep passwords secret (even from your super network guru), and some solutions will record the actions of the users when they utilize the privileged account. The vendors in this space will be more than happy to show off their products and give you a much deeper dive than I have the ability to here. This type of software takes your security to a whole new level. With great power, though, comes great responsibility. PAM can help alleviate the challenges of managing passwords, keeping pace with changes, and following good security hygiene practices, and it provides great information for information security audits. A good PAM system will help you meet nearly half of the requirements outlined in the NIST Cybersecurity Framework.

It’s not quite as magical and easy as it sounds; nothing ever is. As with every critical system you’re responsible for, you will need to very carefully plan for the deployment of PAM. This should garner even more precautions than any other application you’ve installed, as it is very intrusive and affects the workflow of every administrator on your team. Don’t overlook the human element. In a perfect world, NONE of your users hold domain admin rights directly. Yes, that’s right: nobody’s account has domain admin rights, and they don’t know the password to “Administrator”. To gain that access, they have to use PAM. Sit there and let that sink in for a minute. That admin account on your router’s console? Nope, not anymore; it’s all in PAM.

All in all, Privileged Account Management software could be a great solution for organizations looking to up their information security game. Just going through the exercise of determining where the confidential or regulated information lives and mapping out all the accounts that have access to it is an outstanding step in itself (and required if you’re bound by HIPAA). Ultimately, each organization must weigh the pros and cons for themselves, as this is a big step and could cause major problems if not implemented correctly. But then again, you miss 100% of the shots you don't take (Wayne Gretzky)!