Overcoming the Operational Obstacles to Privileged Account Security

Privileged account management is one of the most critical components of any enterprise security strategy. Cybercriminals prize privileged account credentials because they provide administrator-level access to servers, security systems, network devices, databases, applications and other resources. If hackers are able to obtain the “keys to the kingdom,” they gain virtually unfettered access to an organization’s systems and data.

Best practices for privileged account management are well established:

  • Maintain separate credentials for each administrator
  • Enforce policies requiring strong passwords
  • Rotate passwords and authentication keys regularly
  • Adopt a least-privilege access policy
  • Log access and monitor administrator “behaviors”

dit-user-identities However, a recent survey by Thycotic and Cybersecurity Ventures found that many organizations do not follow these best practices. Twenty percent of survey respondents said they have not changed the default passwords on their privileged accounts, and 40 percent said they continue to use the default user IDs. Thirty percent said they allow multiple administrators to share privileged account credentials.

It’s not that organizations don’t understand the risks — 80 percent said that privileged account management is a high priority. However, administrators worry that securing privileged accounts will make their jobs harder. Under pressure to keep systems up and running and perform day-to-day maintenance tasks with limited resources, they are reticent to add another layer of complexity to their operational processes.

Often the problem is magnified by,

  • Service accounts that are created and existed without a process
  • Privileged Group with members that should not be there
  • Orphaned accounts with undue privileges
  • Lack of ownership in establishing a clean-up process

The problem is exacerbated by the time-consuming, manual processes that traditionally have been used to manage privileged accounts. After obtaining approval for a password change, an administrator would have to log into a system, change the account and update the spreadsheet used to track credentials. Any dependent applications and services would also have to be updated, and systems tested to ensure that the change didn’t break anything in production. Multiply that by all the resources within an organization and it’s easy to see the enormity of the challenge.

A privileged account security solution can relieve these headaches while dramatically boosting security. Through one, centralized platform organizations can:

  • Quickly create and delete accounts and track credentials
  • Rotate and control access to passwords and authentication keys
  • Propagate password changes throughout system dependencies
  • Minimize the need for business users to have administrator access
  • Monitor privileged account access and activities based upon role
  • Analyze administrator behavior to detect malicious actions
  • Enforce and update policies across all privileged accounts

Of course, a privileged account security solution is only a tool. As they say in software development: “If you automate a mess, you get an automated mess.”

Organizations must start by taking an inventory of all privileged accounts and which users have access to them. The next step is to understand the level of access that is required by various users and roles, and establish policies based upon those requirements. Granting full administrator access should be the rare exception rather than the rule.

Most organizations recognize that significant risks come with poor privileged account management. They just don’t have the time, resources or know-how to address the problem. Our consultants and engineers can help you map out a strategy for managing privileged accounts, and implement the right processes and technology to keep those accounts secure.

Leave a Comment