Jason Lucas, Security Consultant at Proact UK
For years organisations protected their crown jewels – their data – by building fences around assets. All new data came in via a single access point or from physical devices. However, this is no longer the case and traditional perimeters aren’t capable of doing the job. That’s why a lot of organisations are looking into privileged access management (PAM) as it covers access to computers, networks, software apps and more – basically a lot of the areas old security solutions don’t cover.
So what is PAM and why should you think about it? Let’s start by looking at privileged accounts and why we need them.
What is a privileged account?
A privileged account can be human or non-human and exists so IT professionals can manage applications, software and server hardware. Privileged accounts provide administrative or specialist levels of access and have higher levels of shared permissions. Non-human privileged accounts often take the form of application accounts which are used to run services that require specific permissions. In many cases, user accounts can also have elevated or administrative privileges attached to them.
Like user accounts, privileged accounts have passwords to control access. The problem with user and privileged account passwords is that lots of tools exist to aid hackers in cracking them. If a hacker manages to access a password-protected system, the damage can be catastrophic. Hijacking privileged accounts gives attackers the ability to access and download an organisation’s most sensitive data, distribute malware, bypass existing security controls, and erase audit trails to hide their activity.
Examples of privileged accounts include: local administrative accounts, domain administrator accounts, service accounts used by applications, and application accounts used to connect to databases.
In a typical IT environment there will be quite a few privileged accounts because, quite simply, we need them. That said, it’s crucial for organisations to be able to manage these accounts. They need to keep track of where they’re being used and by whom.
These accounts, which have increased levels of access, are a very tempting target for malicious attackers who want to gain a foothold in your organisation. Unfortunately, a lot of the time privileged accounts haven’t been set up with strong passwords. This plays right into an attacker’s hands and, for this reason alone, it’s key to uphold ownership and governance over these accounts.
Ultimately, privileged accounts represent the “keys to the kingdom” and, should they be stolen, compromised or abused, your business could suffer dire consequences.
What are my options?
PAM systems can be essential if you’re trying to tackle the management of these accounts, and if you want to gain visibility of where they’re being used. Furthermore, you can use systems like this to perform scans across server estates to see what accounts are actually being used on them (and get a centralised view of them).
The ability to securely manage all of your privileged accounts is just one of the benefits of having a PAM solution in your environment. Other benefits include:
- Using the platform to broker access to remote servers or devices (so that no one has the actual admin credentials)
- Performing session recording when 3rd parties access your systems out of normal working hours
- Monitoring who is accessing the privileged accounts within your infrastructure
- Providing a full audit trail of events
Gartner has placed privileged access management as its number one security project for both 2018 and 2019 (https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2019). It’d be a pretty safe bet to predict that PAM will be a top recommendation in 2020 too.
PAM solutions can also be advantageous if you’re looking to comply with standards such as ISO 27001 and PCI DSS. These have sections around the governance of privileged accounts and how you should monitor access to systems and resources.
If you’re thinking about security solutions and want a view on how you could improve your organisation’s security posture, feel free to contact Proact as we can provide an agnostic view on where your vulnerabilities may lie and potential ways forward.