When you delve into the nitty-gritty technical details of the kind of ransomware attacks and data breaches that regularly make media headlines, you’ll find that threat actors often exploit privileged access to achieve their goals. The complexity of today’s IT environments sees many different accounts (users and machines) with varying levels of access and permissions to different resources (apps, systems, devices, processes and data).
Some of these access levels are privileged—they go beyond the scope of capabilities and permissions associated with normal levels of access and, therefore, carry additional security risks. This article describes the discipline of privileged access management (PAM), which combines people, processes and technological solutions to help mitigate the risks of privileged access.
Privileged access management is a strategic effort to control, monitor, secure and audit elevated access permissions to IT assets and resources. What do these elevated permissions usually involve? As an example, a root account on Linux can access all programs, files and resources on that system. Other examples include an application account that has access to sensitive databases or a domain admin account in Active Directory that has access and administrative rights over all users and systems within a domain.
Abusing privileged access can wreak havoc and open up the door to installing ransomware or exfiltrating critical data. The keys that unlock the door are privileged account credentials, which include passwords, SSH keys and secrets that users, apps and machines can use to access servers, sensitive data and other critical resources. PAM encompasses efforts to strengthen the security of these extra sensitive credentials.
By getting more visibility, governance and control over privileged access levels, organizations can implement measures and safeguards that shrink their internal attack surface. Whether an outsider finds their way into your environment, or a malicious insider engages in nefarious activities, PAM can significantly reduce risks and minimize any damage caused.
Since privileged access confers special advantages over standard access levels within an IT environment, threat actors focus intently on finding and exploiting any potential path to these elevated access levels. One study found that 74 percent of data breaches can be traced to privileged credential abuse.
Sometimes, the pathway to elevated privileges comes from conducting reconnaissance to discover forgotten (orphaned) accounts with privileged access levels. This scenario is more common than one might think due to the intricacies of today’s IT infrastructures. Multiple people usually have superuser/admin access for spinning up virtual machines or tweaking cloud consoles.
Another factor increasing the risk levels (and hence the need for PAM) is DevOps, which focuses on speed and automation in application development. DevOps workflows commonly pose privileged access risks because security is an afterthought, so secrets or tokens end up being hard-coded.
Additional threats and challenges that justify PAM include over-provisioning access privileges, users setting weak passwords or companies not rotating credentials, privileged accounts and credentials shared among IT teams for convenience, credentials hard-coded into application communications, and siloed identity management tools.
Over-provisioning privileged access is a particular concern because IT admins don’t want to disrupt user workflows; thus, they provide broad levels of access that often go beyond what’s needed to perform job roles. Furthermore, the dynamic nature of modern roles is such that standard users can accumulate privileges they no longer need. Without effective PAM in place, you end up with a much larger attack surface in your network.
While effective privileged access management is something you could dedicate an entire book to, here are some best practices to consider.
Discover privileged accounts and credentials
The first and most important task to set the groundwork for PAM is the discovery of all privileged accounts and credentials with access to resources in your IT environment (including off-premises resources such as cloud apps). Ideally, this best practice is implemented with the help of a technology solution, such as a dedicated PAM tool, which automates most of the discovery.
Look for a tool that supports all platforms, including user identities on cloud infrastructure, Active Directory, IP address ranges and ad hoc entries. You’ll also want to be able to store privileged credentials in a safe vault where you can rotate and manage them securely. Manual methods such as spreadsheets to discover and keep track of privileged access just won’t cut it anymore; they get messy and complicated far too quickly.
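As an added illustration of the discovery step (this is example code, not from the article or any PAM product), the script below inventories privileged local accounts on a Linux host from constructed /etc/passwd, /etc/group and sudoers data: UID 0 accounts, members of root-equivalent groups, users named in sudoers rules (expanding %group entries), and, echoing the orphaned-account problem described earlier, any privileged account whose owner is missing from an identity export. The ACTIVE_OWNERS set and the choice of privileged groups are assumptions; a real run would read the live files and cross-reference the organisation's identity source.

```python
"""Discover privileged local accounts and flag orphaned ones.

Added example (not from the article): parses constructed /etc/passwd,
/etc/group and sudoers data. Real discovery would read the live files
and cross-reference an identity source; ACTIVE_OWNERS stands in for it.
"""
from dataclasses import dataclass, field

# Constructed sample data; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
deploy:x:1003:1003:CI deploy:/home/deploy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
docker:x:999:deploy
"""

SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
alice ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) /usr/bin/systemctl restart app
"""

# Groups treated as privileged; docker is root-equivalent on most hosts.
PRIVILEGED_GROUPS = ("root", "sudo", "wheel", "docker")
# Assumption: owners confirmed active in the identity system (e.g. an HR export).
ACTIVE_OWNERS = {"root", "alice", "bob"}


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    reasons: list = field(default_factory=list)


def parse_passwd(text):
    """Map account name -> Account from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), shell)
    return accounts


def parse_group(text):
    """Map group name -> set of member names from group-format lines."""
    members = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        gname, _pw, _gid, mems = line.split(":")
        members[gname] = {m for m in mems.split(",") if m}
    return members


def parse_sudoers(text, groups):
    """Return the users granted any sudoers rule, expanding %group entries."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if who.startswith("%"):
            users |= groups.get(who[1:], set())
        else:
            users.add(who)
    return users


def discover_privileged(passwd=PASSWD, group=GROUP, sudoers=SUDOERS,
                        active_owners=ACTIVE_OWNERS):
    """Return {name: Account} for every privileged account, with the reasons."""
    accounts = parse_passwd(passwd)
    groups = parse_group(group)
    sudo_users = parse_sudoers(sudoers, groups)
    found = {}
    for acct in accounts.values():
        if acct.uid == 0:
            acct.reasons.append("uid 0")
        for g in PRIVILEGED_GROUPS:
            if acct.name in groups.get(g, set()):
                acct.reasons.append(f"member of {g}")
        if acct.name in sudo_users:
            acct.reasons.append("sudoers rule")
        if acct.reasons:
            if acct.name not in active_owners:
                acct.reasons.append("ORPHANED: no active owner")
            found[acct.name] = acct
    return found


if __name__ == "__main__":
    for name, acct in discover_privileged().items():
        print(f"{name:8} uid={acct.uid:<6} {', '.join(acct.reasons)}")
```

In the constructed data, `toor` (a second UID 0 account) and `deploy` (sudo and docker member with a sudoers rule) surface as orphaned because no active owner claims them; those are exactly the entries that belong in the vault-and-review workflow rather than in a spreadsheet.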
Enforce the least privilege principle
An access strategy based on the principle of least privilege makes a big difference in reducing privileged access risks, particularly for users who accumulate excessive privileges over time. This principle strictly limits privileges to only what’s necessary for a user, endpoint or application to complete its role or task.
When standard users need their privileges elevated, it should be done in a just-in-time fashion, right when it’s needed for specific resources. These elevations in privileges should also be time restricted.
Monitor and audit privileged activity
Ideally, security teams will be able to monitor privileged sessions for users and apps as part of your company’s PAM approach. This monitoring and auditing helps to identify anomalies or risky behaviors both before and after a security incident. Activities should be compared to a baseline that represents normal patterns of privileged access use for the given app or user. It’s also important that new privileged accounts are identified and go through a suitable approval/review process.
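To make the baseline comparison concrete, here is an added example (not code from the article or from any PAM product) that builds a per-user baseline from constructed syslog-style sudo entries and then flags new events that deviate from it: a host, target user or command the user has never used before, an hour well outside their usual window, or a privileged user with no baseline at all (the "new privileged account" case that should trigger review). The log lines, user names and the three-hour slack are all assumptions; a real deployment would derive the baseline from weeks of session records in the PAM tool or SIEM.

```python
"""Flag privileged activity that deviates from a per-user baseline.

Added example (not from the article): the log lines are constructed
syslog-style sudo entries. A real deployment would build the baseline from
weeks of session records, not four lines.
"""
import re
from collections import defaultdict

# Constructed baseline: what "normal" looked like for alice and bob.
BASELINE_LOG = """\
Mar 01 09:12:03 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 01 10:40:11 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx
Mar 02 09:05:47 web1 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 02 14:22:09 db1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/pg_dump app
"""

# Constructed new activity to evaluate against the baseline.
NEW_LOG = """\
Mar 03 09:30:00 web1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 03 02:41:18 web1 sudo: alice : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/etc.tgz /etc
Mar 03 11:00:05 db1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd svc2
Mar 03 11:05:00 db1 sudo: mallory : TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(
    r"^\w{3} \d{2} (?P<hh>\d{2}):\d{2}:\d{2} (?P<host>\S+) sudo: (?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>\S+)"
)
HOUR_SLACK = 3  # assumption: hours outside the observed window before it counts as off-hours


def parse(log):
    """Yield (user, host, target_user, command_binary, hour) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], m["host"], m["target"], m["cmd"], int(m["hh"])


def build_baseline(log):
    """Per user: the hosts, target users, command binaries and hours seen."""
    base = defaultdict(lambda: {"hosts": set(), "targets": set(),
                                "cmds": set(), "hours": set()})
    for user, host, target, cmd, hour in parse(log):
        b = base[user]
        b["hosts"].add(host)
        b["targets"].add(target)
        b["cmds"].add(cmd)
        b["hours"].add(hour)
    return dict(base)


def find_anomalies(baseline, log):
    """Return one finding per event that deviates from its user's baseline."""
    findings = []
    for user, host, target, cmd, hour in parse(log):
        b = baseline.get(user)
        if b is None:
            # Privileged use by an account with no history: route to review.
            findings.append({"user": user, "reasons": ["no baseline: new privileged user"]})
            continue
        reasons = []
        if host not in b["hosts"]:
            reasons.append(f"new host {host}")
        if target not in b["targets"]:
            reasons.append(f"new target user {target}")
        if cmd not in b["cmds"]:
            reasons.append(f"new command {cmd}")
        lo, hi = min(b["hours"]) - HOUR_SLACK, max(b["hours"]) + HOUR_SLACK
        if not lo <= hour <= hi:
            reasons.append(f"off-hours {hour:02d}:00")
        if reasons:
            findings.append({"user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f["user"], "->", "; ".join(f["reasons"]))
```

Alice's routine nginx restart passes silently, while her 02:41 archive of /etc, Bob's first use of root (rather than postgres) to create an account, and Mallory's appearance with no history each produce a finding. Matching on the command binary rather than the full command line keeps the baseline from fragmenting on arguments; a production rule set would add session recording and per-resource context on top of this.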
Avoid always-on access
Privileged accounts shouldn’t be available with “always-on” access for admins and other users with these special permissions. A more secure approach is to move to an on-demand model so that privileged accounts can only be used for specific tasks and intended purposes. This ties into the least privilege strategy because the admin then needs to provide a genuine business justification for using a privileged account.
It’s also wise to separate the privileges of an admin or other privileged accounts from a normal account so that privileged accounts aren’t even usable for regular day-to-day access. These measures together decrease the risk of privileged account compromise and abuse.
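The just-in-time, time-restricted elevation described under least privilege and the on-demand model described here share one mechanism: a grant that exists only for a stated purpose and a bounded window. The following added example (not code from the article or any PAM product) sketches that mechanism as an in-memory broker: a request must carry a business justification and an independent approver, its lifetime is capped by policy, every allow/deny decision is written to an audit trail, and expired grants simply stop working. The approver set, the two-hour cap, the ticket reference and the timestamps are constructed assumptions.

```python
"""Just-in-time, time-boxed privilege grants instead of always-on admin access.

Added example (not from the article): an in-memory broker standing in for
the grant/approval logic of a PAM tool. Assumptions: an approver set from
the identity system, a policy cap on grant lifetime, and UTC timestamps.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    justification: str
    approved_by: str
    granted_at: datetime
    expires_at: datetime


class JitBroker:
    MAX_TTL = timedelta(hours=2)  # assumption: policy cap on any single elevation

    def __init__(self, approvers):
        self._approvers = set(approvers)
        self._grants = []
        self.audit = []  # (event, user, resource, time): feeds session monitoring

    def request(self, user, resource, justification, ttl, approved_by, now):
        """Issue a time-boxed grant; refuses blank justifications and self-approval."""
        if not justification.strip():
            raise ValueError("business justification required")
        if approved_by not in self._approvers or approved_by == user:
            raise PermissionError("independent approver required")
        ttl = min(ttl, self.MAX_TTL)  # never longer than policy allows
        grant = Grant(user, resource, justification.strip(), approved_by, now, now + ttl)
        self._grants.append(grant)
        self.audit.append(("grant", user, resource, now))
        return grant

    def revoke(self, user, resource, now):
        """Early revocation, e.g. when the task finishes or an incident starts."""
        keep = [g for g in self._grants if not (g.user == user and g.resource == resource)]
        if len(keep) != len(self._grants):
            self._grants = keep
            self.audit.append(("revoke", user, resource, now))

    def is_allowed(self, user, resource, now):
        """Permit access only inside a live grant window; every check is logged."""
        live = any(g.user == user and g.resource == resource
                   and g.granted_at <= now < g.expires_at for g in self._grants)
        self.audit.append(("allow" if live else "deny", user, resource, now))
        return live

    def active_grants(self, now):
        """What a periodic review should see: grants that have not yet expired."""
        return [g for g in self._grants if now < g.expires_at]


def demo():
    """Walk one 30-minute elevation through its lifetime; returns the decisions."""
    t0 = datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"carol"})
    # "INC-0042" is a constructed ticket reference for the justification.
    broker.request("alice", "prod-db", "INC-0042 restore table", timedelta(minutes=30), "carol", t0)
    return [
        broker.is_allowed("alice", "prod-db", t0 + timedelta(minutes=10)),   # inside window
        broker.is_allowed("alice", "prod-db", t0 + timedelta(minutes=31)),   # expired
        broker.is_allowed("alice", "prod-web", t0 + timedelta(minutes=10)),  # never granted
    ]


def demo_policy():
    """Exercise the refusal paths and the cap; returns (blank_refused, self_refused, capped_seconds)."""
    t0 = datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"carol", "alice"})
    try:
        broker.request("alice", "prod-db", "   ", timedelta(minutes=5), "carol", t0)
        blank_refused = False
    except ValueError:
        blank_refused = True
    try:
        broker.request("alice", "prod-db", "self-serve", timedelta(minutes=5), "alice", t0)
        self_refused = False
    except PermissionError:
        self_refused = True
    g = broker.request("alice", "prod-db", "long migration", timedelta(hours=8), "carol", t0)
    return blank_refused, self_refused, int((g.expires_at - g.granted_at).total_seconds())


if __name__ == "__main__":
    print(demo())         # [True, False, False]
    print(demo_policy())  # (True, True, 7200)
```

Because the broker is the only path to the privileged account, the admin's everyday identity holds no standing rights at all, which is the separation of duties the paragraph above calls for; the audit list doubles as the session record that the monitoring step consumes.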