Privileged accounts are the prime target of attackers looking to reach an organization’s assets. Without a way to inventory, secure, record and analyze privileged users and the privileged sessions they run, it is only a matter of time before an attacker reaches your most critical assets. That is where setting Privileged Access Management standards comes in.
Why Should You Set Up Privileged Access Management Standards?
Privileged Access Management (PAM) touches everything in your organization. Every piece of technology you run has privileged accounts, and every business process depends on at least one application. You do not want to hand out privileged access to everyone. You need to ensure that whoever you entrust with privileged credentials actually needs them and will use them appropriately.
You also need visibility of your privileged users and their sessions, both to protect those users and to meet compliance obligations. If I walk into a company and ask, “How many people have the root account to your accounting systems?”, the people who can answer, “Zero, and here is the proof,” are the ones with a Privileged Access Management solution keeping track.
Having Privileged Access Management standards also ensures that, when it is time for an audit, you have the information you need on who performed which actions, on which account, and when.
What Steps Should You Take to Put Your PAM Access Policies/Standards in Place?
The first step in putting Privileged Access Management standards in place is to perform a business analysis. Many organizations do not know which of their assets are at risk or who their privileged users are. I have seen customers run proofs of concept that revealed thousands of orphaned accounts they never knew existed until that moment. You will not know where your risk is until you go looking.
A business analysis can reveal:
- Your orphaned accounts
- Where the risk is in your organization
- The threat vectors that increase that risk
If you can trace a threat vector back to an asset (such as an application, system or business process), you have a source of inspiration for new Privileged Access Management standards to put in place.
Overall, a business analysis shows you where the risk in your organization is and which of your processes carry it. Once you understand those risks, you can start building a map of where your Privileged Access Management standards and controls need to sit and what effect they will have on the risk.
What Should You Consider When Setting Up Standards for PAM Access?
There are a few controls that are important for organizations to consider when planning Privileged Access Management standards:
- Individual Accountability: If an account can perform significant risk-carrying actions, the individuals who use it need to be held accountable for what they do with it. One way to achieve this is to ensure that nobody holds a standing credential for your privileged accounts. When a user needs a privileged account, they request it and are issued its password for the duration of the task; once they are finished, the password is rotated. For the period the user holds the account, they are individually accountable for it, so you know exactly who was using which account and when. This is an important part of the Zero Trust principle of “never trust, always verify.”
- Session Monitoring: Individual accountability has one limitation: while you know who held each account, you do not necessarily know what they did with it. Session recording provides a video recording and audit trail of the session itself, which removes that uncertainty. Used in combination with credential check-out, the PAM solution can authenticate the session with the account password on the user’s behalf, without ever disclosing it. This takes Zero Trust a step further: high-risk passwords never see the light of day.
- Analytics: Adding analytics lets you track user behavior and learn what is normal and what is abnormal. You can also assign a risk score to the actions people take within accounts, so that when a session is labeled abnormal you are alerted and can review that session specifically. You can take it a step further with behavioral biometrics: analyzing how a person behaves rather than what they do within an account. Examples are typing patterns and mouse gestures: people type differently, move the mouse differently, and let the cursor linger in different places on the screen. Machine learning records that information and builds a biometric profile of keyboard and mouse behavior, to the point where it can tell when someone is impersonating a user.
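The kind of risk scoring the Analytics control describes, as an added example that is not part of the original post: a small Python scorer that builds a per-user baseline of previously accessed hosts from past sessions, then scores new sessions for off-hours activity, access to a host the user has never touched, and high-risk commands, alerting above a threshold. The session records, the command patterns, the rule weights and the threshold are constructed assumptions for illustration, not any product’s actual model.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: past sessions that form each user's behavioural baseline.
BASELINE_SESSIONS = [
    {"user": "alice", "host": "db-prod-01", "start": "2024-03-04T10:15:00",
     "commands": ["SELECT count(*) FROM orders", "SHOW TABLES"]},
    {"user": "alice", "host": "db-prod-02", "start": "2024-03-05T14:02:00",
     "commands": ["SELECT * FROM customers LIMIT 10"]},
    {"user": "bob", "host": "web-prod-01", "start": "2024-03-04T09:30:00",
     "commands": ["systemctl restart nginx", "tail -n 50 /var/log/nginx/error.log"]},
]

# Constructed sample: new sessions to score against that baseline.
NEW_SESSIONS = [
    {"user": "alice", "host": "db-prod-01", "start": "2024-03-06T11:10:00",
     "commands": ["SELECT count(*) FROM orders"]},
    {"user": "bob", "host": "db-prod-01", "start": "2024-03-09T02:45:00",  # a Saturday, 02:45
     "commands": ["cat /etc/shadow", "useradd -m svc-backup", "DROP TABLE audit_log"]},
]

# Assumed high-risk command patterns; a real deployment tunes these per platform.
HIGH_RISK = [re.compile(p, re.IGNORECASE) for p in (
    r"^\s*rm\s+-rf\b", r"\bDROP\s+TABLE\b", r"\buseradd\b", r"/etc/shadow",
    r"\bchmod\s+[0-7]*777\b", r"\bcurl\b.*\|\s*(ba)?sh\b",
)]

# Assumed rule weights and alert threshold.
WEIGHT_OFF_HOURS, WEIGHT_NEW_HOST, WEIGHT_PER_RISKY_CMD, RISKY_CMD_CAP = 30, 25, 20, 60
ALERT_THRESHOLD = 50


def build_baseline(sessions):
    """Per user, the set of hosts they have previously accessed."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[s["user"]].add(s["host"])
    return hosts


def score_session(session, baseline):
    """Return (score, reasons) for one session; higher means more abnormal."""
    score, reasons = 0, []
    start = datetime.fromisoformat(session["start"])
    # Weekend or outside 07:00-19:00 counts as off-hours (assumed working window).
    if start.weekday() >= 5 or not 7 <= start.hour < 19:
        score += WEIGHT_OFF_HOURS
        reasons.append(f"off-hours session at {start:%a %H:%M}")
    if session["host"] not in baseline.get(session["user"], set()):
        score += WEIGHT_NEW_HOST
        reasons.append(f"{session['user']} has never accessed {session['host']}")
    risky = [c for c in session["commands"] if any(p.search(c) for p in HIGH_RISK)]
    if risky:
        score += min(WEIGHT_PER_RISKY_CMD * len(risky), RISKY_CMD_CAP)
        reasons.append("high-risk commands: " + "; ".join(risky))
    return score, reasons


def flag_abnormal(sessions, baseline, threshold=ALERT_THRESHOLD):
    """Sessions whose score meets the threshold, for targeted review."""
    flagged = []
    for s in sessions:
        score, reasons = score_session(s, baseline)
        if score >= threshold:
            flagged.append({"user": s["user"], "host": s["host"],
                            "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_abnormal(NEW_SESSIONS, build_baseline(BASELINE_SESSIONS)):
        print(hit)
```

Alice’s daytime query on a host she normally uses scores zero; Bob’s 02:45 Saturday session on a database host he has never touched, running credential-harvesting and destructive commands, lands well above the threshold and is the one session a reviewer is pointed at. The weights are deliberately additive so the reasons list explains exactly why a session was flagged.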
Of course, even once you have chosen and set up these Privileged Access Management standards and controls, there will be situations that call for an exception. Say your organization’s Active Directory goes down at 2:00 a.m. You need access to a specific account to fix the outage, but the person who normally approves access to that account is at home asleep. What can you do? Make an exception. Exceptions can be part of your Privileged Access Management standards as long as they are auditable, and you can build them into the policies of your identity governance platform. For example, when access to an account is requested outside normal business hours, there could be a “This is an Emergency” option: tick the box and you get special access. You still get the access you need, the session is recorded, and you are held individually accountable for everything that happens while you hold the access. All of it is auditable.
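The check-out, rotate-on-return and break-glass workflow from the Individual Accountability control and the exception described above, as an added example that is not part of the original post: an in-memory Python vault that releases a password to one accountable user at a time, rotates it when the account is checked back in so the disclosed value is dead, and allows an emergency check-out without an approver only outside business hours, flagging it for mandatory review. The account and approver names, the business-hours window, and the rule that break-glass is offered only outside that window are constructed assumptions, not any product’s behavior.

```python
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=32):
    """Fresh random credential; issued on enrollment and after every check-in."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    """Toy check-out/check-in vault: one holder per account, rotate on return,
    approver or break-glass required, and every step appended to an audit log."""

    def __init__(self, approvers, business_hours=(8, 18), clock=None):
        self._secrets = {}        # account -> current password
        self._holder = {}         # account -> user currently holding it
        self.audit_log = []       # append-only list of events
        self.approvers = set(approvers)
        self.business_hours = business_hours  # assumed policy window (hour start, hour end)
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for tests

    def _log(self, event, account, user, detail="", emergency=False):
        self.audit_log.append({"time": self._clock().isoformat(), "event": event,
                               "account": account, "user": user, "detail": detail,
                               "emergency": emergency, "reviewed": False})

    def enroll(self, account):
        self._secrets[account] = generate_password()
        self._log("enroll", account, "system")

    def in_business_hours(self, when):
        start, end = self.business_hours
        return when.weekday() < 5 and start <= when.hour < end

    def checkout(self, account, user, approved_by=None, emergency=False, justification=""):
        """Release the password to exactly one accountable user, or refuse."""
        if account not in self._secrets:
            raise KeyError(f"unknown account {account}")
        if account in self._holder:
            raise PermissionError(f"{account} is already checked out to {self._holder[account]}")
        now = self._clock()
        if approved_by in self.approvers:
            detail = f"approved by {approved_by}"
        elif emergency:
            # Assumed rule: break-glass is only offered outside business hours,
            # and it must carry a written justification that lands in the audit log.
            if self.in_business_hours(now):
                raise PermissionError("break-glass is only available outside business hours")
            if not justification:
                raise PermissionError("break-glass requires a written justification")
            detail = f"BREAK-GLASS: {justification}"
        else:
            raise PermissionError("no approver and no emergency justification")
        self._holder[account] = user
        self._log("checkout", account, user, detail, emergency=emergency)
        return self._secrets[account]

    def checkin(self, account, user):
        """Return the account and rotate it so the disclosed password is now dead."""
        if self._holder.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._holder[account]
        self._secrets[account] = generate_password()
        self._log("checkin+rotate", account, user)

    def password_is_current(self, account, password):
        return secrets.compare_digest(self._secrets[account], password)

    def pending_reviews(self):
        """Break-glass events nobody has signed off on yet."""
        return [e for e in self.audit_log if e["emergency"] and not e["reviewed"]]


if __name__ == "__main__":
    # Constructed scenario: Saturday 02:00 UTC, the approver is asleep.
    two_am = lambda: datetime(2024, 3, 9, 2, 0, tzinfo=timezone.utc)
    vault = PrivilegedVault(approvers={"carol"}, clock=two_am)
    vault.enroll("ad-domain-admin")
    pw = vault.checkout("ad-domain-admin", "alice", emergency=True, justification="AD outage")
    vault.checkin("ad-domain-admin", "alice")
    print("old password still valid:", vault.password_is_current("ad-domain-admin", pw))
    for event in vault.pending_reviews():
        print("needs review:", event)
```

Two properties worth noticing: a second user cannot check the account out while Alice holds it, even with an approver, so the audit log always names exactly one accountable holder; and the emergency path writes the same checkout event as the normal path plus an `emergency` flag, so the review queue is derived from the log rather than from a separate, forgettable process.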
Setting up Privileged Access Management standards for who gets access to which accounts is key to defending against attackers who target privileged accounts. Without those controls an organization is exposed to misuse by internal or external bad actors. Implementing Privileged Access Management standards sets an organization on the path to fully managing its privileged accounts.