It’s no secret that all organizations use privileged accounts, and for good reason: they allow the user to control systems, resources and applications.
As a result, auditors are particularly interested in them and, for the same reasons, privileged accounts are particularly targeted during cyber attacks. In this context, demonstrating the compliance of access rights to privileged accounts while ensuring an optimal level of security is a priority for all organizations.
With over ten years of expertise in Identity Analytics, Brainwave GRC focuses on this topic by taking stock of the problems its customers face and identifying a number of best practices to follow. From using a PAM system to implementing real governance of privileged accounts, let’s take a look at how to respond to auditors while reducing risks and threats to these sensitive assets.
Definition, characteristics and specifics: how do we identify privileged accounts?
Standard accounts vs. privileged accounts: how do you tell them apart?
There are generally two types of accounts within organizations. First, there are standard accounts, which grant employees minimal access rights in keeping with the principle of least privilege. Each employee can use a standard account only to access the organization’s systems and applications that are necessary for the performance of his or her job functions, no more and no less. The principle of least privilege should be applied systematically: it is a basic rule when it comes to demonstrating the compliance of granted access rights, and it also makes it possible to limit any risk related to these rights.
As a result, some actions cannot be performed using the standard access rights given to employees. This is particularly the case when you want to configure a system or an application, grant access rights to other team members or make payments. Standard access rights are no longer sufficient, as it is necessary to be granted privileged access rights to carry out these more sensitive operations.
As we have learned from our customers, there is currently no strict definition of privileged accounts, meaning that there is no threshold level of access beyond which an account is considered privileged. Each organization sets its own criteria for determining whether an account is standard or privileged, depending on its context and use cases. The one characteristic common to all privileged accounts, and therefore usable to identify them, is that they hold more access rights than a standard account within the organization.
What are the different types of privileged accounts?
Many people think that privileged accounts are nothing more than the administrative accounts within the organization. In reality, they can be of many different types.
Two main groups of privileged accounts can be designated:
- Named accounts such as personal accounts and others referred to as “super user accounts.” They are assigned to an identity with privileged access rights on an individual basis.
- Non-named accounts, such as technical accounts. They may be shared by several distinct identities and include services and applications used by the organization’s systems to access other systems and applications.
Privileged accounts can be found everywhere: locally, in the cloud, within infrastructures, operating systems, network devices or even at the heart of applications and servers. They can be managed locally or centrally using directories such as Active Directory or through a PAM system.
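The criterion above (more rights than a standard account) and the named/non-named split can be turned into a simple inventory check. The following is an added example, not Brainwave GRC code: it takes a constructed account export, compares each account's rights with a hypothetical standard baseline, tags anything with excess rights as privileged, and separates named accounts (assigned to one identity) from non-named technical or shared accounts. The baseline, the `SENSITIVE_PREFIXES` list and the risk rating are assumptions made for the example; a real baseline would come from the organization's role model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Hypothetical baseline: the rights every standard employee account holds
# (constructed for this example; a real baseline comes from the role model).
STANDARD_BASELINE: FrozenSet[str] = frozenset(
    {"mail:read", "mail:send", "intranet:read", "hr-portal:self"}
)
# Rights treated as sensitive in this example (assumption, not a standard list).
SENSITIVE_PREFIXES = ("admin:", "payments:", "iam:")


@dataclass(frozen=True)
class Account:
    name: str
    system: str             # where the account lives: AD domain, host, application...
    owner: Optional[str]    # identity it is assigned to; None for technical/shared accounts
    rights: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    account: Account
    excess: FrozenSet[str]  # rights beyond the standard baseline
    kind: str               # "standard", "named" or "non-named"
    risk: str               # "low", "medium" or "high"


def classify(account: Account, baseline: FrozenSet[str] = STANDARD_BASELINE) -> Finding:
    """Apply the page's criterion: more rights than a standard account => privileged."""
    excess = account.rights - baseline
    if not excess:
        return Finding(account, excess, "standard", "low")
    kind = "named" if account.owner else "non-named"
    sensitive = any(r.startswith(SENSITIVE_PREFIXES) for r in excess)
    # Heuristic rating (assumption): a shared or technical account holding
    # sensitive rights cannot be tied to one person, so it rates highest.
    if kind == "non-named" and sensitive:
        risk = "high"
    elif kind == "non-named" or sensitive:
        risk = "medium"
    else:
        risk = "low"
    return Finding(account, excess, kind, risk)


def inventory(accounts: List[Account]) -> Dict[str, object]:
    """Summarise an export: counts per kind, privileged-to-identity ratio, high-risk names."""
    findings = [classify(a) for a in accounts]
    by_kind: Dict[str, int] = {"standard": 0, "named": 0, "non-named": 0}
    for f in findings:
        by_kind[f.kind] += 1
    identities = {a.owner for a in accounts if a.owner}
    privileged = by_kind["named"] + by_kind["non-named"]
    return {
        "identities": len(identities),
        "privileged": privileged,
        # privileged accounts per person: the figure the text quotes as about 3 on average
        "ratio": round(privileged / len(identities), 2) if identities else None,
        "by_kind": by_kind,
        "high": [f.account.name for f in findings if f.risk == "high"],
    }


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", "AD", "alice", STANDARD_BASELINE),
    Account("bob", "AD", "bob", STANDARD_BASELINE | {"finance:read"}),
    Account("adm-carol", "AD", "carol", STANDARD_BASELINE | {"admin:domain"}),
    Account("svc-backup", "linux-db01", None, frozenset({"admin:root"})),
    Account("app-erp-batch", "erp", None, frozenset({"payments:approve"})),
    Account("shared-helpdesk", "AD", None, frozenset({"iam:reset-password", "mail:read"})),
]

if __name__ == "__main__":
    for f in map(classify, SAMPLE_ACCOUNTS):
        print(f"{f.account.name:16} {f.kind:10} {f.risk:7} excess={sorted(f.excess)}")
    print(inventory(SAMPLE_ACCOUNTS))
```

Running the block on the sample export flags five of the six accounts as privileged (two named, three non-named) for three identities, and the three non-named accounts with sensitive rights land in the high bucket, which is the set a reviewer would want to see first: these are exactly the accounts that cannot be tied to a single person.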
Securing privileged accounts and detecting associated risks is a top priority.
Gartner and Forrester agree: securing privileged accounts is a major issue.
We are convinced that for any organization, securing privileged accounts is a fundamental issue. The key reason for this is that they allow access to functionalities that would otherwise be inaccessible using standard accounts and provide the possibility of performing a certain number of operations deemed sensitive. Any user of a privileged account is endowed with super-powers, enlarging his field of action and giving him direct access to certain sensitive assets of the organization. Therefore, securing privileged accounts is crucial in protecting the resources, infrastructures and applications of any company.
Clearly, we’re not alone in this idea, as it is reflected in the opinions of expert analysts. Gartner says it all: privileged accounts need to be given our full attention. They should be considered the number one security and risk management priority for organizations. Forrester also weighs in on the subject, stating that privileged accounts are the highest level of threat within companies.
What are the key risks associated with privileged accounts?
As we have seen, privileged accounts are everywhere and are also abundant. On average, they represent three times the number of employees in an organization, opening the door to many opportunities for hackers to access the most sensitive resources, infrastructures and data. In addition to cyber-attacks, other internal threats to the company exist.
There are three categories of risk commonly associated with privileged accounts:
- The risk of accidents. In working with legitimate access rights, the user – an employee for example – can make a mistake. He or she may allow a third party (employee, subcontractor) to access critical information or compromise certain data, even inadvertently modifying or deleting it.
- The risk of theft or fraudulent intent. Here again, the user has legitimate access rights that have been assigned to him to perform his job functions, yet he chooses to exploit them for fraudulent purposes. For example, a person with administrative responsibilities within the organization may intentionally disclose or misuse his or her access rights in order to steal information.
- The creation of a back door. Every time a privileged account is created, a potential back door is also created. This back door can be used by hackers to steal information or directly attack the organization’s resources, applications, systems and infrastructure. Note: On average, a hacker who enters an organization’s information system by means of a privileged account can take full control of it in just two weeks.
Since it is crucial for organizations to pay special attention to privileged accounts, different strategies can be put in place to secure, manage, monitor and control them, depending on:
- the nature of the privileged accounts listed, and
- the level of risk associated with each one of them.
Therefore, the use of a PAM system and the implementation of privileged account governance have become essential in demonstrating compliance of access rights and facing the threat of cyber attacks.