Why prioritize the protection of privileged access?
In today’s world of digital transformation, remote workplaces and cloud applications, the methods of accessing data and infrastructures within organizations are extremely diversified and constantly evolving. This generates new risks related to user access rights and puts them squarely in the middle of a company’s efforts to protect their critical resources. In this context, the utilization of privileged accesses, their potential abuse and risk of cyber threats mobilize our attention because holders of privileged accounts can access the most sensitive resources of the organization, allowing them to perform impactful and critical operations. Maintaining a high level of security for these sensitive assets is essential. In this article, we will share the best practices, principles and methodologies for doing just that.
How to create, grant and secure privileged access?
To ensure that a company’s resources are protected by securing high-privileged access, experts provide a few best practices to consider. The principles of least privilege and need-to-know are two of them and are based on the idea that every user should only be granted the minimal level of access rights that is necessary to perform his or her work functions. It is, therefore, important to consider both future privileged accounts (and their permissions to vaults and safes) and those already created within your company or organization. This includes reviewing existing roles associated with privileged accounts and verifying that they are properly assigned and managed.
1: Which account profiles require privileged access?
Granting employees privileged access gives them the ability to perform additional operations that, if misused, could have a significant impact on the company’s resources, infrastructure and systems. The creation of privileged accounts should therefore be kept to a minimum and based on the needs of each employee. To be certain of this, situations where such access is required should be documented, and the job functions and roles that require privileged access should be listed by default as a form of ongoing control. If certain account profiles require additional permissions, highlighting and detailing the sessions and actions performed by these profiles will allow you to more easily identify the potential risks associated with them and to limit them, if necessary.
Accounts requiring the creation of privileged access differ depending on the department and the sector of activity.
However, here are the most frequent and critical ones found in information systems that need to be carefully identified:
- domain administrator accounts
- local administrator accounts
- emergency access accounts
- application accounts
- system accounts, and
- service accounts.
These privileged accounts can be named or shared, meaning that the risk is not the same. It is a good practice to identify these account profiles, determine which accounts are shared and include them in the Privileged Access Management (PAM) solution. This practice will help with the overall management of these critical employee privileges and their access to credentials and sensitive data.
2: Is privileged access assigned to the right people?
In addition to identifying the account profiles that require privileged access, all users associated with them should be documented and their legitimacy to hold such access should be verified. This is particularly important in order to apply the need-to-know principle, but it also can help avoid any risk of a dangerous combination of access rights by respecting the Segregation of Duties (SoD) principle.
To do this, it is necessary to correlate a certain amount of information about each user:
- the nature of the position held,
- the scope of associated projects and assignments,
- the breadth of responsibility, and
- the nature of the access rights and accounts available to him or her.
In this way, the identified privileged accounts can be confirmed as properly assigned according to the needs of the employees as well as the scope of the projects they cover, both in relation to their level of responsibility.
Is monitoring essential in securing privileged access?
Once created and assigned, the life cycle of a company’s privileged accounts must be monitored and managed. Additionally, it is critical that this life cycle remain completely visible in order to validate that these accounts are being used in a responsible manner. Identifying, tracking and consistently taking inventory of them is fundamental to protecting resources and infrastructure as well as proving compliance with internal security policies. Let’s see how to proceed.
1: Have you identified all of your privileged accounts?
Identifying all privileged accesses within an information system is a prerequisite to implementing the principle of least privilege. In addition to listing the account profiles that require the creation of privileged accesses, it is important to ascertain all existing privileged accesses, whether named or shared, active or unused, and to confirm that they are legitimate and secure. To make this easier, it is essential to document each privileged access at the moment it is created. To save time and avoid the risk of these accounts disappearing from the radar, this task can be automated. If a PAM solution has been implemented, these accounts can be integrated more easily, reducing administrative busywork.
2: Have you compiled a comprehensive inventory of users with privileged access?
Various security agencies and regulatory authorities highly recommend that in order to reduce the risk of abuse related to privileged access within an organization, a complete inventory is necessary, listing the users who:
- have an administrative account or higher permissions than those granted through a standard account,
- access the work directories of managers and/or all employees, or
- use a workstation that is not administered by the IT department and, therefore, is not subject to the measures dictated by the company’s security policy.
3: Are you able to track the activity associated with your privileged access?
It is important to monitor each privileged access in order to guarantee that it is being used appropriately. This will allow you to:
- quickly detect and document any changes related to privileged accounts,
- revoke any privileged access that is no longer in use in a timely manner (employee departure, organizational change, removal of applications, services, etc.), and
- track the activity and sessions of all users associated with the privileged accesses listed in the information systems.
It should be noted that, in order to carry out a complete and qualitative follow-up of the activity of these accounts, the implementation of a PAM solution can prove to be useful and will save a considerable amount of time.
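The three checks above (identify every privileged account, confirm who holds it, revoke what is no longer used) can be automated as a reconciliation between the documented register and what actually exists. The following is an added example, not taken from the original article; the account names, data layout, dates and 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed register: what was documented when each privileged access was created.
REGISTER = {
    "adm-jdoe":      {"profile": "domain administrator", "holders": {"jdoe"}},
    "svc-backup":    {"profile": "service account",      "holders": {"kpatel"}},
    "breakglass-01": {"profile": "emergency access",     "holders": {"asmith", "blee"}},
    "adm-mroy":      {"profile": "local administrator",  "holders": {"mroy"}},
}
# Constructed discovery snapshot: accounts actually present on the systems.
DISCOVERED = [
    {"account": "adm-jdoe",      "last_used": date(2024, 5, 28)},
    {"account": "svc-backup",    "last_used": date(2024, 5, 30)},
    {"account": "breakglass-01", "last_used": date(2023, 11, 2)},
    {"account": "adm-mroy",      "last_used": date(2024, 1, 15)},
    {"account": "adm-temp",      "last_used": date(2024, 5, 29)},
]
ACTIVE_STAFF = {"jdoe", "kpatel", "asmith", "blee"}  # mroy has left (constructed)
TODAY = date(2024, 6, 1)

def review(register, discovered, active_staff, today,
           max_idle_days=90, idle_exempt=("emergency access",)):
    """Return {account: [findings]} for every account that needs attention."""
    findings = {}
    for entry in discovered:
        name, notes = entry["account"], []
        record = register.get(name)
        if record is None:
            notes.append("undocumented: not in the privileged access register")
        else:
            if len(record["holders"]) > 1:
                notes.append("shared: bring under PAM so sessions map to a person")
            departed = sorted(record["holders"] - active_staff)
            if departed:
                notes.append("revoke: holder has left (" + ", ".join(departed) + ")")
        profile = record["profile"] if record else None
        idle = (today - entry["last_used"]).days
        if idle > max_idle_days and profile not in idle_exempt:
            notes.append("unused: idle for %d days" % idle)
        if notes:
            findings[name] = notes
    # A documented account that has disappeared is a change to record as well.
    for name in register.keys() - {e["account"] for e in discovered}:
        findings[name] = ["changed: documented but no longer present"]
    return findings

if __name__ == "__main__":
    for account, notes in sorted(review(REGISTER, DISCOVERED, ACTIVE_STAFF, TODAY).items()):
        print(account, "->", "; ".join(notes))
```

Emergency access accounts are exempted from the idle check here because they are expected to sit unused; they still appear in the report when shared or held by someone who has left.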
Zero Trust: What are the recommendations for protecting your privileged access?
Beyond the principles and methodologies mentioned above, the advent of digital workspaces and cloud computing is driving the creation of new cybersecurity models to face the emergence of new threats. The traditional model of perimeter security, which has been the norm until now, is no longer sufficient to maintain a satisfactory level of security for a company’s resources. Adopting a “Zero Trust” model is a way to address this.
The Zero Trust Model: Context and Definition
Invented in 2010 by John Kindervag, the term “Zero Trust” has now given rise to a new strategic cybersecurity model aimed at protecting the entire digital environment of an organization. The principle is simple: all people who can access the company’s resources (internal and external users) and all associated access requests must be subject to increased vigilance. The notion of implicit trust that was previously granted to employees and to any person with access to the company’s information system has disappeared. No matter the hierarchical status, level of responsibility, or nature of the granted access rights, any user or any access request can generate a potential threat until proven otherwise. In fact, the assignment of high-privileged access will require the implementation of an approval workflow spearheaded by key members of the management team. Additionally, privileged access and associated permissions must be revoked as soon as the project for which it was requested is completed.
The implementation of a privileged account management policy is key
To maintain a sufficient level of security for a company’s assets, it is necessary to move away from the traditional model of cybersecurity based on defending the fortress (the company) and aim to extend certain security measures to users and access rights within the organization itself. In this way, the perimeter to be secured is broader, and the environments to be covered are complex and disparate.
Today, many software tools have begun to address the need for a zero trust approach by building the most comprehensive defense model to be applied to all user access rights within an organization. Identity Access Management (IAM), network segmentation and multi-factor authentication (MFA) are the main pillars. Not surprisingly, the implementation of a Privileged Access Management (PAM) policy is also considered a fundamental building block for the adoption of the zero trust model.
How to protect the company from the associated risks of privileged access?
Securing the accounts and privileged accesses in any organization requires the observance of a certain number of principles in conjunction with a rigorous methodology. This is due to the new digital workplace and the proliferation of diverse environments. The emergence of the Zero Trust model and the concepts that stem from it place the protection and management of privileged access at the heart of the strategy that will help a company safeguard its assets.
But is managing privileged accounts with a Zero Trust tool or a Privileged Access Management solution enough? Click here to learn more about how setting up a system of governance can strengthen the security of your privileged accounts.