Privileged accounts and passwords are particularly targeted during cyberattacks and, as a result, auditors are particularly interested in them. Demonstrating the compliance of access rights to privileged accounts which control sensitive credentials housed in vaults is a priority for the management teams of all organizations.
With over ten years of expertise in Identity Analytics, Brainwave GRC focuses on this topic by homing in on the issues our customers face and identifying a number of best practices to follow. From building on a PAM software solution to closely and efficiently monitoring privileged accounts, we will explore how your business managers can respond to auditors while, at the same time, reducing the risks and threats to the sensitive credentials held in vaults.
What are the characteristics, definitions and specifics used to identify privileged accounts?
Standard vs. privileged accounts: how do you tell them apart?
There are generally two types of accounts within organizations. First, there are standard accounts which grant employees minimal and limited access rights that rely on the principle of least privilege. Each employee can only use these standard accounts to access the systems and applications that are necessary for the performance of his or her job function. The principle of least privilege should be applied systematically as the basic, risk-limiting tool when demonstrating the compliance of granted access rights.
However, standard access rights are not sufficient when business teams need to carry out more sensitive operations. For example, certain actions cannot be performed with standard access rights, such as configuring a system or application, making payments, or granting access rights to other team members. In this case, management needs to provide these users with additional privileges, subject to stricter account controls and stronger password requirements.
Through our close engagement with business partners and customers, it is clear that there is no exact definition of a privileged account: there is no universal threshold of access above which an account is considered privileged. Each organization sets its own criteria for determining whether an account is standard or privileged depending on the context and use case. One simple working definition that helps identify all privileged accounts is this: any account that has more access rights than a standard account within an organization can be considered a privileged account.
What are the different types of privileged accounts?
Many people believe that privileged accounts are nothing more than accounts used by admins within a business team, department or organization. However, two main groups of privileged accounts can be designated and need to be closely managed:
- Named accounts, such as personal accounts, referred to as “super user accounts.” They are assigned to an identity with privileged access rights on an individual basis and with an individual password.
- Non-named accounts, such as technical accounts. They may be shared, as are their passwords and authentication credentials, by several distinct identities and can include services and applications used by a company’s systems to access other tools, resources and applications.
Privileged accounts can be found everywhere, for example, locally, in the cloud, within infrastructures, operating systems, network devices or even at the heart of applications and servers. They can be managed locally or centrally using repositories such as Active Directory or through a PAM system.
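As an added illustration (not Brainwave GRC's code), the following script applies the working definition given above, "more access rights than a standard account", to a constructed identity export, splits the privileged accounts into named and non-named, and lists those whose credentials are not held in the PAM vault. The baseline entitlements, account names and vault flags are assumptions invented for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed baseline: the entitlements every standard account holds (constructed).
STANDARD_BASELINE = {"mail", "intranet", "timesheet"}


@dataclass
class Account:
    name: str
    owner: Optional[str]        # None marks a non-named (shared/technical) account
    entitlements: set
    in_vault: bool = False      # is the credential held in the PAM vault?


# Constructed sample export, not real data.
ACCOUNTS = [
    Account("jdoe", "Jane Doe", {"mail", "intranet", "timesheet"}),
    Account("jdoe-adm", "Jane Doe", {"ad:domain-admins"}, in_vault=True),
    Account("svc-backup", None, {"srv:backup-operator"}, in_vault=True),
    Account("svc-erp-pay", None, {"erp:payment-release"}),
    Account("bsmith", "Bob Smith", {"mail", "intranet", "erp:grant-access"}),
]


def excess_rights(acct):
    """Entitlements beyond the standard baseline: the page's privilege test."""
    return sorted(acct.entitlements - STANDARD_BASELINE)


def classify(acct):
    """'standard', 'privileged-named' (super user) or 'privileged-non-named'."""
    if not excess_rights(acct):
        return "standard"
    return "privileged-named" if acct.owner else "privileged-non-named"


def audit(accounts):
    """Evidence for auditors: each privileged account, its excess rights,
    its owner (None for shared accounts) and whether it is vaulted."""
    report = []
    for a in accounts:
        kind = classify(a)
        if kind == "standard":
            continue
        report.append({
            "account": a.name, "type": kind, "owner": a.owner,
            "excess_rights": excess_rights(a), "in_vault": a.in_vault,
        })
    return report


def unvaulted(accounts):
    """Privileged accounts whose credentials are not protected by the vault."""
    return [r["account"] for r in audit(accounts) if not r["in_vault"]]
```

In a real review the baseline would be derived from the entitlements common to the whole population rather than hard-coded, and the export would come from the directory or PAM system itself.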
Securing privileged accounts and detecting associated risks is a top priority.
Gartner and Forrester agree that securing privileged accounts is a major issue in today’s business world.
We, too, are convinced that this is a fundamental goal of any company’s management team. The key reason is that users of privileged accounts are given access to functionalities and credentials that would otherwise be inaccessible with their standard equivalents. Additionally, privileged accounts make it possible to perform a number of operations deemed sensitive. Any user of a privileged account is given a sort of superpower that widens his or her scope of action during working sessions and gives direct access to certain sensitive assets of the organization. Therefore, securing privileged accounts is crucial for any company interested in protecting its resources, infrastructures and applications.
As is reflected in the opinion of expert analysts such as Gartner, privileged accounts need to be given our full attention. They should be considered a company’s number one security risk and management priority. Forrester also weighs in on the subject, stating that privileged accounts pose the highest level of threat within an organization.
What are the key risks associated with privileged accounts?
As we have seen, privileged accounts are everywhere and can be quite numerous within an organization. On average, privileged account users number three times a company’s employees, opening the door to many opportunities for hackers to reach the most sensitive resources, infrastructures and data. Beyond external cyberattacks, the company also faces internal threats.
There are three categories of risk commonly associated with privileged accounts: theft or fraud, a back door or an accident.
- The risk of accidents. In working with legitimate access rights, the user – an employee, for example – can make a mistake. He or she may allow a third party or remote worker (employee, subcontractor) to access critical information or tools and compromise certain data, sometimes even inadvertently modifying or deleting it.
- The risk of theft or fraud. Here again, the user has legitimate access rights that have been assigned to him or her to perform his or her job functions, yet chooses to exploit them for fraudulent purposes. For example, a person with admin responsibilities within the organization may intentionally disclose or misuse his or her access rights, passwords or credentials to steal information.
- The creation of a back door. Every time a privileged account is created, a potential back door is simultaneously created. This back door can be used by hackers to steal information or directly attack the organization’s resources, applications, systems and infrastructure. It should be noted that, on average, a hacker who gets access to a company’s information system using a privileged account can take full control of it in as little as two weeks.
While it is crucial for organizations to pay special attention to privileged accounts, different strategies can be put in place to secure, manage, monitor and control them based on:
- the business nature of the privileged accounts, and
- the level of risk associated with each of them.
Therefore, the use of a PAM system and the implementation of privileged account governance have become essential in demonstrating compliance of access rights and facing the threat of cyberattacks.