The protection of privileged accounts is a sensitive issue in today’s business world.
The problem
These accounts are extremely critical because they allow you to manage and modify access to company assets and to take partial or total control of critical applications or systems and, by pivoting from there, of most of the information system. Unfortunately, users often forget the power of these privileges and do not sufficiently protect access to them. This includes user accounts, technical accounts and service accounts.
What are the risks associated with privileged accounts?
Studies show that once an attacker manages to take control of one of the privileged accounts, it only takes an average of two weeks for the attacker to take full control of the information system.
These may be account repositories such as Active Directory or Azure, which allow access to a multitude of applications and unstructured data. Compromising these accounts can lead to the exfiltration of data, the inability to access most of the information system or even the deletion of all of its contents, which then forces the IT department to rebuild a complete repository, because backups can also be compromised. This causes the information system to be unavailable for several hours or even several days.
This also applies to access to applications and servers, whether in the cloud or in a physical environment, and to the resources used by DevOps teams, which are often neglected, such as AWS, Jenkins, GitHub and Docker.
The popular PAM solutions for these risks are not sufficient
To address these risks, companies are turning to Privileged Access Management (PAM) solutions, such as CyberArk or Wallix. These powerful solutions manage privileged accounts by setting up a digital password safe and traceability systems, with advanced mechanisms such as automatic password rotation, the recording of open sessions for post-mortem audit purposes and user behavior analysis.
All too often, companies think they can solve all problems related to the management of privileged accounts by installing a PAM solution, without having to be concerned about managing the users who have access to these solutions.
Unfortunately, even if these solutions fully cover the management of and access to privileged accounts, the initial risk that existed at the privileged account level is simply moved to the user account level in these PAM solutions, which means that those user accounts become critical in turn. Who has access to the user accounts in your company? Is this access legitimate? Are these accounts being managed properly and allocated appropriately?
And even if the traceability and behavior analysis capabilities of these PAM solutions are useful, they only allow you to react to situations as they occur rather than to be proactive. By then, it is often too late: the attacker has already obtained what he wanted by compromising the user account.
For example, user account management for PAM is often delegated to third-party LDAP directories such as Active Directory, so simply adding an account to a group grants it access to privileged accounts. A management error at this level can be fatal.
Because of this, the automation of access and control review is essential
The automation of controls is therefore essential in order to ensure that the right people, the legitimate people, have access to highly privileged critical resources, while taking into account the context of their identities (the HR context). Here is a partial list of the controls that are frequently found in such environments:
- Are there people who are not from IT teams and who have access to privileges? Which privileges do they have access to? What resources are involved and is this legitimate?
- Are there people in R&D who access privileged accounts in production?
- Who can administer Active Directory groups that provide access to privileged accounts?
- Are there people who can both backup and restore the same perimeter, which could allow them to commit fraud?
- Which people have changed jobs, organizations or have left the company and still have access to privileged accounts?
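The five controls above, run as an added example over a constructed identity snapshot (this is illustration code, not Brainwave GRC's engine or data model): an HR extract, the Active Directory groups that the PAM solution trusts, and the rights held on a backup system are all assumed, constructed inputs, and each control returns the accounts it would flag for review.

```python
# Constructed sample data (not real identities): HR extract, PAM-trusted AD groups, backup rights.
HR = {
    "alice": {"dept": "IT-Ops",  "status": "active", "prev_dept": None},
    "bob":   {"dept": "R&D",     "status": "active", "prev_dept": None},
    "carol": {"dept": "Finance", "status": "active", "prev_dept": None},
    "dave":  {"dept": "IT-Ops",  "status": "left",   "prev_dept": None},
    "erin":  {"dept": "Sales",   "status": "active", "prev_dept": "IT-Ops"},
}
IT_DEPTS = {"IT-Ops"}
# PAM group -> environment whose privileged accounts its members can check out.
PAM_GROUPS = {"PAM-Prod-Admins": "production", "PAM-Dev-Admins": "development"}
GROUP_OWNERS = "PAM-Group-Owners"  # AD group allowed to edit the PAM-* groups
MEMBERS = {
    "PAM-Prod-Admins": {"alice", "bob", "dave", "erin"},
    "PAM-Dev-Admins": {"bob"},
    GROUP_OWNERS: {"alice", "carol"},
}
BACKUP_RIGHTS = {  # user -> set of (action, perimeter) on the backup system
    "alice": {("backup", "finance"), ("restore", "finance")},
    "carol": {("backup", "finance")},
}

def privileged_access():
    # user -> set of environments reachable through PAM group membership
    envs = {}
    for group, env in PAM_GROUPS.items():
        for user in MEMBERS[group]:
            envs.setdefault(user, set()).add(env)
    return envs

def non_it_with_privileges():
    return sorted((u, HR[u]["dept"], sorted(e)) for u, e in privileged_access().items()
                  if HR[u]["dept"] not in IT_DEPTS)

def rnd_in_production():
    return sorted(u for u, e in privileged_access().items()
                  if HR[u]["dept"] == "R&D" and "production" in e)

def group_administrators():
    return sorted((u, HR[u]["dept"]) for u in MEMBERS[GROUP_OWNERS])  # one group edit grants access

def backup_restore_conflicts():
    # Segregation of duties: backup and restore rights on the same perimeter.
    return sorted((u, p) for u, rights in BACKUP_RIGHTS.items()
                  for a, p in rights if a == "backup" and ("restore", p) in rights)

def movers_and_leavers():
    # Privileged access whose HR context no longer matches (left or changed job).
    return sorted((u, "left" if HR[u]["status"] == "left" else "changed job")
                  for u in privileged_access()
                  if HR[u]["status"] == "left"
                  or (HR[u]["prev_dept"] and HR[u]["prev_dept"] != HR[u]["dept"]))
```

In a real deployment the three inputs would be fed from the HR system, the directory and the target systems on a schedule, so that the findings are recomputed after every reorganization or departure rather than at the next manual audit.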
During the lifetime of the company, people leave, new jobs are created and departments are reorganized. Digital transformation is also causing the rapid evolution of information systems. The number of cloud applications has risen exponentially. Unstructured data is transferred to cloud systems such as Office 365, and cloud infrastructures such as AWS are being developed and put in place. As a result of these changes, it is essential to be able to address these issues regularly in order to limit the risk of compromise.
With its powerful analysis engine and award-winning patented data model, Brainwave GRC addresses these issues by continuously automating these controls, which you can discover through our webinars, as well as automating the review and re-certification of privileged accounts within your organization to ensure that only the people responsible for each technology silo have legitimate access to them.