Users with privileged access to an organization's systems and networks pose a special threat. External threat actors often target privileged accounts with phishing and social engineering, because control of those credentials lets them move far more freely inside the network. Insiders also sometimes misuse their own privileged accounts, and according to the Verizon Data Breach Investigations Report, privilege misuse is among the slowest types of breach to discover.
Privileged access management (PAM) tools help network administrators control privileged access to reduce the risk of accidental or deliberate misuse of these powerful accounts.
What is privileged access?
Privileged access is a higher level of IT access granted to specific users, such as IT pros who need to perform administrative tasks or users who need to read or edit sensitive data. Privileged accounts can also be used by services that need access to sensitive systems or data, such as customer data stored in databases.
In short, privileged user accounts have more permissions to access systems, services, endpoints and data than regular user accounts. Examples of privileged accounts include the following:
- IT admin account — Enables IT pros to perform functions like:
  - Installing hardware or software
  - Resetting passwords for standard user accounts
  - Logging in to every machine in a specific environment
  - Making changes to IT infrastructure
- Domain administrative account — Grants administrative access to all workstations and servers within the domain
- Service accounts — Used by an application or service to access data and other resources
- Application accounts — Used by applications to access databases, run batch jobs or scripts, or provide access to other applications
- Business privileged user accounts — Given to individuals like database operators or managers tasked with working with sensitive information such as HR or finance records
- Emergency accounts — Provided to users brought in to handle disasters or other disruptions that interfere with the availability of company networks and systems
Why privileged accounts require special protection
Privileged access represents a significant security risk for every organization. Generally speaking, there are three main reasons for managing privileged access:
- Privileged accounts are key targets for attackers. If an attacker finds a way to compromise a privileged account, they might get access to sensitive systems and data — and be able to cover their tracks for a long time while still maintaining access.
- Privileged accounts can be misused by their owners. Admins might accidentally or deliberately turn off security controls, modify Group Policy, steal sensitive data or cause damage to the infrastructure.
- Control over privileged accounts is a requirement of most major compliance regulations. Auditors pay special attention to this requirement, and gaps in privileged access controls can lead to steep fines.
Paths to exploiting a privileged account
Here are a few examples of how a privileged account could be misused:
- Users cross security boundaries. Best practice is to give each admin not just a privileged account but also a regular user account for everyday activities that do not require special access rights. Ignoring this separation leads to security incidents. For instance, if an admin uses their privileged account to log on interactively to an ordinary workstation, that account's credential material is cached on the machine, and an attacker who already has a foothold there can harvest it and reuse it elsewhere.
- Privileged accounts are shared. If multiple admins share access to a privileged account, it is difficult to hold the individuals accountable for their actions, which increases the possibility that one of them may use it in an unauthorized manner.
- Increased attack surface from standing privileges. Usually, privileged accounts are standing accounts — the account is available for use at any time. Therefore, an attacker who compromises an admin account is free to use it to move laterally around your environment and look for opportunities to escalate their privileges. This dramatically increases the risk that they will manage to achieve their ultimate goal of stealing data or doing other damage to your organization.
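The first two misuse paths above (a privileged account logging on where it should not, and one account used from several places at once) are both visible in ordinary Windows logon events. The following is an added example, not code from the original page, that runs two such checks over a handful of constructed Event ID 4624 records. The "-adm" naming convention for privileged accounts, the "PAW-" prefix for hardened admin workstations, and the sample events themselves are assumptions made for the illustration.

```python
"""Two detections for the privileged-account misuse paths described above,
run over constructed Windows Security log events.

Assumptions (not from the original page):
  - privileged accounts carry an "-adm" suffix
  - hosts named PAW-* are hardened admin workstations; admin credentials
    must not be cached anywhere else
  - events are Event ID 4624 (successful logon) flattened to dicts
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that leave reusable credential material on the target host:
# 2 = interactive, 10 = remote interactive (RDP), 11 = cached interactive.
CREDENTIAL_CACHING_LOGON_TYPES = {2, 10, 11}

# Constructed sample events; field names follow the 4624 schema, values are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "EventID": 4624, "TargetUserName": "jdoe",
     "LogonType": 2, "Computer": "WS-1043", "IpAddress": "10.0.5.17"},
    {"ts": "2024-03-01T08:05:00", "EventID": 4624, "TargetUserName": "jdoe-adm",
     "LogonType": 10, "Computer": "WS-1043", "IpAddress": "10.0.5.17"},  # admin on a user workstation
    {"ts": "2024-03-01T08:06:00", "EventID": 4624, "TargetUserName": "jdoe-adm",
     "LogonType": 10, "Computer": "PAW-07", "IpAddress": "10.0.9.2"},    # admin on a PAW: expected
    {"ts": "2024-03-01T08:07:00", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 3, "Computer": "FS-01", "IpAddress": "10.0.2.40"},     # network logon: nothing cached
    {"ts": "2024-03-01T09:00:00", "EventID": 4624, "TargetUserName": "shared-adm",
     "LogonType": 3, "Computer": "SQL-02", "IpAddress": "10.0.5.21"},
    {"ts": "2024-03-01T09:03:00", "EventID": 4624, "TargetUserName": "shared-adm",
     "LogonType": 3, "Computer": "SQL-02", "IpAddress": "10.0.5.88"},    # same account, second source
    {"ts": "2024-03-01T09:04:00", "EventID": 4624, "TargetUserName": "shared-adm",
     "LogonType": 3, "Computer": "SQL-03", "IpAddress": "10.0.5.99"},    # third source in four minutes
]


def is_privileged(account):
    return account.lower().endswith("-adm")


def is_admin_host(host):
    return host.upper().startswith("PAW-")


def find_boundary_crossings(events):
    """Privileged accounts logging on interactively to non-admin hosts.
    Returns (account, host, logon_type) for each event that cached an
    admin credential on a machine outside the admin tier."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or not is_privileged(e["TargetUserName"]):
            continue
        if e["LogonType"] in CREDENTIAL_CACHING_LOGON_TYPES and not is_admin_host(e["Computer"]):
            hits.append((e["TargetUserName"], e["Computer"], e["LogonType"]))
    return hits


def find_shared_account_use(events, window=timedelta(minutes=10), min_sources=3):
    """Privileged accounts used from at least `min_sources` distinct source
    addresses inside `window`: the footprint of a shared (or stolen) credential.
    Returns {account: sorted list of source addresses}."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and is_privileged(e["TargetUserName"]):
            by_account[e["TargetUserName"]].append((datetime.fromisoformat(e["ts"]), e["IpAddress"]))
    hits = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            sources = {ip for t, ip in logons[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                hits[account] = sorted(sources)
                break
    return hits


if __name__ == "__main__":
    for hit in find_boundary_crossings(SAMPLE_EVENTS):
        print("admin credential cached outside admin tier:", hit)
    for account, sources in find_shared_account_use(SAMPLE_EVENTS).items():
        print("shared or stolen privileged credential:", account, sources)
```

Note that the second check only looks at accounts the naming convention marks as privileged; service and application accounts such as `svc-backup` are invisible to it until they are inventoried, which is exactly why discovery and onboarding appear among the PAM capabilities below.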
What is privileged access management?
Privileged access management (PAM) is a comprehensive security strategy for managing accounts with elevated permissions to critical corporate resources, and controlling the use of those accounts. PAM falls under the umbrella of identity and access management (IAM).
Reasons for investing in PAM include:
- Protection against theft of privileged credentials
- Reducing risk of credential abuse
- Ensuring individual accountability
- Reducing the risk of downtime for databases, servers and other critical infrastructure due to deliberate or accidental misuse of privileged accounts
- Ensuring adherence to the least privilege principle
- Meeting the requirements of security frameworks and compliance regulations
PAM features and capabilities
Below is a list of core areas related to supporting privileged account security:
- Privileged credential management — Handles the process of storing and retrieving passwords for privileged user accounts to reduce the risk of credential theft. Admins can create and revoke credentials as needed from a central location.
- Just-in-time (JIT) PAM methods — Help ensure that accounts receive privileged access only when it is needed, and only for as long as the business task takes. Accounts therefore never hold elevated privileges longer than necessary, which limits the window in which internal users or outside threats can exploit them.
- Privileged account discovery and onboarding — Helps discover where privileged accounts exist within an organization so that organizations can ensure they are brought under the umbrella of PAM.
- Privileged user activity tracking — Helps track how users utilize their privileged access credentials, so companies can more quickly identify unauthorized use of a privileged account.
- Logging and reporting — Enables organizations to record and report on the use of privileged accounts.
- Multi-factor authentication — Forces users to confirm their identity in more than one way before allowing them access to company applications and systems.
- Privileged session management — Gives security admins control over the work sessions of users with privileged access. For example, they can block access to critical resources when they spot suspicious activity by a privileged user account.
- Privilege elevation and delegation — Allows admins to execute more granular control over the rights granted to privileged user accounts versus an all-or-nothing approach.
- Privileged task automation — Allows admins to set up automated flows that handle repetitive PAM tasks.
How do PAM solutions work?
- A user who needs to perform a task that requires elevated permissions requests access to a privileged account. The user must provide a business justification for why they need privileged access.
- The PAM solution approves or denies the request and logs the decision. Most PAM solutions can be configured to require manager approval for certain requests.
- If approval is granted, the user is temporarily given the privileged access required to complete the specified task. Typically, access is brokered through the PAM solution, so the user never learns the privileged account's password.
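The three steps above map onto a small request/approve/grant loop. What follows is an added example, not code from the original page or from any vendor product: a toy broker that rejects requests without a justification, requires a second person for the most sensitive role, issues a time-boxed session handle instead of the account password, writes every decision to an audit log, and tears the grant down on expiry so it never becomes standing privilege. The role names, time limits and the "needs_approver" policy table are assumptions made for the illustration.

```python
"""Toy privileged access broker modelling the request / approve / grant flow.
Added example with assumed policy; not the workflow of any specific product."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# Assumed policy table: how long a grant may live and whether a second
# person must approve it.  Domain-wide roles get the shortest leash.
ROLE_POLICY = {
    "server-local-admin": {"ttl": timedelta(hours=2), "needs_approver": False},
    "domain-admin": {"ttl": timedelta(minutes=30), "needs_approver": True},
}


@dataclass
class Grant:
    user: str
    role: str
    expires: datetime
    session_id: str  # what the user receives; the vaulted password never leaves the broker


class PamBroker:
    def __init__(self):
        self.audit = []    # append-only decision log
        self.pending = {}  # request_id -> request awaiting a decision
        self.grants = {}   # session_id -> active Grant

    def _log(self, **event):
        self.audit.append(event)

    def request(self, user, role, justification, now):
        """Step 1: the user asks for a role and states why. Returns a request id or None."""
        if role not in ROLE_POLICY:
            self._log(action="request", user=user, role=role, result="denied", reason="unknown role")
            return None
        if not justification.strip():
            self._log(action="request", user=user, role=role, result="denied", reason="no justification")
            return None
        req_id = secrets.token_hex(8)
        self.pending[req_id] = {"user": user, "role": role, "justification": justification, "at": now}
        self._log(action="request", user=user, role=role, result="pending", request_id=req_id)
        return req_id

    def approve(self, req_id, approver, now):
        """Step 2: a decision is made and logged. Returns a session id on success."""
        req = self.pending.get(req_id)
        if req is None:
            return None
        policy = ROLE_POLICY[req["role"]]
        # Self-approval would reintroduce the accountability gap of a shared account.
        if policy["needs_approver"] and approver in (None, req["user"]):
            self._log(action="approve", request_id=req_id, approver=approver,
                      result="denied", reason="independent approver required")
            return None
        del self.pending[req_id]
        grant = Grant(req["user"], req["role"], now + policy["ttl"], secrets.token_urlsafe(16))
        self.grants[grant.session_id] = grant
        self._log(action="approve", request_id=req_id, approver=approver, result="granted",
                  user=grant.user, role=grant.role, expires=grant.expires.isoformat())
        return grant.session_id

    def authorize(self, session_id, role, now):
        """Step 3: the target system asks whether a session may still act as `role`.
        Expired grants are removed here, so elevated access never stands idle."""
        grant = self.grants.get(session_id)
        if grant is None:
            return False
        if now >= grant.expires:
            del self.grants[session_id]
            self._log(action="expire", user=grant.user, role=grant.role)
            return False
        return grant.role == role


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 9, 0)
    broker = PamBroker()
    rid = broker.request("jdoe", "domain-admin", "CHG-1234: rotate service account password", t0)
    sid = broker.approve(rid, "mgr-smith", t0)
    print("usable after 10 min:", broker.authorize(sid, "domain-admin", t0 + timedelta(minutes=10)))
    print("usable after 30 min:", broker.authorize(sid, "domain-admin", t0 + timedelta(minutes=30)))
    for entry in broker.audit:
        print(entry)
```

The point of `authorize` taking the clock as an argument is that expiry is enforced at every use, not only by a background job; a session that outlives its TTL is refused the moment it is presented, and the refusal is recorded alongside the original request and approval.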
What are the main challenges of PAM?
Traditional approaches to PAM all involve serious challenges, including the following:
Manual processes
Organizations might choose to store privileged credentials in spreadsheets and rotate them manually. This is labor-intensive and error-prone. Most problematic, it is not secure and opens doors for both attackers and internal misuse.
Free tools
These are more secure than doing nothing, but they still leave gaps: typically there is no approval workflow, no credential rotation after a session ends, and no reliable audit trail of who used which account and when.
Traditional PAM solutions
Older PAM solutions have two main challenges. First, their complexity makes them costly to implement. In addition to PAM infrastructure and licensing, organizations have to invest many hours in configuration, rollout and ongoing maintenance. Many PAM solutions also require extra licensing to operate, such as third-party client access licenses (CALs), database infrastructure and add-on components.
Second, most PAM solutions take a vault-centric approach: they manage the privileged accounts and focus only on controlling access to them. This does nothing to remove or limit the lateral movement attack surface those accounts present while they exist, an exposure known as standing privilege. Ransomware operators and other threat actors can propagate across an organization by leveraging privileged accounts even when those accounts are vaulted.
Overcoming the challenges of PAM
The best way to reduce the security risk without impacting business efficiency is to enable privilege on-demand. Zero Standing Privilege is an approach where administrators are granted just enough privilege to complete a specific task, and only for the time needed to complete that task. When the administrator has finished, the privileges are either removed from the account, or the account is removed entirely. This just-in-time approach dramatically reduces the risk of powerful accounts being exploited by internal or outside threats.
Best practices for privileged access management
- Inventory all your privileged accounts.
- Conduct a risk assessment to understand the most serious threats to your privileged accounts.
- Implement a Zero Standing Privilege model to remove privileged accounts when not in use.
- Set up formal policies to control access to privilege.
- Track the use of privileged accounts so you can quickly flag suspicious behavior.
- Leverage tools that enable on-demand privilege for day-to-day activities.
- Clean up inactive or unused accounts in Active Directory before they can be misused.
- Employ the principles of Zero Trust and least privilege.
Just-in-time PAM while reducing attack surface
Netwrix Privilege Secure for Access Management facilitates secure administrative access using third-generation technology that is cost effective, intuitive and easy to deploy. Netwrix Privilege Secure for Access Management automatically generates ephemeral accounts for each privileged session, then dynamically provisions and deprovisions just-in-time permissions appropriate for the requested activity. This removes the standing privilege attack surface when accounts are at rest, providing controlled privileged access without the overhead and liability of traditional vault-centric solutions.
FAQ
What is included in privileged access management?
Privileged access management includes securely managing the users and processes that are granted elevated privileges within a company's IT platforms. It establishes controls over access to enterprise resources.
Why do I need privileged access management?
Privileged access management helps companies ensure that users do not gain unauthorized access to company systems. It also makes it much harder for attackers to obtain and reuse privileged account credentials.
What is privileged access management in networking?
In a networking context, PAM means centralizing control of privileged credentials and restricting who can use them, through a PAM solution, so that compromised or misused administrator accounts cannot be used to attack the network.