Accounts with administrative and elevated privileges are necessary for both business and IT functions, but they represent a significant risk to your organization. In the hands of a careless or malcontent insider or an adversary, privileged credentials open the door to data breaches, infrastructure outages and compliance violations.
According to Forrester, a staggering 80% of data breaches involve privileged accounts. The key to reducing this risk is a modern approach to privileged access management (PAM). Instead of trying to keep hundreds or thousands of powerful accounts from being misused using strategies like password vaults, it enables you to reduce the number of privileged accounts that exist to the absolute minimum — thereby dramatically reducing risk. Here are the steps to take.
Step 1. Discover all accounts with privileged access
The first step is to uncover all your privileged accounts. Some accounts are easy to identify, such as those that are members of powerful security groups like Domain Admins. But some are less obvious; in fact, it’s estimated that in most organizations, over half of all privileged entitlements are unknown. It’s especially easy to forget lower-level admins like DBAs and business users with access to highly sensitive data or systems.
To simplify the work, consider sorting all your user accounts into the following groups:
- Administrator/Root/Super User
- Infrastructure/Application/Power User
- CEO/CFO/CISO/Senior Business User
- Staff/Ordinary User
Step 2. Identify the owner of each privileged account
Many privileged accounts will be assigned to a specific individual. But it may be challenging to determine the owner of some accounts. The following data about each system can help:
- Authentication source — The source of authentications to the privileged account could be a workstation or server with a clear owner.
- Last modified date of each user profile — If a user’s profile was modified recently, it’s a good indicator that they’re an active user of the system, so they may be able to determine the owners of accounts with privileged access to the system.
- Size of each user profile — If there are many users who leverage a system, look for the ones with the largest profiles.
- Currently logged on user — People who are currently accessing the system may have information about who owns the related privileged accounts.
- Last logged on user — Similarly, anyone who has logged onto the system recently might be able to help identify the account owner.
- Service type — For service accounts, the service type can lead you to the application owner.
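As an added example (not from the original post), the following PowerShell inventories the members of the built-in privileged groups for Steps 1 and 2, expanding nested groups and collecting the ownership hints listed above. It assumes the ActiveDirectory module, read access to the domain, and the default group names; business tiers such as CEO/CFO cannot be derived from group membership and are left out.

```powershell
# Added example: privileged-group inventory with Step 2 ownership hints.
Import-Module ActiveDirectory

# Built-in groups mapped to the Step 1 tiers (assumption: default names).
$tierByGroup = @{
    'Domain Admins'     = 'Administrator/Root/Super User'
    'Enterprise Admins' = 'Administrator/Root/Super User'
    'Schema Admins'     = 'Administrator/Root/Super User'
    'Administrators'    = 'Administrator/Root/Super User'
    'Account Operators' = 'Infrastructure/Application/Power User'
    'Server Operators'  = 'Infrastructure/Application/Power User'
    'Backup Operators'  = 'Infrastructure/Application/Power User'
    'DnsAdmins'         = 'Infrastructure/Application/Power User'
}
$props = 'Enabled', 'LastLogonDate', 'whenChanged', 'ServicePrincipalName', 'Manager', 'Description'

$inventory = @{}
foreach ($group in $tierByGroup.Keys) {
    # -Recursive expands nested groups, which is where unknown entitlements hide.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties $props
        if (-not $inventory.ContainsKey($u.SamAccountName)) {
            $inventory[$u.SamAccountName] = [pscustomobject]@{
                Account          = $u.SamAccountName
                Tier             = $tierByGroup[$group]
                ViaGroups        = [System.Collections.Generic.List[string]]::new()
                Enabled          = $u.Enabled
                LastLogon        = $u.LastLogonDate   # Step 2: recent activity
                LastModified     = $u.whenChanged     # Step 2: recently touched
                # An SPN usually marks a service account: follow the service to its app owner.
                IsServiceAccount = [bool]$u.ServicePrincipalName
                Manager          = $u.Manager         # Step 2: a likely owner
                Description      = $u.Description
            }
        }
        $inventory[$u.SamAccountName].ViaGroups.Add($group)
        # An account reached through a Super User group keeps that tier.
        if ($tierByGroup[$group] -like 'Administrator*') {
            $inventory[$u.SamAccountName].Tier = $tierByGroup[$group]
        }
    }
}

$inventory.Values |
    Select-Object Account, Tier, @{ n = 'ViaGroups'; e = { $_.ViaGroups -join ';' } },
        Enabled, LastLogon, LastModified, IsServiceAccount, Manager, Description |
    Sort-Object Tier, LastLogon |
    Export-Csv -Path .\privileged-inventory.csv -NoTypeInformation
```

Accounts with no LastLogon or a stale one are the first candidates for the Step 3 interviews; Get-ADGroupMember fails on very large groups, in which case query the group's member attribute directly.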
Step 3. Work with owners to understand the purpose of each account
Interview the owner of each privileged account to understand what it is used for and what access rights it requires — and whether it is even still needed. Here are some questions you might want to ask:
- What is the purpose of the account? What is it used to do?
- Are the privileges it has necessary to perform those actions?
- If the account is shared by multiple people, how is individual accountability ensured?
Step 4. Remove accounts that are no longer needed
With signoff from account owners, remove privileged accounts that do not need persistent access, starting with the most critical resources first. To prioritize, consider factors such as:
- Which resources the account can access — For example, an account with access to a domain controller is more critical than one used to manage print servers.
- Where those resources reside — An administrative account for a test lab is probably less critical than one in the production environment.
- The sensitivity of the resources — Does the account have access to regulated financial data or personal health records, or to vital applications like your CRM or ERP?
For accounts that cannot be removed, reduce their access rights to the minimum required to perform their function. Note that service accounts in particular are often over-provisioned.
Step 5. Implement zero standing privilege (ZSP)
Now you’re left with a set of privileged accounts that you know actually serve a purpose. But even though they are used only occasionally, they are at risk of being misused 24/7.
With a modern PAM solution, you can replace these risky standing privileges with just-in-time (JiT) access. There are two methods for implementing JiT:
- Ephemeral accounts — When a user needs to perform a task that requires elevated rights, create an account that exists just long enough to complete the task.
- Temporary privilege escalation — Alternatively, grant the user’s existing account the necessary privileges to perform the task and remove them as soon as the task is complete.
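As an added example (not from the original post, and not the Netwrix product), the following PowerShell implements the second JiT method, temporary privilege escalation, with Active Directory's time-bound group membership. It assumes the ActiveDirectory module and a forest where the Privileged Access Management optional feature is enabled (a one-time, irreversible forest change); the user, group and ticket names are hypothetical.

```powershell
# Added example: JiT escalation via time-bound AD group membership.
Import-Module ActiveDirectory

function Grant-TemporaryPrivilege {
    param(
        [Parameter(Mandatory)][string]$User,      # e.g. 'jdoe' (hypothetical)
        [Parameter(Mandatory)][string]$Group,     # e.g. 'Domain Admins'
        [TimeSpan]$Ttl = (New-TimeSpan -Hours 1), # the task window, not "forever"
        [Parameter(Mandatory)][string]$Reason     # ties the grant to a ticket or task
    )
    $pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
    if (-not $pam.EnabledScopes) {
        throw 'PAM optional feature is not enabled; the membership would be permanent.'
    }
    # AD removes the member itself when the TTL lapses and caps Kerberos tickets
    # issued in the meantime to the remaining TTL, so nothing is left to clean up.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl
    $expires = (Get-Date).Add($Ttl)
    Write-Information "JIT grant: $User -> $Group until $expires ($Reason)" -InformationAction Continue
    return $expires
}

function Revoke-TemporaryPrivilege {
    # Called when the task finishes early; the TTL is only the upper bound.
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Group)
    Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
}

function Get-TemporaryMembers {
    # Audit view: which memberships are time-bound and how long remains.
    param([Parameter(Mandatory)][string]$Group)
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            # Time-bound entries look like '<TTL=3540,CN=jdoe,OU=Admins,DC=example,DC=com>'
            # (constructed sample); plain DNs are standing memberships.
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_; SecondsLeft = $null }
            }
        }
}

# Usage with hypothetical names: grant for the change window, then verify.
Grant-TemporaryPrivilege -User 'jdoe' -Group 'Domain Admins' -Reason 'CHG-1234 schema update'
Get-TemporaryMembers -Group 'Domain Admins' | Where-Object SecondsLeft
```

Members listed with a null SecondsLeft are the standing privileges Step 5 is meant to eliminate.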
How Netwrix Can Help
Netwrix’s Privileged Account Management solution provides dynamic and continuous visibility into privileged accounts across all endpoints, allowing organizations to shrink attack surfaces with continuous discovery and removal of unmanaged privileges. Our solution replaces conventional privileged accounts with just-in-time privileged access, ensuring heightened security without compromising administrator productivity. By monitoring and recording privileged user sessions, Netwrix Privilege Secure facilitates investigations, fulfills audit requirements, and establishes accountability. This solution also empowers organizations to visualize, analyze, and manage their attack surface through tailored dashboards, eliminating a gap in accountability and security without sacrificing convenience for users.
Achieving privileged access bliss
By uncovering all the privileged identities in your IT ecosystem and replacing them with a ZSP approach, you can dramatically reduce risks to security, compliance and business continuity. After all, if a privileged account doesn’t exist, it can’t be compromised.