Securing Privileged User Accounts : 5 Tips From The Trenches

Written By: Abhi Kumar

User accounts are an essential aspect of today’s IT applications and systems, and privileged user accounts are the most powerful of user accounts. Privileged access is often allowed to a small number of persons depending on their jobs and in compliance with the firms’ role-based access control regulations. Employees, contractors, and even managed service providers or third-party vendors can have such accounts to perform maintenance or system patching. Sometime regular resources are elevated to privileged access for one-off tasks. When users are given administrative-level access the elevated rights cannot be rationally limited to just one task or application. Organizations across all industries are adopting cloud to digitally transform their business and bring new products to market more quickly. Cloud adoption makes innovation easy by allowing infrastructure to scale more efficiently. This has led to proliferation of machine accounts. These cloud machine accounts are used by systems and applications to access resources, either local to the system or across the network. Most often they are used to perform automated tasks or part of API calls within an application, sometimes initiated by a user account. Many of the machine accounts are created for with admin privileges. As every CTO, CIO and CISO know procurement of SaaS products is through the roof, and much to their chagrin, many a times this procurement is being done outside the technology team. This has led to creation of shadow IT that like other assets has privileged users. Clearly, there is an overabundance of such privileged accounts in companies’ landscape, creating security and compliance issues.

As any CISO or security professional knows, privileged users accounts present a high risk for abuse. According to Varonis Systems’ 2021 Financial Data Risk Report, 39% of firms had over 10,000 stale user account groups. According to the 2019 Verizon Data Breach Investigations Report, 62% of all data breaches last year included the use of stolen credentials, brute force, or phishing. Almost half of these breaches were directly traced to stolen credentials. Stolen credentials are not just a problem with active user accounts, but they may also pose a substantial risk with orphaned accounts. Orphaned accounts in an organization are those that are no longer connected with a legitimate owner. According to Thycotic, 32% of black hat hackers say that privileged accounts are their preferred method of hacking systems. When a privileged account is compromised, the hostile actor has access to private data, moves laterally, installs malware, and makes modifications that affect data security.

 If you’re like most companies, proper auditing of privileged accounts is on top of your agenda as part of internal process or compliance with external regulations. To stay fully secure and compliant with Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA) etc, CISOs need to ensure they have visibility into all types of privileged accounts, including employee, contractor, third party vendor accounts and machine accounts. This single pane of glass visibility allows CISOs to identify and track potential security risks and take action to mitigate them. SecurEnds CEM product is being used from straight forward use cases – like users– to more complex ones like service accounts. By creating a single identity repository across custom applications, enterprise applications and cloud applications for all types of users including privileged accounts, CEM allows security analysts to use identity or application MindMap to view user/credentials/entitlements and conduct different types of access reviews to ensure every credential/entitlement is maintained with the principle of least privileges.

Despite huge investments in people, process and technology to mitigate these risks, breaches continue to happen. This begs a question of what table stakes things can companies do to protect themselves.  Based on the experiences of more than 100 clients that use SecurEnds CEM in conjunction with other technologies, we’ve compiled a list of best practices to help you build a solid privileged account management program. While few of our customers have User Analytics Behaviors and other sophisticated technologies in their roadmap, most others are reaping the benefits of these: 

• Every account is established using a robust, predetermined, and preapproved access policy that defines the access capabilities each individual requires based on their HR function, limiting the chances of establishing overprovisioned accounts that become orphaned accounts.
• Quickly deprovision accounts that are no longer required, keeping an eye on accounts established for a specific project or a member of the Tiger team. 
• Implement a privileged access management (PAM) solution to regulate and monitor the behavior of privileged users, including their access to critical systems and data.
• Provide privileged user training that goes beyond the foundational security training focusing on educating the user on their elevated rights and how to exercise an appropriate level of caution given their greater security responsibility within the program.
• Take advantage of SecurEnds CEM micro-certification feature using identity filter, which permits snap evaluations outside of normal review cycle. Micro certifications can be performed on common account types such as Domain Administrator Accounts, Local Administrator Accounts, Emergency Access Accounts, Application Accounts, System Accounts, and others.

Interested in learning how SecurEnds can help you manage privileged accounts?

Request a 30-minute demo and our solution engineering team will walk you through how our cloud product can help you gain control of your most important asset.