Access to applications, servers and network resources is the cornerstone of enterprise IT, which is all about enabling connectivity. Not every account should have full access to everything in an enterprise, however, which is where super user or privileged accounts come into play.
With a privileged account, a user has administrative access to enterprise resources, a capability that should be closely guarded. As fans of Marvel Comics know well, with great power comes great responsibility. Privileged access management (PAM) is a way to limit access to those critical assets and prevent data breaches.
PAM and identity and access management (IAM) are similar security technologies, but the difference between what the two protect is night and day: IAM gives general users access to front-end systems, while PAM gives admins and other privileged users access to back-end systems. Think of it this way: A front-end user might be able to change or add data in a database; a back-end user has access to the entire database, thus the need for greater security.
So how should an organization protect its privileged accounts? That's a question that Paul Lanzi, co-founder and COO at Remediant, tackled in a session at the Black Hat USA conference in August. Lanzi outlined five steps that organizations can take to secure privileged access, based on experience deploying PAM across over 500,000 endpoints.
1. Beware local accounts
Once a user gets administrative rights for a system, more often than not, the user will create a secondary or local account that still has full access but isn't properly identified in a directory system like Active Directory.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"Discovering all the local accounts is often the most surprising thing for security teams because they assume all the accounts listed in Active Directory are domain accounts," Lanzi said. "In fact, the way that Active Directory works, you can have local accounts, and that's often where little pockets of privileged access hide out."
Lesson: Monitor for local admin accounts.
2. Stay tuned
Administrative rights are always changing. Lanzi said that every one of the enterprises he has worked with has at some point done an Active Directory cleanup project. What typically happens, however, is even after a directory cleanup, there tends to be a reversion, with old accounts coming back.
"Over time, admins tend to accrete more and more privileged access, it never really goes away," Lanzi said.
Lesson: Continuously monitor privileged accounts.
3. Session recording is not a panacea
While continuous monitoring of privileged access is important, the flip side of that is that some organizations will have session recording for every action performed by a privileged account.
Few if any enterprises actually look at the privileged account session recordings. What ends up happening in Lanzi's experience is that the session recording feature will end up slowing down some types of operations.
Just like a home DVR (digital video recorder), he noted that no one really watches what they record with session recording. Hackers also generally can easily bypass session recording with different techniques.
Lesson: Session recording has marginal utility.
4. Focus on access, not credentials
There is a movement in IT toward using fewer passwords in favor of using additional forms of strong authentication.
As such, password vault solutions are of limited utility, as simple credentials are not the only way that access is being granted.
Lesson: Focus on access instead of just credentials, which are going to get compromised.
5. Watch for lateral movement
One of the most common things that attackers do when exploiting an organization is to exploit one set of credentials and then move laterally.
"Privileged access should be the bulwark against lateral movement in the enterprise," Lanzi said.
Lesson: Use PAM solutions to control account access and limit the risk of lateral movement.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.