How to ensure control of your privileged accounts with PEDM
It is well known that hackers wreak havoc around the world with advanced cyberattacks targeting a company’s most valuable assets. Another worrying scenario is the existence of malicious people inside a company who disclose confidential information to the public or take actions to cause internal damage.
Most of these violations are due to the theft, abuse, or misuse of a privileged account. Privileged accounts allow anyone to control company resources, disable security systems, and access large amounts of confidential information. Given this, it is perfectly natural to consider the risks of privileged accounts as one of the greatest security threats a company faces today.
Privileged accounts are a risk to a company’s security strategy and need unique controls in place to protect, monitor, detect, and respond to all privileged account activities.
The first step in managing and controlling the use of your privileged accounts is to identify where those accounts are and then establish usage guidelines through appropriate policies. Below, we show how you can take these steps cooperatively with your team.
Who are the users of your privileged accounts?
Companies tend to ignore the wide range of access to privileged accounts. Anonymous, unverified access to these accounts leaves a company open to abuse that can paralyze its operation entirely. It is therefore necessary to map the existing privileged accounts and verify which users have access to them. After all, it is impossible to manage something we do not know about.
Check below the possible types of privileged accounts in your company and the associated risks.
- Third-party Suppliers – Privileged access is granted to perform a job function, allowing contractors to work on the company’s infrastructure. Once inside, third-party contractors have unrestricted access to elevate privileges to confidential data across the company.
- Cloud Server Managers – Business processes, such as finances, HR, and purchases, are shifting to cloud applications, exposing corporate assets to high risks due to the broad access granted to cloud administrators.
- System Administrators – For almost all devices in an IT environment, there is an account with shared and elevated privileges and unrestricted access to your operating systems, networks, servers, and databases.
- Application and Database Administrators – Application and database administrators have broad access to manage the systems to which they are assigned. This access allows them to also connect to virtually any other database or application found in a company.
- Business Users – Senior executives and IT staff often have privileged access to business applications that contain sensitive data. In the hands of the wrong person, these credentials provide access to corporate financial data, intellectual property, and other confidential data.
- Social Networks – Privileged access is granted to manage the company’s internal and external social networks. Employees and contractors have privileged access to write to these social network accounts. Improper use of these credentials can lead to a public acquisition, damaging a company’s brand or an employee’s reputation.
- Applications – Applications themselves use privileged accounts to communicate with other applications, scripts, databases, web services, and more. These accounts are an often overlooked and significant risk, as in most cases they are hard-coded. A hacker will use these attack points to scale privileged access across the company.
Establishing a policy to align risk management with business goals
Best practices recommend that companies create, implement, and enforce a privileged account security policy to reduce the risk of a serious breach. Effective corporate security and compliance begin with a well-executed business policy. An initial policy approach ensures that exposure to external threats, insider threats, and improper use is reduced and that the organization complies with government and industry regulations.
Implementing the principle of least privilege
The principle of least privilege deals with the idea that any user, program, or process must have only the minimum privileges necessary to perform a role. For example, a user account created to extract records from a database does not need administrator rights, whereas a developer whose primary role is to update legacy code does not need access to financial records.
The principle of least privilege can be applied at all levels of a system. It applies to end users, systems, processes, networks, databases, applications, and all other aspects of an IT environment.
Below, we list the best practices for implementing the principle of least privilege in your business.
- Start with an audit – Check all existing accounts, processes, and programs to ensure that they only have the permissions required to do their job.
- Start all accounts with the least privilege – The default privileges for every new account should be set as low as possible. Add specific higher-level capabilities only as needed to get the job done.
- Enforce separation of privileges – Separate administrator accounts from standard accounts and top-level system roles from lower accounts.
- Make individual actions traceable – User IDs, one-time passwords, automatic monitoring, and auditing make it easier to track actions and limit the damage.
- Be consistent – Auditing privileges regularly avoids a situation in which older users, accounts, and processes accumulate privileges over time, regardless of whether they still need them or not.
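The audit these practices describe can be run as a repeatable check. The sketch below is an added example, not part of the original article: it compares each account's granted privileges with a per-role baseline and flags excess rights, privileges that have gone unused, and shared accounts that break traceability. The role names, privilege strings, accounts, and the 90-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed baseline: the privileges each role needs to do its job.
ROLE_BASELINE = {
    "report-reader": {"db:read"},
    "developer": {"repo:write", "ci:run"},
    "dba": {"db:read", "db:write", "db:admin"},
}

# Constructed inventory; each privilege maps to the date it was last used.
ACCOUNTS = [
    {"name": "svc-reports", "role": "report-reader", "users": ["svc-reports"],
     "privileges": {"db:read": date(2024, 5, 28), "db:admin": date(2023, 1, 10)}},
    {"name": "jdoe", "role": "developer", "users": ["jdoe"],
     "privileges": {"repo:write": date(2024, 5, 30), "ci:run": date(2023, 12, 1),
                    "finance:read": date(2023, 11, 2)}},
    {"name": "root-db01", "role": "dba", "users": ["alice", "bob", "vendor-x"],
     "privileges": {"db:read": date(2024, 5, 30), "db:write": date(2024, 5, 30),
                    "db:admin": date(2024, 5, 30)}},
]

def audit(accounts, baseline, today, stale_days=90):
    """Return sorted (account, finding, detail) tuples for least-privilege gaps."""
    findings = []
    for acct in accounts:
        needed = baseline.get(acct["role"], set())  # unknown role: nothing is needed
        for priv, last_used in acct["privileges"].items():
            if priv not in needed:
                # Granted beyond the role's baseline: candidate for removal.
                findings.append((acct["name"], "excess", priv))
            elif (today - last_used).days > stale_days:
                # In the baseline but unused: privilege accumulated over time.
                findings.append((acct["name"], "stale", priv))
        if len(acct["users"]) > 1:
            # Several people behind one account: actions are not traceable.
            findings.append((acct["name"], "shared", ",".join(sorted(acct["users"]))))
    return sorted(findings)

if __name__ == "__main__":
    for name, kind, detail in audit(ACCOUNTS, ROLE_BASELINE, date(2024, 6, 1)):
        print(f"{name:12} {kind:7} {detail}")
```
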
Using PEDM (Privilege Elevation and Delegation Management) solutions
Monitoring and managing accounts with privileged access is one of the top requirements of the main information security compliance standards that establish best practices in the area. PAM (Privileged Access Management) tools are great allies in this activity, as they help companies to ensure secure access to critical information and reduce security risks by controlling, monitoring, recording, and auditing the activity of privileged users.
PEDM (Privilege Elevation and Delegation Management) is a PAM approach that can be implemented within a company. PEDM is the solution that implements the principle of least privilege.
A PEDM tool controls the scheduling of privileged accounts and allows elevating and delegating privileged tasks to non-administrator users who require temporary access to target systems. After the privileged tasks are completed, access rights are revoked.
Below we list the main benefits of PEDM solutions for managing privileged access in your company.
- They eliminate super-privileged users who can introduce risks to your IT network.
- They implement a zero local administrator policy. They grant privileges at a granular level, assigning specific rights to perform a specific action.
- They establish security policies for applications and processes, rather than per user.
- They facilitate productivity. Non-administrator users can still perform tasks with adapted privileges.
- They protect assets with workflows combined with user access, use of credentials, and limitation of local rights.
- They protect critical systems through session control and precise management of applications and processes.
- They track and monitor activity with full session recording and logs for local devices.
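The elevate, delegate, and revoke cycle described above can be modeled in a few lines. This is an added example, not code from the original article and not senhasegura's product or API: a toy broker that grants one named action on one target for a limited time, revokes it on completion or expiry, and logs every decision. The class, policy format, user, host, and action names are constructed assumptions.

```python
from datetime import datetime, timedelta

class ElevationBroker:
    """Toy PEDM broker: one named action, on one target, for a limited time."""

    def __init__(self, policy):
        self.policy = policy    # {(user, target): {delegable actions}}
        self.grants = {}        # {(user, target, action): expiry}
        self.audit_log = []     # (time, user, target, action, event)

    def _log(self, now, key, event):
        self.audit_log.append((now, *key, event))

    def request(self, user, target, action, now, minutes=15):
        """Grant the action only if policy delegates it; never a blanket admin role."""
        key = (user, target, action)
        allowed = action in self.policy.get((user, target), set())
        if allowed:
            self.grants[key] = now + timedelta(minutes=minutes)
        self._log(now, key, "granted" if allowed else "denied")
        return allowed

    def run(self, user, target, action, now):
        """Allow execution only under a live grant; expired grants are removed."""
        key = (user, target, action)
        expiry = self.grants.get(key)
        if expiry is None:
            event = "blocked"
        elif now >= expiry:
            del self.grants[key]
            event = "expired"
        else:
            event = "executed"
        self._log(now, key, event)
        return event == "executed"

    def complete(self, user, target, action, now):
        """Revoke the grant as soon as the privileged task is finished."""
        key = (user, target, action)
        if self.grants.pop(key, None) is not None:
            self._log(now, key, "revoked")

if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, 9, 0)  # constructed scenario
    broker = ElevationBroker({("jdoe", "web01"): {"restart-nginx"}})
    broker.request("jdoe", "web01", "add-local-admin", t0)   # not delegated
    broker.request("jdoe", "web01", "restart-nginx", t0)
    broker.run("jdoe", "web01", "restart-nginx", t0 + timedelta(minutes=5))
    broker.complete("jdoe", "web01", "restart-nginx", t0 + timedelta(minutes=6))
    broker.run("jdoe", "web01", "restart-nginx", t0 + timedelta(minutes=7))
    for entry in broker.audit_log:
        print(*entry)
```
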
senhasegura, among the best PEDM solutions in the world
Gartner, one of the most respected technology research and consulting institutions in the world, has recently released a new report called Critical Capabilities for PAM, in which PAM technologies and their ability to run and provide the functionalities needed for the cybersecurity universe are assessed. The document, which assesses the three critical pillars of PAM (PASM, PEDM, and Secret Management), has placed senhasegura in the top 3, among the main global companies that offer these resources.
This is an important report to assist leaders in risk and security management to gain more technical knowledge when choosing any of the PEDM providers present in the Magic Quadrant.
Download Gartner’s 2020 Critical Capabilities report here.