Best Practices for Privileged Access Management
By: John Hathaway, Regional Sales Director, Middle East, BeyondTrust
Privileged password management, sometimes called enterprise password management, refers to the practice and technique of securely controlling credentials for privileged accounts, services, systems, applications, and more. But unfortunately, with so much power inherent in privileged credentials, they are ripe for abuse by insiders and are highly coveted by hackers. Password attacks come from all angles. Some programs, such as John the Ripper and L0phtCrack, can even crack complex passwords, while Pass-the-Hash toolkits can be lethal without even cracking the password. In fact, according to the 2017 Verizon Data Breach Investigation Report (DBIR), a whopping 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
For holistic management of privileged accounts and credentials, there are eight core areas that you should focus on. Most likely, achieving holistic enterprise password management will follow the course of a graduated approach but let me share some insights on where to start and how to proceed.
Discover all shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts, and other privileged credentials – including those used by third-parties/vendors–across your on-premise and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services / daemons, firewalls, routers etc. This process should also entail the gathering of user account details that will help assess risk, such as privilege level, password age, date logged on, and expired, and group membership and services with dependencies to the account. Discovery should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:
• Long-forgotten orphaned accounts that could provide an attacker with a backdoor to your critical infrastructure
• Passwords with no expiration date
• Inappropriately use of privileged passwords—such as using the same Admin account across multiple service accounts
• SSH keys reused across multiple servers
Bring privileged accounts and credentials under centralized management: Optimally, the onboarding process happens at time of password creation, or otherwise, shortly thereafter during a routine discovery scan. Silos of individuals or teams independently managing their own passwords are a recipe for password sprawl and human error. All privileged credentials should be centrally secured, controlled, and stored. Ideally, your password storage supports industry-standard encryption algorithms, such as AES 256 and Triple DES.
Implement password rotation across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability.
Bring application passwords under management: Simply put, this requires deploying a third-party application password management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, you can wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates. And, by bringing the application password under management and encrypting it in a tamper-proof password safe, the credential and underlying applications are vastly more secure than when the passwords remained static and stranded within code.
Bring SSH keys under management: NIST IR 7966 offers guidance for businesses, government organizations, and auditors on proper security governance for SSH implementations that include recommendations around SSH key discovery, rotation, usage, and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and pass phrases, and ensure each system has a unique key pair.
Implement Privileged Session Management to improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control over privileged sessions. IT needs to be able to audit privileged activity for both security and to meet regulations from SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more. Auditing activities can also include capturing keystrokes and screens (allowing for live view and playback).
Threat Analytics: To mitigate risk, and evolve your policy as needed, you should continuously analyze privileged password, user, and account behavior, and be able to identify anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation, can accelerate your awareness and orchestrated response to threats, such as enabling you to immediately lock an account or session, or change a password, such as when incorrect passwords (as with a brute force or dictionary attack) have repeatedly tried to gain access to a sensitive asset.
Automate Workflow Management: While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle. Third party, privileged password management solutions can also help automate:
• Grouping and management of assets in accordance to Smart Rules
• Workflows for device access, including an approval process for when administrative access is required. Consistent with least privileged access, you may want to implement context to workflow requests by considering, and potentially restricting access depending on the account, day, date, time, timeframe, and location (IP addresses) when a user accesses resources
• Workflows to accommodate fire-call / break-glass requests to ensure access to password-managed systems afterhours, on weekends, or in other emergency situations
• Check in and check out passwords from the password safe and automated authentication / Single Sign On (SSO) for the user without any manual log-in requirements
• Logon of users for RDP and SSH sessions, without revealing passwords
• Triggers requesting a supervisor’s approval in order to checkout highly sensitive credentials
• Commencement of privileged session monitoring and alerting of any sensitive or suspicious activity
The ultimate goal of privileged password management is to reduce risk by identifying, securely storing, and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege, and should be a foundational element of any organization’s privileged access management (PAM) initiatives.