Irrespective of the size of the organisation, poor management of privileged accounts represents the greatest risk to its cyber security.
Challenges in tackling the management of privileged accounts fall into two main categories. The first involves control. Being able to successfully manage users accessing the right resources at the right time dramatically reduces the risk of a breach.
55% of all cyber attacks last year were carried out by insiders, people who already had access to an organisation's IT systems (IBM's 2015 Cyber Security Intelligence Index, a figure that counts inadvertent actors as well as malicious ones). Privileged accounts are made available to administrators and super users, and now routinely to external service providers, yet it is the control and monitoring of how those credentials are used that causes the problem.
However, the vast majority of firms are, for legacy reasons, reliant on directory services to control access to and manage the users of their network infrastructure. The problem is that granting access through a directory is easy, but actively controlling it, or revoking it cleanly, is hard: group memberships accumulate over years and are rarely reviewed.
IT pros often need remote access to infrastructure. It is the nature of the job. We operate in a business environment in which flexible, location-independent working is increasingly viewed as a productivity enabler. Furthermore, external third parties and contractors now routinely make up part of the IT administrative workforce.
Using directory services to control IT admin access requirements is extremely difficult. To give you an idea: my company conducted a survey of IT professionals which revealed that half the respondents would find it difficult to identify whether an ex-employee or ex-contractor still had access.
In other words, they could be leaving the door wide open to the abuse of privileged rights.
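The check a practitioner would want here is a reconciliation of who actually sits in the privileged groups (nested groups resolved) against the HR leavers feed and last-logon data. The script below is an added example and not from the original article; the directory export, user attributes and leavers list are constructed data, and in a real run they would come from the directory itself and the HR system.

```python
"""Reconcile privileged directory-group membership against the HR leavers list.

Constructed example data: GROUPS and USERS stand in for a directory export,
LEAVERS for an HR feed. Group names and accounts are made up.
"""
from datetime import date

# Constructed directory export. Nested groups are written as "group:<name>".
GROUPS = {
    "Domain Admins": ["alice", "group:Tier0 Ops", "svc_backup"],
    # Deliberate membership cycle: Tier0 Ops contains Domain Admins again.
    "Tier0 Ops": ["bob", "group:Contractor Ops", "group:Domain Admins"],
    "Contractor Ops": ["carol", "dave"],
    "Helpdesk": ["erin"],
}

# Constructed user attributes: enabled flag and last interactive logon.
USERS = {
    "alice": {"enabled": True, "last_logon": date(2024, 5, 30)},
    "bob": {"enabled": True, "last_logon": date(2024, 1, 2)},
    "carol": {"enabled": True, "last_logon": date(2024, 5, 28)},
    "dave": {"enabled": False, "last_logon": date(2023, 11, 9)},
    "erin": {"enabled": True, "last_logon": date(2024, 5, 29)},
    "svc_backup": {"enabled": True, "last_logon": None},
}

# Constructed HR leavers feed: account -> leaving date.
LEAVERS = {"carol": date(2024, 4, 30), "dave": date(2023, 11, 10)}

PRIVILEGED_GROUPS = ["Domain Admins"]
TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible


def resolve_members(groups, name, _seen=None):
    """Flatten nested group membership, tolerating cycles."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for m in groups.get(name, []):
        if m.startswith("group:"):
            members |= resolve_members(groups, m[len("group:"):], seen)
        else:
            members.add(m)
    return members


def audit_privileged_access(groups, users, leavers, today, max_idle_days=90):
    """Return (account, group, reason) for every privileged member that needs review."""
    findings = []
    for grp in PRIVILEGED_GROUPS:
        for acct in sorted(resolve_members(groups, grp)):
            attrs = users.get(acct)
            if attrs is None:
                findings.append((acct, grp, "not_in_directory"))
                continue
            # A leaver still holding membership is the urgent case, even if disabled:
            # the account can be re-enabled and inherits the rights immediately.
            if acct in leavers and leavers[acct] <= today:
                findings.append((acct, grp, "left_organisation"))
                continue
            if not attrs["enabled"]:
                findings.append((acct, grp, "disabled_but_still_member"))
                continue
            last = attrs["last_logon"]
            if last is None:
                findings.append((acct, grp, "never_logged_on"))
            elif (today - last).days > max_idle_days:
                findings.append((acct, grp, "stale_no_logon"))
    return findings


def run_audit():
    """Run the audit over the constructed data."""
    return audit_privileged_access(GROUPS, USERS, LEAVERS, TODAY)


if __name__ == "__main__":
    for acct, grp, reason in run_audit():
        print(f"{acct:12} {grp:15} {reason}")
```

Two things worth noting in the output: the cycle between Tier0 Ops and Domain Admins does not break the resolution, and the service account with no interactive logon is flagged too, which is the usual noise such a review produces and the reason service accounts should be inventoried separately from human administrators.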
The next challenge of managing privileged users, distinct from control although related to it, is visibility. You may know you have a set of privileged users who log in to critical infrastructure or to systems holding sensitive data, but how do you know when they did so, for how long, and what they did during those sessions?
A common misconception is that the risk lies with the privileged accounts rather than with the users who hold them. In most cases IT infrastructure has developed organically. Networks have grown over time.
Legacy systems that support the business do not receive the security scrutiny they should. Very often shared accounts are still used for administrative access to these servers and devices, and they are problematic for several reasons.
When a user leaves or has their access revoked, the shared credentials must be changed and the new ones communicated to everyone else who uses them. If the credentials are rarely used, this increases the chance that passwords are stored insecurely or written down.
That was the case at Sony Pictures, where unprotected text files full of user names and passwords were saved on the network. Shared accounts also mean that, in the event of a breach, your visibility of the network and your ability to attribute actions to an individual are both poor.
Five conditions that must be met for the effective management of privileged users:
Being able to define, grant and easily revoke access to each system for each privileged user is a must.
Shared accounts have got to go. Organisations should be able to generate, hide, disclose, change and rotate the passwords of target systems, and to keep them in a certified password vault.
The ability to view and control the connections and user activity on systems, and to generate alerts on events. This is a big help not only for compliance but also in the event of a breach.
The ability to create a reliable and enforceable audit trail of all privileged user activity on the target systems.
The ability to watch video recordings of privileged user sessions.
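The first and third conditions, per-system grants and alerts on events, can be checked together by running the login records of the target systems against the current grant table. The script below is an added example and not from the original article; the grant table, the shared-account list and the sshd-style log lines are constructed, and the log format is assumed to be the usual `Accepted <method> for <user> from <addr>` line that OpenSSH writes.

```python
"""Check privileged logins against per-system grants and flag shared accounts.

Constructed example: GRANTS and SAMPLE_LOG are made up; hosts and users are
placeholders.
"""
import re
from datetime import datetime

# Constructed grants: user -> {host: (granted_at, revoked_at or None)}.
GRANTS = {
    "alice": {"db01": (datetime(2024, 1, 1), None)},
    "bob": {
        "db01": (datetime(2024, 1, 1), datetime(2024, 5, 15)),  # revoked
        "web01": (datetime(2024, 1, 1), None),
    },
}

# Accounts that cannot be attributed to a single person.
SHARED_ACCOUNTS = {"root", "admin", "administrator"}

# Constructed sshd-style log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-05-20T09:00:01Z db01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50111 ssh2
2024-05-20T09:05:12Z db01 sshd[1230]: Accepted publickey for bob from 10.0.0.7 port 50112 ssh2
2024-05-20T09:07:44Z web01 sshd[877]: Accepted publickey for bob from 10.0.0.7 port 50113 ssh2
2024-05-20T09:10:00Z db01 sshd[1244]: Accepted password for root from 10.0.0.9 port 50114 ssh2
2024-05-20T09:12:30Z db01 sshd[1250]: Accepted publickey for erin from 203.0.113.4 port 50115 ssh2
2024-05-20T09:13:00Z db01 sshd[1251]: Failed password for invalid user test from 203.0.113.4 port 50116 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_logins(text):
    """Return a dict per successful login; failed attempts and other lines are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        logins.append(rec)
    return logins


def check_logins(logins, grants, shared):
    """Return (ts, host, user, reason) for each login that should raise an alert."""
    alerts = []
    for rec in logins:
        user, host, ts = rec["user"], rec["host"], rec["ts"]
        if user.lower() in shared:
            alerts.append((ts, host, user, "shared_account_not_attributable"))
            continue
        grant = grants.get(user, {}).get(host)
        if grant is None:
            alerts.append((ts, host, user, "no_grant_for_host"))
            continue
        granted_at, revoked_at = grant
        # A grant only covers logins inside its validity window.
        if ts < granted_at or (revoked_at is not None and ts >= revoked_at):
            alerts.append((ts, host, user, "grant_not_active"))
    return alerts


def run_check():
    """Run the check over the constructed log and grant table."""
    return check_logins(parse_logins(SAMPLE_LOG), GRANTS, SHARED_ACCOUNTS)


if __name__ == "__main__":
    for ts, host, user, reason in run_check():
        print(f"{ts.isoformat()} {host:6} {user:8} {reason}")
```

The three alerts it raises map directly onto the conditions above: bob's login to db01 after his grant was revoked (control), the root login that cannot be tied to a person (the shared-account problem), and erin reaching db01 with no grant at all (visibility). A session recorder or audit trail would answer the follow-up question of what each of them did once connected.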
In a world where any external attempt to access a company network is (rightly) vetted through multiple authentication procedures, it remains surprising, and frankly alarming, how much trust is conferred on people who are already on the inside.