Privileged Access Management Best Practices
Privileged Access Management (PAM)
Traditionally, organizations have maintained dozens, if not hundreds, of privileged accounts to enable essential administrative tasks in the IT ecosystem. However, these privileged credentials represent a serious security risk, since they can be taken over by attackers or misused by their owners, either accidentally or deliberately. Therefore, privileged access management focused primarily on locking down those accounts, resulting in a complex and never-ending struggle to reduce risk.
Modern privileged access management takes a vastly different approach: providing each admin with just enough access to perform a specific task and for only as long as it takes to perform that task. This eliminates the need to have all those standing privileged accounts at all, slashing both management overhead and security risk. Below, we detail the best practices involved in minimizing the security risks associated with standing privileged accounts. Then we explore the modern alternative and offer a proven solution for implementing it.
Best Practices for Traditional Privileged Account Management
- Maintain an up-to-date inventory of all privileged accounts. Be sure to inventory accounts from critical Active Directory groups, such as Domain Admins, as well as root accounts for *nix servers. But also remember to include system admins for your mainframe systems; databases; business applications like SAP and other high-risk applications; and network devices like firewalls, routers and phone switches. The inventory should identify the owner of each privileged account and their contact information, as well as the system components the account is associated with and their primary locations in the office. Keep your inventory of privileged accounts updated and document all changes.
- Do not allow admins to share accounts. Hold administrators accountable for their actions by personalizing their privileged accounts. Use the default administrator, root and similar accounts only when absolutely necessary; it is better to rename or disable them.
- Minimize the number of privileged accounts. Ideally, each admin should have only one privileged account for all systems.
- Create a password policy and strictly enforce it. Follow password best practices, including these:
  - Change the password on each device so you are not using the default password.
  - Avoid using hard-coded passwords in applications and appliances.
  - Require privileged account passwords to be changed regularly to reduce the risk of departing employees compromising your systems.
- Require multifactor authentication for privileged accounts. Options include hard tokens, soft tokens, push-to-authenticate/approve, NFC, Bluetooth beacons, GPS/location information and fingerprints. A password alone is not enough.
- Limit the scope of permissions for each privileged account. Many privileged accounts have no limits; they have full access to everything. To minimize risk, you should enforce two key principles:
  - Separation of duties — No employee can perform all privileged actions for a given system or application.
  - Least privilege — Employees are granted only the bare minimum privileges needed to perform their jobs.

  Useful strategies include delegating permissions in Active Directory and setting up role-based access control (RBAC) in every system that you use.
- Use privilege elevation best practices. When users need additional access rights, they should follow a documented request and approval process, either on paper or using a ticket in a privileged access management system. Upon approval, elevate the user’s privileges only for the time period required to perform the specified task. Similarly, IT admins should use their privileged accounts only when they need the elevated permissions for a specific task; they should use their regular accounts otherwise.
- Monitor and log all privileged activity. To reduce the risk of data breaches and downtime, be vigilant about what actions privileged users are taking by using a variety of logging and monitoring techniques. Implement traditional security controls, such as firewalls and network access controls, that limit access to systems — particularly critical systems like your intrusion detection system or identity and access management (IAM) solution. All of these systems should have logging enabled, and you should also enable system logging of logon/logoff events and other actions of privileged users. You also need real-time monitoring of privileged user activity and the ability to alert appropriate staff about critical actions. Creating these alerts requires the information in the logs to be clear and understandable, which is not the case natively for many computing platforms; however, you can use IT auditing software that will solve this problem.
- Extend your privileged access protection past the firewall. Don’t forget about accounts associated with social media, SaaS applications, partners, contractors and customers; they should also be protected according to your privileged account management policy.
- Analyze the risk of each privileged user. Continually use risk assessment to assess the danger each privileged user poses, and focus on investigating and securing the riskiest accounts first.
- Bring service accounts under management. Service accounts often have elevated privileges to data and infrastructure, so they need to be protected through automated management. For example, their passwords should be frequently rotated without causing any workflow interruptions.
- Secure cloud-based privileged accounts. With more workflows shifting to the cloud each year, it’s essential to apply the same privileged access management best practices used for on-premises systems to accounts that give privileged access to cloud-based systems and services, such as Azure Active Directory accounts.
- Review privileged access rights at appropriate intervals (at least once a month) and regularly review privileged permissions assignments. Document all changes in detail.
- Educate users. Give your staff the information they need to succeed and be sure to update them about policies and procedures whenever there is a change to their daily routine. Everyone — including not just admins but all users — should know how to properly manage and use their privileged credentials.
- Document your account management policies and practices. Last but certainly not least, make sure your rules and processes are explicitly written down and signed by management, so everything is clear and enforceable.
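Several items in the checklist above can be verified mechanically once the inventory exists. The following is an added example, not code from the article or from any vendor product: it audits a constructed CSV inventory for missing owners, default accounts, missing MFA, stale passwords and admins holding more than one privileged account. The column names, sample rows and the 90-day password age are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export; column names and values are assumptions.
INVENTORY_CSV = """account,system,owner,owner_contact,mfa_enabled,password_last_set
adm-jdoe,AD:Domain Admins,jdoe,jdoe@example.com,yes,2024-05-20
adm-jdoe2,SAP,jdoe,jdoe@example.com,yes,2024-05-02
Administrator,AD:Domain Admins,,,no,2021-01-15
root,linux-db01,asmith,asmith@example.com,no,2024-04-30
fw-admin,firewall-01,netops,,yes,2023-11-01
"""

MAX_PASSWORD_AGE_DAYS = 90                 # assumed policy value
DEFAULT_NAMES = {"administrator", "root"}  # built-in accounts to rename or disable


def audit_inventory(csv_text, today):
    """Return {account: [findings]} for rows that violate the checklist."""
    findings = defaultdict(list)
    per_owner = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = row["account"]
        if not row["owner"] or not row["owner_contact"]:
            findings[acct].append("missing owner or contact")
        if acct.lower() in DEFAULT_NAMES:
            findings[acct].append("default account still in use")
        if row["mfa_enabled"].strip().lower() != "yes":
            findings[acct].append("no multifactor authentication")
        age = (today - date.fromisoformat(row["password_last_set"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings[acct].append(f"password unchanged for {age} days")
        if row["owner"]:
            per_owner[row["owner"]].append(acct)
    # One privileged account per admin is the stated ideal.
    for owner, accts in per_owner.items():
        if len(accts) > 1:
            for acct in accts:
                findings[acct].append(f"{owner} owns {len(accts)} privileged accounts")
    return dict(findings)


if __name__ == "__main__":
    for acct, issues in audit_inventory(INVENTORY_CSV, date(2024, 6, 1)).items():
        print(f"{acct}: {'; '.join(issues)}")
```
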
Modern Privileged Access Management
Rigorously following all these best practices for dozens or hundreds of privileged accounts is a challenge — and still leaves organizations with a huge attack surface area, since each account is at risk of being taken over by an attacker or being misused by its owner. Enter third-generation privileged access management:
- Enforce zero standing privilege via ephemeral accounts that have just-enough-privilege. While a standard best practice is to only elevate privilege when needed, this should be taken a step further by removing accounts entirely when they’re not needed. The PAM solution should grant administrators the exact level of privileges needed, exactly when they’re needed, for only as long as they’re needed.
- Implement approvals for privileged session requests. For most critical tasks, there should be an approval workflow in which the privileged session request must be approved or denied by appropriate personnel.
- Maintain an audit trail and recordings for all privileged sessions. Organizations need to track all actions administrators are taking. Some solutions take this a step further by implementing real-time monitoring and historic session recording playback capabilities for privileged user tasks.
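The three practices above form one lifecycle: request, approval, an ephemeral account scoped to the task, removal on expiry, and an audit record of every step. The sketch below is an added example, not the Netwrix product's code or API; the `JitBroker` class, its method names and the rule that requesters cannot approve their own requests are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    requester: str
    task: str
    rights: frozenset
    ttl: int                     # seconds the ephemeral account may live
    account: str = None
    expires_at: float = None
    state: str = "pending"       # pending -> active -> expired


class JitBroker:
    """Hypothetical broker: no privileged account exists until approval."""

    def __init__(self, approvers):
        self.approvers = set(approvers)
        self.sessions = {}
        self.audit = []          # append-only trail of (time, event, detail)

    def _log(self, now, event, **detail):
        self.audit.append((now, event, detail))

    def request(self, now, requester, task, rights, ttl):
        sid = len(self.sessions) + 1
        self.sessions[sid] = Session(requester, task, frozenset(rights), ttl)
        self._log(now, "requested", sid=sid, requester=requester, task=task)
        return sid

    def approve(self, now, sid, approver):
        s = self.sessions[sid]
        # Assumed rule: approver must be authorised and must not be the requester.
        if approver not in self.approvers or approver == s.requester:
            self._log(now, "approval_rejected", sid=sid, approver=approver)
            return False
        s.account = f"tmp-{s.requester}-{secrets.token_hex(3)}"
        s.expires_at, s.state = now + s.ttl, "active"
        self._log(now, "account_created", sid=sid, account=s.account, approver=approver)
        return True

    def allowed(self, now, sid, right):
        s = self.sessions[sid]
        if s.state == "active" and now >= s.expires_at:
            s.state = "expired"  # the account is removed, not merely disabled
            self._log(now, "account_removed", sid=sid, account=s.account)
        ok = s.state == "active" and right in s.rights
        self._log(now, "action", sid=sid, right=right, allowed=ok)
        return ok
```

Times are passed in explicitly so the expiry path can be exercised deterministically; a real broker would read a trusted clock and provision the account on the target system.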
Next Step: Slash your attack surface with the Netwrix Privileged Access Management Solution
The Netwrix Privileged Access Management Solution enables you to closely control the use of privileged access to protect your sensitive data and critical systems and comply with industry and government regulations. It maintains a detailed audit trail of all privileged account activity and alerts you immediately about suspicious behavior so you can minimize security risks. You can even replace your risky standing privileged accounts with ephemeral accounts that provide just enough access for the task at hand — without hurting administrator productivity.
Plus, the Netwrix PAM solution is easy to deploy and use, with a user-friendly interface and customizable dashboards. And it's scalable to meet the needs of your organization today and in the future.