In 2020, there are a host of privileged access management (PAM) tools available, each with their own set of cool features. But the success of your PAM solution implementation isn’t solely reliant on the PAM provider you choose, but also on how your organization defines and views PAM. Regardless of which PAM platform(s) your organization chooses to deploy, there are many factors to consider when establishing deployment deadlines. Those factors include:
- What does the term “privileged account” mean in my organization? Is that definition consistent across all business units with privileged accounts?
- How many privileged accounts exist in the enterprise environment? Do you know? How confident are you in that number?
- How will this tool impact day-to-day activities?
- Do I have leadership buy-in for the implementation of this tool?
- What if I lose access to this tool? Are there tested/effective break-glass procedures?
In this post, we will look at how to define PAM within your business, how to identify and categorize privileged accounts, how to prioritize privileged accounts, and how to build your roadmap to PAM success.
“Managing privileged accounts is an important, yet complicated task…. Allocating the time necessary to defining, identifying, and prioritizing your privileged access will help ensure a successful implementation.”
The Keys to the Kingdom
Don’t assume that the term “privileged accounts” has a consistent, well-understood definition within your organization. Often, privileged accounts are described as the “keys to the kingdom.” While that statement may be true, it may not convey how broadly privileged access is deployed across your enterprise.
Privileged accounts pose significant operational, legal, and reputational risks to your organization if not secured effectively.
While privileged accounts are widely considered to be accounts used to manage servers and workstations, you should also ensure your organization’s definition covers:
- Local server/workstation admin accounts
- Application accounts
- Help desk/support accounts with higher privileges
- Mainframe accounts
- Network accounts
- Database accounts
- Cloud-based admin accounts
- Privileged business users
- Service accounts
- Machine-to-machine accounts
Identification and Categorization of Privileged Accounts
As part of building a PAM program, it is necessary to onboard and secure privileged accounts. To do this, the accounts on the network need to be identified. To expedite this process, it is highly recommended that you perform a CyberArk Discovery and Audit (DNA) scan of your environment. This scan will generate detailed reports on the accounts that reside on and have access to each server.
The reports generated provide additional context to each of the accounts, for example:
- Password age
- Last login date
- SSH keys
- Vulnerabilities to golden ticket/pass-the-hash
- Embedded and hard-coded credentials
If CyberArk DNA is not permitted, alternative methods for gaining this information from network scanners (such as ForeScout) should be employed.
Once privileged accounts have been identified, each account will need to be attributed to a specific owner(s) and classified into their respective categories (e.g., Domain Administrator, Local Server Account, Root Account, Database Account, Service Account, etc.).
DNA Considerations
- Your cybersecurity team may need to review the DNA tool prior to running it against your production environment.
- Network ports may need to be opened for DNA to scan successfully.
- DNA scans may complete in as little as 4 minutes but may take up to 4 hours or longer depending on the size of your network.
Please Note: DNA is simply a tool to identify what accounts should be onboarded. It does not offer any direct way of automating or triggering an onboarding process.
Prioritization of Privileged Accounts
After privileged accounts have been identified and categorized, the accounts need to be analyzed against a number of pre-defined risk criteria to determine which are the most important and vulnerable. Examples of these criteria include:
- Likelihood of compromise
- Potential to jeopardize critical infrastructure
- Impact to organizational reputation if compromised
- Risk the privileged accounts could be abused by staff
- Financial risk of compromise
Once potential vulnerabilities are identified in the existing PAM program, a phased approach should be leveraged to address accounts that can be rapidly remedied in the short term and then those that require long-term planning to address.
Build Your Roadmap
When building your roadmap, priority should be given to addressing the highest risk accounts first and/or the accounts that, if compromised, could do the most harm to your organization.
Breaking your roadmap into the following eight phases can help bring focus and structure to your roadmap. Please note the amount of time needed to onboard these accounts will depend on the number of accounts and complexity of your environment.
Phase 1: |
Windows Server Local Admin Accounts AD Domain Admin or Higher Privileged Accounts |
Phase 2: |
*nix Root Accounts User Privileged AD Accounts |
Phase 3: |
Windows Workstation Local Admin Accounts Windows Local Service Accounts |
Phase 4: |
Database: Microsoft SQL, Oracle, and DB2 local admin accounts (built-in) |
Phase 5: | Network Accounts |
Phase 6: |
Application Accounts with Hard-Coded Credentials |
Phase 7: |
Cloud Accounts |
Phase 8: |
Mainframe Accounts |
When planning your roadmap, also focus on the following:
- Eliminate irreversible network takeover attacks
- Control and secure infrastructure accounts
- Limit lateral movement
- Protect credentials for third-party applications
- Manage *nix SSH keys
- Defend DevOps secrets in the cloud and on-premise
- Secure SaaS admins and privileged business users
- Prioritize the most critical areas to best protect your business, but do not lose sight of these for future initiatives.
Managing privileged accounts is an important, yet complicated task. Many organizations operate highly complex infrastructures and disparate systems that run on multiple operating systems. Managing and controlling access to these privileged accounts is further complicated by the pace of the workforce and responsibility changes over time. Allocating the time necessary to defining, identifying, and prioritizing your privileged access will help ensure a successful implementation.
Want more cybersecurity guides and insights?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.