Privileged Access Management (Continued)

In this video, you will learn more about privileged access and what tools you can use to manage this.
The backup account, by its very nature, requires access to most of the information within your organisation in order to back that data up. The backup account will have a username and a password. Who knows the username and password for your backup account? How is it managed? And this ongoing management becomes problematic for organizations, partly because of staff turnover. If you have five domain administrators and they all know the domain admin password and they all know the backup account password, how do you manage accountability around the backup account? How do you enforce accountability? When we looked at identification, authentication, and authorization, we discussed this very topic. We need to be able to enforce accountability.
If we have shared credentials, if multiple people know the credentials, and that account is misused, how can we manage that situation? That is very difficult to do. Ideally, we want to minimize the use of the credentials. We do not use these credentials day to day. Ideally we confer permissions to other groups or other users that allow accountability to be enforced. So instead of using the domain administrator account, what we can do is give people, where necessary, access to the domain administrator level of privilege within their named account.
So, if we have five administrators, each one of them will have their own named domain administrator account, which means that the use of that account can be monitored, and over any transactions we have a degree of accountability. We can also look at separate policies for our privileged accounts. If we have things like password complexity requirements, password histories, and account lockout policies, we can set and define different policies for those privileged accounts. This is good practice. For your normal users, maybe 20 incorrect password logins is OK; it depends on your risk posture. For your privileged accounts, perhaps you want to consider that being a much lower number. With staff turnover, how do we manage those accounts and the passwords?
In small organizations this can be easily done. This can be managed in a relatively straightforward manner. In larger organizations this becomes very complicated. We start to see a complexity arising from the large number of posts that may have access to this information. Ideally, we don't use the admin account at all; we use one with equivalent privileges. This helps manage the situation for us. So avoid shared keys where possible, and we need strong processes to govern this. And we need good levels of accounting and reporting to tell us when these accounts are being used or potentially to identify when they're being misused.
For privileged access management, if we’re going to grant people privileged access, we may want to consider trying to support this through the use of different approaches to the identification process and the credential issuance process. So we may wish to undertake enhanced screening for individuals. Maybe we do better background checks. And this is very common within government and military environments. Even within some commercial environments, now we see criminal records checks becoming standard for large enterprises, especially where financial responsibility is attached. Perhaps we have enhanced policy controls. As we’ve said, we can start to look at requiring increased password changes, more complex requirements, longer password length.
We can also require different levels, different types of factors, and more factors for the privileged accounts, if they're going to be used. So where we may want a straightforward access paradigm for day-to-day users, for our privileged users, maybe all transactions are multi-factor authentication.
We can also look at enhanced auditing. We mentioned the use of SIEM systems, but perhaps we keep our logs for longer relating to the use of privileged accounts, and they are reviewed more frequently as well. We may also want more aggressive lifecycle controls. Perhaps each domain administrator, each person with domain administrator privileges, is reviewed on an annual or six-monthly basis. Again, the time varies based on your requirements, but these are all different controls we can try to use to support the increased vigilance that's required around the use and existence of privileged access.
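The accountability problem with shared accounts and the enhanced auditing the video describes can be put into a concrete review step. The script below is an added example, not part of the course material: it walks constructed logon records (shaped loosely like Windows 4624 events; the account names, hosts and field layout are assumptions) and flags any shared privileged account, such as the backup account, being used for an interactive logon, while tallying per-named-admin usage for the periodic review.

```python
"""Review privileged-account logons for shared-credential use (added example)."""
import re
from collections import Counter

# Constructed sample records, not real log data. Field layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z EventID=4624 Account=alice.da LogonType=2 Host=DC01
2024-03-01T08:05:42Z EventID=4624 Account=svc_backup LogonType=5 Host=BKP01
2024-03-01T09:17:03Z EventID=4624 Account=svc_backup LogonType=10 Host=DC01
2024-03-01T10:40:55Z EventID=4624 Account=Administrator LogonType=2 Host=FS02
2024-03-01T11:12:30Z EventID=4624 Account=bob.da LogonType=10 Host=DC02
2024-03-01T12:00:00Z EventID=4624 Account=alice.da LogonType=10 Host=FS02
"""

# Assumed shared privileged accounts: the backup account and the built-in admin.
SHARED_PRIVILEGED = {"svc_backup", "administrator"}
# Logon type 5 is a service start, the expected use of a backup account.
# Types 2 (console) and 10 (RDP) mean a person is behind the keyboard.
INTERACTIVE = {2, 10}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<lt>\d+) Host=(?P<host>\S+)$"
)


def parse_logons(log: str):
    """Yield successful logon events (EventID 4624) as dicts."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("id") == "4624":
            yield {"ts": m.group("ts"), "account": m.group("acct"),
                   "logon_type": int(m.group("lt")), "host": m.group("host")}


def review(log: str):
    """Return (findings, usage): interactive use of shared accounts, which no
    individual can be held accountable for, plus a per-named-admin logon count."""
    findings, usage = [], Counter()
    for ev in parse_logons(log):
        if ev["account"].lower() in SHARED_PRIVILEGED:
            if ev["logon_type"] in INTERACTIVE:
                findings.append(f"{ev['ts']} shared account {ev['account']} used "
                                f"interactively on {ev['host']} (logon type "
                                f"{ev['logon_type']}): no individual accountability")
        else:
            usage[ev["account"]] += 1   # named admin account: attributable
    return findings, usage


if __name__ == "__main__":
    found, use = review(SAMPLE_LOG)
    print("\n".join(found) or "no shared-account interactive logons")
    print(dict(use))
```

Run as-is it reports the two interactive logons by shared accounts and the named-admin tally; the usage counts are the kind of evidence a six-monthly privilege review can work from.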

Here are three tips to take forward:

  • minimise credentials

  • minimise usage where appropriate

  • manage administrator levels of access through account control

Reflect and share: What tools, if any, are you using for privileged access management? Which tools would you want to implement and why? Share below.

This article is from the free online course Cyber Security Foundations: Identity and Access Management.

Created by
FutureLearn - Learning For Life
