Privileged Access Management (Continued)

In this video, you will learn more about privileged access and what tools you can use to manage this.
The backup account, by its very nature, requires access to most of the information within your organisation in order to back that data up. The backup account will have a username and a password. Who knows the username and password for your backup account? How is it managed? This ongoing management becomes problematic for organisations, partly because of staff turnover. If you have five domain administrators and they all know the domain admin password and they all know the backup account password, how do you manage accountability around the backup account? How do you enforce accountability? When we looked at identification, authentication, and authorisation, we discussed this very topic. We need to be able to enforce accountability.
If we have shared credentials, if multiple people know the credentials, and that account is misused, how can we manage that situation? It is very difficult to do. Ideally, we want to minimise the use of those credentials: we do not use them day to day. Instead, we confer permissions on other groups or other users in a way that allows accountability to be enforced. So instead of using the domain administrator account, what we can do is give people, where necessary, the domain administrator level of privilege within their own named account.
So, if we have five administrators, each one of them will have their own named domain administrator account, which means that the use of that account can be monitored and we have a degree of accountability over any transactions. We can also look at separate policies for our privileged accounts. If we have things like password complexity requirements, password histories and account lockout policies, we can set and define different policies for those privileged accounts. This is good practice. For your normal users, maybe 20 incorrect password logins is OK; it depends on your risk posture. For your privileged accounts, perhaps you want to consider a much lower number. With staff turnover, how do we manage those accounts and the passwords?
In small organisations this can be done easily and managed in a relatively straightforward manner. In larger organisations this becomes very complicated: we start to see complexity arising from the large number of posts that may have access to this information. Ideally, we don't use the admin account at all; we use one with equivalent privileges. This helps manage the situation for us. So avoid shared keys where possible, and we need strong processes to govern this. And we need good levels of accounting and reporting to tell us when these accounts are being used, or potentially to identify when they're being misused.
For privileged access management, if we’re going to grant people privileged access, we may want to consider trying to support this through the use of different approaches to the identification process and the credential issuance process. So we may wish to undertake enhanced screening for individuals. Maybe we do better background checks. And this is very common within government and military environments. Even within some commercial environments, now we see criminal records checks becoming standard for large enterprises, especially where financial responsibility is attached. Perhaps we have enhanced policy controls. As we’ve said, we can start to look at requiring increased password changes, more complex requirements, longer password length.
We can also require different levels, different types of factors, and more factors for the privileged accounts, if they’re going to be used. So where we may want a straightforward access paradigm for day to day users, for our privileged users, maybe all transactions are multi-factor authentication.
We can also look at enhanced auditing. We mentioned the use of SIEM systems, but perhaps we keep our logs for longer relating to the use of privileged accounts, and they are reviewed more frequently as well. We may also want more aggressive lifecycle controls. Perhaps each domain administrator, each person with domain administrator privileges, is reviewed on an annual or six-monthly basis. Again, the time varies based on your requirements, but these are all different controls we can try to use to support the increased vigilance that's required around the use and existence of privileged access.
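Two of the controls described in the video, a stricter password and lockout policy scoped only to privileged accounts, and a regular check of which accounts are actually exercising privileged logons, can be implemented in an Active Directory domain with PowerShell. The following is an added example for illustration, not code from the course or from FutureLearn. It assumes the RSAT ActiveDirectory module and a domain at Windows Server 2008 functional level or later (required for fine-grained password policies); the policy name 'PSO-PrivilegedAccounts', the named admin account 'jsmith-admin' and the shared-account list ('Administrator', 'svc-backup') are assumed names, not anything from the course.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory module and a
# domain functional level of Windows Server 2008 or later (needed for PSOs).
# Assumed names: PSO-PrivilegedAccounts, jsmith-admin, svc-backup.
Import-Module ActiveDirectory

# 1. A separate, stricter password and lockout policy for privileged accounts.
#    Normal users may tolerate a high lockout threshold (the video mentions 20);
#    privileged accounts get 3 attempts, a longer minimum length and a deeper
#    history. Precedence: a lower number wins when several PSOs apply to a user.
$PolicyName = 'PSO-PrivilegedAccounts'   # assumed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '42.00:00:00' `
        -LockoutThreshold 3 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs apply to users and global security groups, not to OUs. Scoping the policy
# to Domain Admins means every named admin account picks it up automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects 'Domain Admins'

# Confirm which policy actually wins for one named admin account (assumed name).
Get-ADUserResultantPasswordPolicy -Identity 'jsmith-admin' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# 2. Enhanced auditing: who has been exercising privileged logons?
#    Event 4672 ("Special privileges assigned to new logon") is written on the
#    host where the logon occurs; run this on domain controllers or jump hosts,
#    or feed the CSV into the SIEM for longer retention and review.
function Get-PrivilegedLogonReport {
    param(
        [int]$Days = 7,
        # Shared or built-in accounts whose day-to-day use should be rare;
        # any appearance here is worth a look. Names are assumptions.
        [string[]]$SharedAccounts = @('Administrator', 'svc-backup')
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = $data['SubjectUserName']
            Domain  = $data['SubjectDomainName']
            Shared  = $SharedAccounts -contains $data['SubjectUserName']
        }
    }

    # Drop computer accounts (names ending in $), then summarise per account.
    $rows | Where-Object { $_.Account -notlike '*$' } |
        Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{n = 'Account'; e = { $_.Name } },
                      Count,
                      @{n = 'SharedAccount'; e = { $_.Group[0].Shared } },
                      @{n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
}

Get-PrivilegedLogonReport -Days 7 | Format-Table -AutoSize
Get-PrivilegedLogonReport -Days 30 | Export-Csv -Path .\privileged-logons.csv -NoTypeInformation
```

The report answers the accountability question the video raises: each named admin account shows up under its own name, while any row with SharedAccount set to True is a use of a credential that more than one person may know and should be explained. Two caveats a practitioner would check: event 4672 also fires for service and system logons, which is why computer accounts are filtered out, and a fine-grained password policy only takes effect for accounts that are direct or nested members of the groups it is applied to, so confirm the resultant policy with Get-ADUserResultantPasswordPolicy rather than assuming it from group membership.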

Here are three tips to take forward:

  • minimise credentials

  • minimise usage where appropriate

  • manage administrator levels of access through account control

Reflect and share: What tools, if any, are you using for privileged access management? Which tools would you want to implement and why? Share below.

This article is from the free online

Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life
