Why privileged account security should be a priority

Technical teams, often because of glaring cybersecurity skills gaps, just don’t know what to do about the increasingly aggressive cybercriminal. This is especially the case amid the complexity of new-normal architectures in which visibility of IT assets and identities from the endpoint to the cloud has become a challenge.

But not everyone is taking the cyber-onslaught lying down. In the GCC, enterprises and governments are fighting back with everything they have. But even among the top-ranked cyber-combatants, work still needs to be done to optimise defences against would-be attackers. One way to do this is to look at successful attacks and see what they have in common. In almost every breach event, a privileged account is a major link in the attack chain, so it should follow that the protection of privileged accounts, whether used by humans or machines, should be ‘job number one’ in any lucid security strategy.

Here is a list of the most important privileged accounts to discover:

Domain admin accounts
These have access to every nook and cranny – your digital estate’s crown jewels. Administrator accounts are the keys to the kingdom and organisations should keep them, and the number of employees that have access to them, to a minimum.

Non-human automation accounts
Any account that accesses applications, operating systems, databases, services, network devices, or any other important asset for the purposes of data sharing can result in compromise if one asset in the chain can be used for an authenticated ‘hop’ to others. Hops will continue until higher privileges can be captured. In most cases, shared accounts are unnecessary but convenient. Their persistence, however, can represent a large security hole, so they should always be placed under privileged-access management.

Management solutions
Any tool used to manage, monitor, configure or automate the environment should not use shared accounts. In keeping user access to these solutions on a one-to-one basis, organisations block a significant attack vector. All administrator accounts used to oversee and maintain applications, networks, and other software-based assets should be placed under access management, whether the admin work occurs on premises or in the cloud, and whether it is performed by employees, contractors, vendors or auditors.

Service accounts
Services are the backbone of Windows setups and the accounts that run them often have credentials that can be repurposed to compromise the OS or an application, even though they cannot log in locally. Service accounts can be shared across multiple assets. PAM solutions will synchronise changes to ensure the efficient restart of services, so identifying locations for service accounts and linking shared ones together is vital during the asset-discovery phase.

Cloud accounts
These accounts are mainly responsible for creating runtime instances of assets, and so they should be registered in an inventory, given the complexity of modern environments. It is vital to manage their credentials in the context of determining when they are overprovisioned, out of use, or have a history of misuse.

Specialty accounts
Specialty accounts traditionally lack strong password practices and are commonly shared. One best practice is to enforce unique, strong passwords on all such accounts. Password management solutions are typically incapable of tracing a network path to remote hosts to manage specialty credentials, which presents a challenge. However, PAM agents and their unique discovery functions can overcome these problems.

Accounts with embedded credentials
Scripts, config files, or compiled code can all embed identities, especially in the DevOps age of automated, agile development. But developers are less able to predict the attributes of modern runtime environments, so onboarding these credentials for appropriate management is crucial. Code may need to be redesigned and recompiled. PAM solutions can discover and replace embedded identities
with API calls or dynamic credentials.

Michael Byrnes is the director – solutions engineering, iMEA, BeyondTrust

Read: Are organisations prepared for new cybersecurity risks?