3 Strategic Decisions that Power Your Privileged Account Access Approach

By Yanni Shainsky • July 6, 2017

With cyberattack headlines in the news each week, it’s more important than ever to do everything possible to safeguard your systems and data. One way to accomplish this to prevent the theft of highly privileged credentials. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.

How do you improve your privileged account management?

This blog is the first in a series of three articles where we walk you through decisions you need to make to power your strategy, conversations you should have to create stakeholder buy-in, and resources you require to launch your privileged access initiative. Let’s start by discussing the core decisions your organization needs to make at the outset of the process.

  1. What should you do and when? You need to prioritize what accounts require better protection and be aware of when to make changes. A focus on privileged accounts must be done within the context of your overall security strategy and weighed against other goals. Be aware that if privileged credentials are not properly secured, other controls meant to protect the infrastructure could be rendered ineffective.
    • Conduct an initial “baseline” discovery of privileged accounts. Before beginning privileged account management (PAM) deployment, perform an initial discovery of the privileged accounts in your environment. Using a tool such as “DNA” from CyberArk can give you valuable insight into the types of accounts that exist at your organization. Having a good baseline report will help you create a phased approach to securing the privileged accounts.
    • Evaluate risks and prioritize implementation. Determining order of priority requires identifying which accounts represent the biggest risks. Focus on accounts that provide elevated access to the organization’s most critical systems and build your PAM plans from there. Engage the compliance department early, to understand the requirements behind reporting and various security controls.
    • Plan the timing and rollout of your PAM project. Once you’ve conducted a discovery, you may be in for a surprise as to just how many privileged accounts you have. Given the scope and reach of the project, it will make sense to adopt a phased approach. Deploy at least a limited proof-of-concept demo to help you identify any immediate limitation in the vendor’s platform that may require custom development for your organization. We’ll be discussing how to plan your rollout in further detail in the third blog in this series – so stay tuned for that valuable information.
  1. What’s the best mix of controls? There are many options for how to proceed. The right approach for your organization requires intelligently deploying the most effective controls for each privileged account access use case.
    • Take a layered approach. Reducing the risks around privileged accounts requires a layering of preventive and detective controls. Preventive controls can help stop the unauthorized activity. Detective controls can help to discover it when it occurs, either maliciously or by mistake before any significant damage occurs and/or provide an audit trail and accountability.
    • Use detective controls to avoid over-limiting access. The use of detective controls can often help in achieving the balance between enabling and restricting access. Rather than putting in place preventive controls that may be overly restrictive, in some cases, a better approach would be less restrictive access that is carefully monitored for any violations. Detective controls are especially important in cases where increasing restrictions is simply not feasible.
    • Secure credentials used by applications and scripts. Credentials used by applications and scripts often need better security controls. If possible, applications should meet the following requirements:
      • The credentials for the account should be stored securely.
      • The account password or SSH key should be changed regularly.
      • The application should be designed using the principle of least privilege.
    • Use compensating controls for embedded credentials. For applications that cannot be refactored right away, compensating controls might be appropriate such as:
      • Configure the account to be non-interactive and unusable for logging on.
      • Increase monitoring on the accounts.
      • Use analytics to detect possible misuse of an application’s account.
  1. How much is enough? Controls should provide better security without encumbering business processes.
    • Make sure you select a PAM solution that will scale with our business. Pick a vendor that can scale with your organization. A PAM solution may become the cornerstone of your company’s security posture, eventually requiring all IT personnel to engage with it. A great PAM solution will have SDK (Software Development Kits) and APIs (Application Program Interfaces) so that you can extend your investment into the platform to meet the complex requirements of tomorrow.
    • Seek a win-win situation. Security and usability need not always be in conflict. Unlike many other types of security controls, better processes and technologies for privileged access management can offer the business improved productivity and user satisfaction.

In our next blog, we’ll cover the four pivotal conversations you need to have with your stakeholders to help your project succeed.

If you’d like assistance launching a PAM project to help secure your enterprise, contact us. We’ve got the experience and expertise to help build you a solution to meet your privileged account access needs. Contact CyberSheath today! 

 

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.