Mike Winslow, IAM Consultant, SecureITsource, Inc.
Privileged accounts are often referred to as the keys to a company’s digital kingdom. Yet many of the people responsible for protecting the kingdom tend to ignore or overlook the proper safeguarding of these critical assets. Frequently it’s due to over utilized resources that just can’t keep up with the demands of password management. Other times it’s a lack of training or awareness of the need to protect them. For some it isn’t a matter of resources or training, but a desire to make their daily administration duties easier. Or it’s simply a lack of priority. Default or easy to remember passwords save time when an admin needs to quickly logon and troubleshoot a system problem. They feel it’s inconvenient to logon and look it up in a vault or password safe, let alone the time and effort required to install, deploy, and maintain such a system.
Of course when it comes to passwords, we aren’t talking about one or two additional accounts that the system administrator needs to manage. According to Udi Mokady, CEO of CyberArk, in many larger organizations there are three to four times as many privileged accounts as there are users. This is because privileged passwords are required to authenticate local administrator accounts, service accounts, and application to application connections. System admins are the major users of privileged accounts but depending on what the account is used for, it’s possible that every employee in the company has access to at least one privileged account. And each one is a potential entry point into the corporate kingdom.
A recent addition to these traditional entry points is the Internet of Things. The 2016 cyber-attack of DNS provider Dyn used a botnet of devices on the IoT to create a DDoS attack that made major internet platforms and services unavailable throughout the day. This attack showed that previously ignored devices such as printers, IP cameras, and other web enabled products also have the potential to disrupt daily production in the corporate world. Default passwords on these network and web enabled devices must also be managed and have been added to the oversight of system administrators. They no longer have a choice when it comes to privileged account password management. Because of what is at risk, one way or another, all of them must be managed. So how does an overwhelmed, untrained, or technically challenged system administrator protect the keys to the company’s digital kingdom?
First, forget about trying to manually protect and manage all of your passwords. Unless your firm is so small that you only have 5 privileged accounts, the task of manually managing hundreds of passwords will not only be tedious but a massive drain on your already scarce resources. Finding and implementing an automatic process for password management is the only solution to consider. Of course making the decision that you need to find a solution is the easy part. With so many options available, finding a solution to fit your environment is going to take some study, planning, and work. So where do you start?
First you need to take a detailed look at your environment.
- Do you have an idea of how many accounts you have?
- Do they all need to be managed?
- Who uses the accounts? Who owns the accounts?
- Can any of the accounts you currently have be eliminated?
- How is access granted or removed?
- What kind of control or auditing is required on the use of the accounts?
- Are there any industry or governmental regulations to take into consideration?
- What kind of budget do you have for password management
- What are your current privileged account password policies?
- Are there any time constraints that will determine the implementation time frame?
- What tasks do you want a privileged account password management system to perform?
This initial discovery phase could take a couple of days or weeks if you have a small company. The larger the company, the longer it will take. Not only because the amount of data to uncover is greater but there is also more bureaucracy involved in the decision making process.
One tool that will help in your discovery process is CyberArk’s free risk assessment discovery and audit tool called DNA™. This tool will scan your network and discover privileged accounts, assess privileged account security risks, identify accounts with local administrator access, and find embedded and hard-coded credentials stored within applications. If you don’t know where all your privileged accounts exist, this tool can make your life easier and uncover things you may have missed while doing a manual review of your system.
Once you’ve gathered all this data you need to organize it and make a list of what your requirements are for a privileged account management system. What tasks do you want it to automate and monitor? Are there any additional processes that you will need to create in order to support the system?
In the following list I have taken different types of actions a Privileged Access Management system performs and added in some best practices for managing passwords and privileged accounts that you should consider implementing in your environment if you haven’t already done so.
- Provisioning and life cycle management
- Inventory and reduce the number of privileged accounts you have
- Prohibit standard user accounts from having privileged access
- Have a well-defined policy and process for on- and off-boarding employee privileged access
- Automatically disable inactive privileged accounts.
- If possible use one-time passwords that change each time they are used.
- Use multifactor authentication for all administrative access.
- Disable interactive (human) login for service accounts.
- Use a request workflow for credential access approval such as dual-controls and helpdesk ticketing systems.
- Password management
- Eliminate the practice of having accounts with non-expiring passwords.
- Automatically change privileged account passwords on a 30, 60, or 90 day cycle. The more often you can rotate them the more secure they will be.
- Use randomly generated passwords containing at least three, if not all four, of the following: upper case, lower case, numbers, and special characters. Remember that the longer the password, the time needed to hack it grows exponentially. Many admins still use 8 character passwords with 3 of the 4 complexity requirements. With today’s super computers, 8 digit passwords can be cracked within minutes. If you are having a system automatically rotate passwords why not increase the minimum to 12 digits and require all 4 complexity requirements? Some types of account passwords can’t use special characters. That’s ok. The length of the password is more important than the complexity.
- Use an automatic system to verify and reconcile passwords for all accounts on a regular basis.
- Modify hard-coded or embedded passwords for scripts and service accounts on a regular basis. An automated system will remove human error and reduce the burden on administrators that currently use a manual process while increasing the level of security.
- Password vault
- Store passwords securely with encryption on a hardened server that has limited access or open ports.
- All actions using shared administrative accounts should be able to be attributed to a specific user.
- Audit all administrative privileged functions and monitor for unusual or suspect behavior.
- Proactive detection of malicious behavior.
- Access controls
- Create controls that limit what a user can do on a system while connected with a privileged account.
- Implement the principle of least privilege. Don’t allow a user or account total access unless it is needed.
- Session recording
- Especially important for key assets or devices accessed by third parties. If possible implement it for all privileged access.
- Session isolation
- Use a system that will allow a user to directly connect to a target system without displaying the password.
- Create a gateway to eliminate direct privileged access to sensitive assets.
You did your research, came up with a plan, and implemented a solution that meets all of your requirements. You’ve put all of your accounts into the new management system and implemented all of the new processes and controls. It has not been an easy process and there were many roadblocks and unforeseen obstacles that had to be overcome. At one point you thought this day would never come. But it has and you just finished reporting to upper management, showing them all the wonderful things it does to protect the company from attack and received their signoff. They like what they’ve seen and immediately go out and announce to everyone in the company that the digital kingdom is now secure. You sit back and relax in the knowledge that your new password management system is taking care of everything. And this is where too many system admins and companies lose the battle. What you don’t want to do is let your guard down. No matter how impenetrable of a system you have created, you can’t eliminate human error. Things will go wrong and people will make mistakes. If you have properly implemented the best practices described above you will catch these mistakes and can make corrections before anything bad happens or gets out of control. And don’t forget. The bad guys are always hurling rocks at your wall. If you lower your shield for even a minute you just may catch a rock to the head. Vigilance is the key to victory.
SecureITsource is an authorized reseller and professional services partner with the industry’s leading Identity & Access Management solution providers. Our team of experienced consultants help our clients to achieve their IAM goals by providing strategy, design, and engineering expertise.
Visit our website at www.secureitsource.com