Best Practices In Privileged Identity Management – Part Two

This is the second in a weekly four-part series providing practical insight on how to best implement an effective Privileged Identity Management program.

[su_dropcap style=”simple”]I[/su_dropcap]n the first post of this series, we provided an introductory overview of Privileged Identity Management. This week we’ll explore the basic requirements for Privileged Identity Management. Future posts will focus on proactive planning and advanced cyber defense.

The term Privileged Identity Management now seems to cover a broad spectrum of capabilities and products – from advanced cyber defense solutions to routine IT administration tools. But in its most basic form, there are several factors that even the simplest Privileged Identity Management project should encompass. We’ll look at four of them here.

Download the white paper Best Practices in Privileged Identity Management to get your complete guide to securing privileged identities.

A Vault to Provide Safe Storage for Privileged Identities

It’s easy to see why this is the first thing on the list. You want to get the privilege out of the hands of people and under the control of your systems. No one should need the god-like administrator account all day, every day. Last we checked, those powers were not required to read email or surf the web. No one needs to know that elevated account password every moment, either.

What you do need is something that stores the privileged identities securely, and has mobile friendly check out and check in. It should also be able to automatically manage credentials when the user forgets to check passwords in on their own.

It’s important to realize that this is a start, not an end. Simply putting the privileged identities under management doesn’t complete the Privileged Identity Management goal. Simply storing static administrator passwords creates its own security problems.

Rotate the Privileged Passwords on a Schedule

Now that you put the privileged identities in the hands of the system, it’s time to leverage the full power of that system to make your infrastructure as secure as possible. The best way to do this is to rotate every one of these credentials as often as possible.

The world of IT is littered with stories about spreadsheets shared by IT admins containing passwords that didn’t change for years for fear of causing an outage. IT can hardly be blamed since they’re measured on uptime, not security.

With a competent Privileged Identity Management system, they can continuously randomize their passwords to keep the bad guys guessing. The attacker that’s just landed on the laptop of the person silly enough to open his malware infected email needs to grab privileged accounts to do real harm. He’s going to sit there and collect as many of these keys to the kingdom as he can. The same thing goes for the insider who planned to log back in after they were fired with a password they knew was never changed.

Once you start your best practice of rotating these passwords, both attackers and insider threats are out of luck. Rotation and randomization needs to be done as aggressively as possible. The right question to ask here is not “how often should I rotate,” but rather “what’s the shortest time I will be forced to leave anything in place?”

Manage Service Accounts to Avoid Stale Credentials

One of the worst offenders in bad password policies are the accounts running the most critical applications. Service accounts, database accounts, and other credentials embedded in applications are often left untouched because of that habit of measuring IT primarily on uptime.

Many think this practice is OK since, in theory, no human should know these passwords. But, as Einstein said, “In theory, theory and practice are the same, but in practice they seldom are.” IT veterans know humans do get their hands on these passwords, so they need just as much attention as any other privileged account.

These special accounts also need a different approach. Simply changing these passwords without attention to the services in which they’re embedded or the applications they run would be potentially disastrous.

The advice here is an extension of the advice above – rotate aggressively. The difference is that your approach must take the complex ways passwords get embedded into applications. You need to demand that services can use accounts that are being protected with rotation, that this rotation does not interfere with the operations of the service, and that at no time does this mean the credentials are exposed.

Furnish Reporting Mechanisms to Satisfy Auditors

The true goal of Privileged Identity Management is strong cyber defense behind the firewall. Good security will always be more than just maintaining regulatory compliance. Of course, good security will also produce a lot of information the auditors want, and it makes sense to have that information easily available for auditing.

However, it’s easy to allow regulatory pressure to run away with your Privileged Identity Management efforts. Demands for always changing reports can soak up a project’s time and make you lose sight of the real security goals.

The recommendation is to make sure that your Privileged Identity Management system has adequate out-of-the-box reports, but also allows for extensive data mining of the information it contains. This strikes the right balance between audit and security needs. By giving you an open platform to query the data, auditors can apply whatever tool they use for reporting in a larger scope to get all the varied reports that they need.