Four Best and Efficient Practices for Managing Privileged AccountsAnirban Banerjee
Large business organization have managed their privileged accounts (administrator accounts), and many others embedded accounts by using only one system to communicate with each other with different level of access (editing, updating, reading etc.), and the required system is achieved from IT infrastructure.
A number of practices are available to CTO, CIO, CISO, etc. to defend organizations from cyber-attacks. While this article cannot be completely exhaustive of the subject (entire books would be required), in the following paragraphs, in a not specific order, will be presented four best security practices allowing passing privileged access to people in your organization.
Avoid hard coded passwords
We intend here for hard coded all the passwords that are “forgotten” in applications and scripts. Applications can be custom applications and mobile apps for your organization, Internet browsers, or scripts. Avoid hard coded passwords probably means a need for a mindset change in your staff, since they have to face an unwanted variation in their everyday working behavior to change something that “already works” in something secure. Moreover, there are systems that remove password, SSH keys, etc. automatically from applications and scripts with no impact on performance.
Monitor and audit
Real time monitoring of privileged user accesses, recording all transactions, including for the purpose of a forensic dispute, is a mandatory feature to implement in big organizations. In addition to tracing privileged user’s actions, the system must provide features to permit acting properly, basing on that information. By analyzing data, algorithms must compare the user’s actions with an internal action’s database and check whether there are “code of conduct” and other violations. However, the new system should have to take immediate precautions with defensive action’s behavior, and send exhaustive, specific warnings addressed to incident response teams when encountering suspicious behavior. There are a number of promising parameters whose values can be monitored, and a number of different response events “triggered” when the other values gets out of a certain range, becoming “suspicious”. Among them, our system can monitor timings of user actions, action sequences, etc.
Password reset policy
Privileged accounts passwords should be changed daily or on a weekly basis. That way, passwords reached illegally outside the organization cannot grow.
The staff needs to be prepared for security. This is even truer when they have to face a change in their daily routine, as we said above. In addition, education should be for all. From administrators, to employers, to end users. Everyone should know how to manage their privileged credentials.
In order to pass an audit there are certain practices that you and your organization should adhere to and put in place to ensure you meet the audit requirements.
- Ensure that you allow different accounts, including privileged accounts on your system to be accessible. Permissions and security controls are a major source of non-conformances, so allow auditors to be able to discover privileged accounts; only if they’re discovered can they be removed or managed, therefore discovery is critical to show the auditor that you have a handle of privileged accounts and are thus able to manage them in order to perform a task – this process of delegation is also known as least privilege.
- Privileged accounts can be located in many environments within your company’s management system, including in domain as well as administrative groups, control accounts access and in providing encryption, so ensure that they’re readily accessible. Failure to manage such accounts and user privileges may result in; misuse of privileges, the likelihood of the system’s security being compromised and changes in security control data. Risk is a key element to passing privileged account audits that needs to be limited.
- Security is key; put appropriate security measures in place such as the changing of passwords. Change and/or rotate company passwords or codes on a regular basis as frequently as possible to reduce the likelihood of there being a security leak, possibly resulting in confidential information being leaked outside your company.
- Have a strong password authentication policy. Safeguard privileged accounts by using soft certificates, OTP, high complexity passwords and other methods to make sure your company’s privileged accounts are kept confidential.
- Shun the usage of embedded passwords as well as hard-coded passwords each time. When certain IT systems are created, developers tend to embed hard-coded passwords into the web pages which they often forget to remove. This is a poor practice which may result in improper control and management of such accounts.
- Keep your inventory of privileged accounts updated to ensure that your business activities are logged, can be analyzed and so that any potential issues can be addressed.
The appropriate training should be conducted to those in charge of administrative duties. Regular training and refresher training of system usage should be provided to system users, to ensure the credentials of privileged accounts are managed in the correct manner.
In this article I am also going to describe the four essential and best practices which will ensure that you pass your privilege management audits 99% of the time:
1. Limited Number of Personal and Shared Privileged Accounts
It is one of the flexible and efficient practices for managing your company privileged accounts. Try to minimize the number of shared privileged account (means an account which is used by different employee of organization or a company) as well as try to minimize the number of personal.
2.Privileged Accounts Security
Never share and stored the privileged account passwords as a plain text file and periodically randomized them. Always synchronize password with the back-end systems and the programs (front-end systems) that need to use them. It is to note that all gaining access or approving to a privileged account is authenticated by IT staff, upon prior to requesting.
Make a list of some rules for passing privileged efficiently without any risk and lose of company. The rules should be:
- For managing the different users of shared accounts established different process and controls.
- Restores and observe all the Privileged Accounts Activity
- For managing personal privileged accounts make the use of Appropriate Risk Authentication Methods
- The time-Limit for each of the Privileged Account should be restricted
- Use an encrypted format for all the sensitive data, and for all the stored passwords of different privilege accounts.
4. The Privileged Access Management System Should Be Protected and Secure
It is necessary to protect the privilege management system against any type of disclosure. Install the system on secure platform having limited number of services using. Keep the encryption key in complex form which is difficult to disclose.
Privileged accounts security is becoming increasingly important, and requires sophisticated solutions, and audits are ever more rigid. For this reason, numerous companies are born out there to provide their solutions. You should consider whether your organization can adopt one of these, often highly customizable, for their own security.
Also published on Medium.