10 Features Every Privileged Account Management Solution Should HaveOliver Bock
As the wave after wave of cyber-attacks continues to hit the news, it´s becoming apparent that we are no longer living in a time when tales of espionage and data breaches are reserved for government agencies and action flicks. Exposed both to hackers on the outside and their own employees on the inside, every business, no matter which sector are they in, are at great risk of having a data breach.
Since all businesses have large amounts of data, from intellectual property to classified customer information, it is needless to say that exposing those records can result in a great financial loss. A recent study conducted by Ponemon Institute has shown that the average cost per each stolen record increased from $154 in 2015 to $158 in 2016. By looking at previous reports conducted by Ponemon, it is obvious that the cost of data breach doesn’t fluctuate – at least significantly. From a business perspective, this finding suggests that the cost associated with data breaches is here to stay and businesses need to be prepared to deal with and incorporate in their data protection efforts.
When Edward Snowden started blowing his whistle, the world has been shocked by the sheer scope and depth of NSA´s surveillance programs. But, that is not everything that Snowden exposed – he revealed a major weakness in our business infrastructure: the risk from privileged users.
As number of data breaches caused by insiders or stolen user credentials continues to grow, so does the need to control access to privileged accounts.
With Great Power Comes Great Responsibility
It takes only one breach to cause irreparable financial and reputation damage. Compromised security credentials have been used as a primary attack vector in several large-scale data breaches. Privileged accounts have become a “must have” for attackers that want to gain access and move around breached networks and the need to control these accounts is more important than ever. Additionally, the clear threat from insiders and compromised privileged accounts has resulted in regulatory bodies and auditors to focus their attention onto controlling what organizations do to mitigate that threat. Cloud-based IT infrastructure makes things even harder for organizations. While virtual and cloud-based solutions come with a wide set of benefits, the dynamic nature of resources deployed in such environments and powerful APIs significantly expand the attack surface for hackers and insiders.
It´s a fact. The keys for your kingdom are no longer in your pocket. They are scattered all over your kingdom, unsecured, shared among your employees and often completely unmonitored. In order to ensure they do not fall into the wrong hands, you need to keep an eye on them at all times. You need Privileged Access Management (PAM). However, with so many different solutions available on the market, and primary drivers ranging from regulatory compliance and data theft to insider breaches and employee mistakes, picking the right one can be a time consuming process. This is why we decided to dedicate this blog post to explaining which features every Privileged Account Management solution should have in order to prove its worth.
Privileged Account Management Solution
Those features of a good Privileged Account Management Solution are:
All PAM solutions should be able to prevent privileged users from knowing the actual passwords to critical systems and resources. This way, any attempt of a manual override on a physical device can be prevented. Instead of giving passwords to privileged users, the Privileged Account Management solution needs to keep all such passwords in a secure vault.
Privileged account life cycle management
Having the ability to manage the life cycle of privileged accounts, you can easily handle access permissions of a personal user to shared privileged accounts based on roles and policies. This enables businesses to easily define a fixed number of parameters that control administrative access, as well as to limit access to specific functions and resources.
Privileged password management
Having a privileged password management feature, your PAM solution will allow you to automate and control the whole process of giving access and passwords to privileged accounts. These highly critical and sensitive credentials are given only if the previously established policy is followed and when all required approvals are met. Privileged access manager keeps track of all activity on privileged accounts and ensures that passwords are changed immediately after return.
Workflow approval and emergency access
All PAM solution should enable you to configure your access controls and approval workflows for a “break glass” scenario. When an all-out emergency scenario occurs, a user should be able to put a flag on the system to indicate that no approval is required for any checkout. Needless to say, all such requests have to be approved automatically but still audited, and users must pre-define who can request such access, who is responsible for approving it and on which systems.
As we mentioned above, controlling access is not enough and businesses need to know everything that a privileged user did during their administrative session. Because of this, a PAM solution needs to be able to establish sessions for each and every privileged user.
Privileged session recording and playback
PAM solution should be able to record all privileged sessions, both command-line and video, in a searchable and comprehensive way. This way, security and IT governance teams can quickly show their full compliance with regulations for SOC2, SOX, PCI DSS 3.2, HIPAA, NERC CIP, ISO 27001 and more.
Real-time visibility and alerting
When a threat has been detected, preventative actions should be taken immediately. An effective Privileged Account Management solution should enable IT security to quickly address any deviations in account usage and quickly create alerts. In order to do this, IT security should have the ability to access all incident information instantly, for instance via an RST API.
Auditing and reporting
Identities should be consolidated by creating a unified identity across all operating systems and environments, on premise and cloud to simplify the governance, risk and compliance processes. By providing risk-based scorecards that show who has how much access and to which resources, an effective PAM solution can save hours for GRC and IT teams when gathering audit and compliance information.
Live session monitoring
With this feature, IT teams are capable of viewing all sessions in real time. Having a PAM that gives you a real-time view of all privileged sessions, you can quickly terminate all suspicious or unauthorized sessions.
Forensic investigation capability
After the incident has occurred, a forensic investigation will require you to provide the complete picture. Only few Privileged Account Managemet solutions are able to give you a 360° view of when the privileged account password was checked out and by whom, as well as all the actions that were taken by that account.
As the number and scale of data breaches continues to grow, there are more and more occurrences of data breach happening due to exposed privileged user credentials. Armed with these credentials, attackers can not only move through your network undetected but also gain access to more sensitive customer data and intellectual property.
With the right PAM solution in place, you can rest assured that all your mission-critical infrastructure is protected. What´s more, it will empower you with powerful controls that will allow you to enforce access controls even on native “super user” accounts, improve your security and ensure that audit and compliance requirements are met.
Also published on Medium.