No matter what risks a federal government agency is facing, you can draw a threat vector from that risk to a privileged account. Privileged accounts are the backbone of any operating agency, so it’s vital that these accounts are protected from internal misuse, as well as bad actors who would use them for nefarious purposes. In order to get your privileged accounts under control, consider implementing these 12 Privileged Access Management best practices.
1. Assess privileged accounts based on risk
It takes time and effort to fully assess the privileged accounts within a federal agency. However, it’s the key to identifying which accounts are simply user accounts versus privileged accounts. The old way of thinking about this is that a user just uses a system, while a privileged user changes a system. However, consider the impact the social media account holder may have on your agency. Are they a user of social media, or do they change the back-end database? What are an agency’s riskiest processes, and what are the accounts used in that process? Who has access to them? How do you rank those privileged accounts according to risk? Often, agencies will overlook this because they just want to simply tick the box. However, organizations that assess their privileged accounts based on risk have a better understanding of their potential vulnerabilities.
2. Eliminate orphaned accounts
Orphaned accounts lack ownership and are valuable targets for bad actors. Orphaned accounts with privileges hand bad actors the keys to the kingdom. In your assessment of privileged accounts, all identities should be accounted for within your environment. When you find accounts that you’re not responsible for and you can’t figure out where they came from or who oversees them, take steps to put them under governance and assign an owner, or eliminate them.
3. Make users accountable for their credentials
Shared credentials are a huge risk, especially for privileged accounts. Preventing users from sharing their credentials isn’t possible. However, implementing a Privileged Access Management process to assign individual accountability for credential use helps reduce that risk. Additionally, emphasizing that all team members are accountable for actions associated with their identity can further reduce the risk of credential sharing.
4. Determine what identities should be allowed access against which privileged systems
There is typically an underlying process that grants certain users privileged access. Any federal agency will have to be thoughtful about the permissions granted to users and keep their roles in mind. Keeping an identity management system up to date should make it easy to help manage which users should have access to privileged systems, especially if the identity management system easily integrates with a Privileged Access Management solution. This should allow admins to quickly and simply add and remove access levels to identities within your environment.
5. Implement the principle of least privilege and just-in-time elevation for privileged accounts
Across your environment, the principle of least privilege should be implemented for every identity: Every user should only have access to what they need to do their jobs and nothing more. That principle is even more important when it comes to privileged accounts. For users who need temporary elevated access, they can follow a set of guidelines to get “just-in-time” elevation of privileges. With a Privileged Access Management system integrated with an identity management system, users with correct access levels can temporarily “check out” elevated access to privileged systems. Once they’ve completed their task, their credentials can be changed so that their access is revoked.
6. Separation of duties
Beyond implementing the principle of least privilege, a separation of duties is key for every identity that needs access to privileged systems. The credentials that someone uses for daily activities should not be the same credentials used for accessing highly privileged sessions. Preventing this requires defining roles and tasks across an environment so that users have separate credentials across account types.
7. Implement Multi-Factor Authentication
A key tenant of Zero Trust is “never trust, always verify.” While privileged session users will often check out a set of credentials, it’s always wise to verify that they are who they say they are with a second set of authentications. Multi-Factor Authentication provides that second check of a user’s identity before granting them access to sensitive data.
8. Continuously monitor anomalous behavior on privileged accounts
Session recording helps security teams monitor activity across hundreds or thousands of privileged sessions. Though it’s possible to sit and review hours and hours of recordings, some Privileged Access Management solutions are able to analyze the footage and establish a baseline of what user behavior should look like. Any action that occurs outside that baseline sends an alert to security teams and offers an easy way to prioritize and monitor unusual actions.
9. Educate team members
People tend to follow processes they understand and know the benefits as well as consequences if those processes aren’t followed. Earning buy-in from users is a critical factor in the overall success of any Privileged Access Management program. Invest in getting that buy-in, because maintaining security won’t happen if the users don’t care and don’t understand why those measures are necessary. Beyond that, training, user guides, videos and other resources make enabling teams to follow Privileged Access Management processes much easier. Without that training, team members will take the path of least resistance to figure out how to access what they need, which is a huge risk. By providing training, getting buy-in and allowing team members to take an active role, you help mitigate potential risks.
10. Keep documentation maintained and updated
Documentation on Privileged Access Management technical and training procedures is key to helping prove compliance. Rather than hastily gathering disparate documentation, an up-to-date resource of all practices, policies and guidelines makes it easy to hand off necessary information to an auditor.
11. Engage with executive sponsorship
Executive sponsorship will go a long way in the success of a Privileged Access Management implementation, as well as provide long-term resources for maintenance. When engaging with executive sponsors, it’s helpful to be able to explain why you want Privileged Access Management, why it’s necessary and how you will measure the success of a Privileged Access Management program. Though an organization’s overall security posture will evolve, it’s essential to have ongoing support for a successful and ongoing Privileged Access Management program. Support from above and understanding helps get people assigned to projects, enables implementations and makes ongoing maintenance run smoothly for a Privileged Access Management program.
12. Periodic reviews
Conduct periodic reviews of Privileged Access Management programs to ensure that they are working as expected. This review period also allows federal agencies to decide if their Privileged Access Management solutions are optimized to best support users and see if any new functionalities should be added to the program. As agencies grow and change, your Privileged Access Management program should be able to grow and change along with it.
Privileged accounts are one of the most important things for organizations to protect. Without a comprehensive Privileged Access Management program, the risk of misuse from internal or external bad actors is significantly increased. Implementing these Privileged Access Management best practices sets organizations on the right track to fully manage their privileged accounts.