How to Protect Your Privileged Accounts (And Why You Need To)

Before we explore how to protect your privileged accounts, we need to understand the evolution of enterprise IT environments. 

Previously, traditional identity and access management built its foundation on Active Directory. Active Directory worked well with the Microsoft operating system and could manage an entire enterprise's identities. Unfortunately, Active Directory doesn't meet the identity management requirements of modern IT environments.

For example, Active Directory may struggle to manage different operating systems and new devices; both become especially relevant with the advent of bring-your-own-device (BYOD) cultures in American businesses.

Additionally, the rise in cloud adoption and digital transformation brings with it a need for tighter identity management controls; since your users can now access almost anything from any device and anywhere, you need to maintain greater visibility over their activities. Moreover, most traditional identity management tools only focus on on-premises devices and environments.

Thankfully, protecting your privileged accounts can often solve these problems. In fact, through next-generation privileged access management (PAM), you can seriously mitigate and prevent future data breaches. Here’s how: 

How to Protect Your Privileged Accounts (And Why)

Follow the Principle of Least Privilege

The Principle of Least Privilege states that users should only possess the privileges they need to perform their job duties. Indeed, the idea of special privileges or legacy permissions is anathema to the Principle of Least Privilege. Instead, you need to cut or curtail permissions as much as possible.

The more privileges your users possess, the more danger each privileged account poses overall. For example, imagine if your HR head could access your financial records. Practically, this user does not need these records; thus these permissions only constitute a vulnerability. Hackers could easily commandeer the credentials and therefore access the financial records. Alternatively, your users could turn malicious or negligent and damage your workflows directly.

Trust alone can’t protect your privileged accounts or the databases they can access. However, you can protect them through other capabilities found in privileged access management: 

  • Governing User Permissions. You can achieve this either directly through privileged access management or through integration with Identity Governance. Regardless, you need to gain visibility on your users’ permissions and remove whatever proves unnecessary. 
  • Enact Session Management and Active Monitoring. These capabilities enable you to keep a close eye on the behaviors and activities of your privileged users; so long as they remain logged in, you can monitor them and make sure they follow previously established behavioral baselines.
  • Ensuring Limited Temporary Permissions. So many privileged accounts become bloated due to temporary permissions never being revoked after the project’s end. Don’t let that happen in your IT environment.

Practice Discovery of Privileged Accounts       

In the “2018 Global State of Privileged Access Management (PAM) Risk & Compliance” report, Thycotic discovered serious issues. For example, they learned that 70% of enterprises fail to discover all of the privileged access accounts in their networks. Meanwhile, 40% never look for their accounts. 

No one can overstate the dangers posed by undiscovered accounts in your IT environment. Unseen privileged users can wreak havoc as hackers subvert them or users enact insider threats. Additionally, poor offboarding can result in accounts lingering after their user leaves your enterprise. Called "orphaned accounts," these can completely change your enterprise's workflows and business processes with no monitoring whatsoever. As your enterprise scales with the cloud, these become much more difficult to detect manually.

Thankfully, privileged access management can discover and close orphaned accounts in your network; indeed, it can help you discover all of the privileged users connecting to your network, increasing visibility. Also, PAM solutions can automate and facilitate the offboarding process, which actually prevents orphaned accounts from appearing.  

You can’t protect what you can’t see. Let privileged access management open your eyes. 

Beware the Machines!

Put in a less science-fiction and panicky manner, you need to enforce privileged access management on your non-human identities. As more devices connect to your environment, and as that environment transitions to the cloud, non-human identities become increasingly prevalent; with this comes more complications to your data movements and permissions. Applications on cloud environments can often access data without necessarily alerting your security team. Some authentication protocols use endpoint devices as a secondary factor, even though they also store data.

In other words, non-human identities embody the decentralized nature of modern networks and thus modern cybersecurity. So to combat this issue you need the centralization that comes with next-generation privileged access management; it can also enforce its capabilities on applications, devices, and other non-human identities. For example, it can establish behavioral baselines for each device and create alerts when the device begins to deviate from them.
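The behavioral baseline the paragraph describes is, at its simplest, a per-device mean and spread of some activity count with an alert when a new observation lands far outside it. The following is an added example, not the article's or any vendor's code; the device names and daily request counts are constructed sample data, and the z-score threshold and the "unknown device" handling are design choices of the example rather than anything the page prescribes.

```python
"""Per-device behavioral baseline over a constructed history of daily request
counts, with a deviation check for new observations. Sample data only."""
from statistics import mean, pstdev

# Constructed sample data: device id -> daily request counts for the baseline window.
HISTORY = {
    "sensor-01": [100, 104, 98, 102, 101, 99, 103],
    "printer-07": [20, 22, 19, 21, 20, 23, 18],
}


def build_baseline(history, min_days=5):
    """Return {device: (mean, population stdev)} for devices with enough history."""
    baseline = {}
    for device, counts in history.items():
        if len(counts) < min_days:
            continue  # too little history to call anything "normal" yet
        baseline[device] = (mean(counts), pstdev(counts))
    return baseline


def check(baseline, device, count, z_threshold=3.0, sigma_floor=1.0):
    """Classify one new daily count for a device against its baseline.

    Returns ("unknown-device", None) for a non-human identity never seen before,
    which is itself worth an alert since it was never discovered or baselined.
    """
    if device not in baseline:
        return ("unknown-device", None)
    mu, sigma = baseline[device]
    # A very steady device has sigma near zero; floor it so a one-request
    # blip does not become an enormous z-score.
    sigma = max(sigma, sigma_floor)
    z = (count - mu) / sigma
    verdict = "deviation" if abs(z) > z_threshold else "normal"
    return (verdict, round(z, 2))


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for device, count in [("sensor-01", 130), ("sensor-01", 103),
                          ("printer-07", 21), ("camera-03", 5)]:
        print(device, count, check(baseline, device, count))
```

A production system would baseline more than one signal per device (destinations, hours of activity, data volume) and recompute the window as behavior drifts, but the detection question is the same: is this identity doing what it has always done?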

Staying proactive can help you protect your privileged accounts, even the privileged accounts you don’t expect. 

Deploy Password Automation (And Other Automation Capabilities) 

We’ve covered our issues with passwords in articles past (we cover our issues with passwords quite a bit). However, what we often fail to emphasize is the embeddedness of passwords in most authentication protocols. 

Despite best practices decrying the use of passwords, most users recognize and feel some measure of comfort with passwords. Often, the real problem lies with users not obeying password best practices; for example, users frequently reuse their passwords even though doing so puts them at serious risk. These issues affect both regular users and super users as well. 

Privileged access management helps solve these problems through capabilities such as password vaulting. Indeed, password vaulting outright prevents password reuse and infrequent password changes. Additionally, password automation helps rotate passwords automatically, preventing password stagnation. 
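To make the two vault capabilities concrete, here is an added example that is not code from the article or from any PAM product: a minimal vault model that detects the same secret being reused across privileged accounts and rotates any credential older than a policy age. The accounts, secrets, dates, and the 30-day policy are constructed sample values; the keyed fingerprint is used so reuse can be compared without keeping a plaintext lookup table, and `secrets` supplies the replacement passwords.

```python
"""Minimal password-vault model: reuse detection and age-based rotation for
privileged credentials. Constructed sample data; no real system is touched."""
import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits + string.punctuation
POLICY_MAX_AGE = timedelta(days=30)   # constructed rotation policy
TODAY = date(2019, 6, 1)              # audit date for the sample


def fingerprint(secret, key):
    """Keyed digest so two entries can be compared without a plaintext table."""
    return hmac.new(key, secret.encode(), hashlib.sha256).hexdigest()


def generate_password(length=24):
    """Cryptographically random replacement credential."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Vault:
    def __init__(self, key):
        self.key = key
        self.entries = {}   # account -> {"secret": str, "rotated": date}

    def store(self, account, secret, rotated):
        self.entries[account] = {"secret": secret, "rotated": rotated}

    def find_reuse(self):
        """Return (first_account, duplicate_account) pairs sharing a secret."""
        seen, reused = {}, []
        for account, entry in self.entries.items():
            fp = fingerprint(entry["secret"], self.key)
            if fp in seen:
                reused.append((seen[fp], account))
            else:
                seen[fp] = account
        return reused

    def stale(self, today, max_age=POLICY_MAX_AGE):
        """Accounts whose credential is older than the policy allows."""
        return [a for a, e in self.entries.items() if today - e["rotated"] > max_age]

    def rotate(self, today, max_age=POLICY_MAX_AGE):
        """Replace every stale credential; return the accounts that were rotated."""
        rotated = []
        for account in self.stale(today, max_age):
            self.entries[account] = {"secret": generate_password(), "rotated": today}
            rotated.append(account)
        return rotated


def build_sample_vault():
    """Constructed data: one reused secret, two credentials past the policy age."""
    v = Vault(b"constructed-vault-key")
    v.store("admin-jdoe", "Winter2018!", date(2019, 1, 5))   # old and reused
    v.store("svc-backup", "Winter2018!", date(2019, 4, 1))   # same secret, also stale
    v.store("admin-asmith", "k9#Pq2vL!mZ4", date(2019, 5, 20))
    return v


if __name__ == "__main__":
    vault = build_sample_vault()
    print("reused:", vault.find_reuse())
    print("stale:", vault.stale(TODAY))
    print("rotated:", vault.rotate(TODAY))
    print("reused after rotation:", vault.find_reuse())
```

The point of the model is that the vault, not the user, owns the credential: once rotation is automatic, neither reuse nor stagnation depends on anyone remembering to act.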

In fact, a lot of issues surrounding protecting privileged accounts stem from IT security teams attempting to handle their problems manually. Plenty of enterprises try to keep up with their scaling environments and escalating privileges with spreadsheets! This cannot work for modern identity management or for modern workflows—it only adds stress when it comes time to grant privileges through onboarding or temporary projects.  

But First, You Must Know PAM

According to Centrify, 26% of IT decision-makers in the United States couldn’t define privileged access management. This is a serious issue in part because 74% of those same respondents whose enterprise suffered a breach said it involved a privileged account. You need to learn more about privileged access and get your enterprise up-to-date. 

You can learn more in our 2019 Privileged Access Management Buyer’s Guide. We cover the top vendors and their key capabilities! We even provide a Bottom Line Analysis for each! 

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.