According to technology research and advisory firm Gartner, “All the privileged accounts in the IT environment that enjoy privileges beyond that of a standard user should be recorded and accounted for. It is a security best practice to frequently scan the infrastructure to discover any new accounts introduced with excess privileges.”
Indeed, traditional identity and access management (IAM) offers control over standard users’ access but can’t keep up with privileged accounts. It can’t control shared privileges, third-party administration tools, or the elevation of individual credentials. To handle these issues, enterprises need to embrace privileged access management (PAM) solutions.
But even then, the situation is a little more complicated. Without employing best practices for privileged access management, privileged accounts can prove difficult to manage. They are often heterogeneous and distributed throughout the enterprise network. Additionally, Gartner found that 65% of enterprises allow for the unrestricted, unmonitored, and shared use of privileged accounts. Not only does this violate basic identity security principles, it also makes it almost impossible to hold individuals accountable for security violations.
So what best practices for privileged access management should your enterprise be embracing? We took a look at the Gartner “Best Practices For Privileged Access Management” Report to find out:
Find All of Your Privileged Accounts
This may seem trite, but it actually proves to be a consistent challenge for many enterprises. According to a study by Thycotic, 70% of enterprises fail to discover all of the privileged accounts in their networks and 40% never bother to look in the first place. Orphaned accounts can linger on networks for months or years, remaining a constant security hole.
Therefore, your enterprise’s first step to following best practices for privileged access management should be to find all of your privileged credentials, find and remove any orphaned accounts, and evaluate your privileged credentials for ownership conflicts.
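The discovery step above is easiest to see in code. The following script is an added example for this article, not Gartner’s, Thycotic’s or any vendor’s tooling: it inventories privileged accounts on a Unix-like host (uid 0, membership of an administrative group, or a direct sudoers entry), then checks each one against an ownership register to surface orphaned accounts (no recorded owner) and ownership conflicts (more than one owner). The passwd, group, sudoers and ownership data are constructed samples, and the set of administrative group names is an assumption; on a real host you would read /etc/passwd, /etc/group and the sudoers files and pull ownership from your identity system.

```python
"""Inventory privileged accounts on a Unix-like host and check their ownership.

Added example for this article, not Gartner's or any vendor's code.
All input data below is constructed; on a real host read /etc/passwd,
/etc/group and the sudoers files instead.
"""
import re

# Constructed sample /etc/passwd content.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:backup service:/var/backup:/usr/sbin/nologin
carol:x:1004:1004:Carol:/home/carol:/bin/bash
"""

# Constructed sample /etc/group content.
GROUP = """\
wheel:x:10:alice,svc-backup
sudo:x:27:bob
users:x:100:alice,bob,carol
"""

# Constructed sudoers fragment (user_spec lines only).
SUDOERS = """\
# Defaults omitted
carol   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
%wheel  ALL=(ALL) ALL
"""

# Groups whose membership confers administrative rights (assumption).
ADMIN_GROUPS = {"wheel", "sudo", "admin", "root"}

# Constructed ownership register: account -> responsible owners.
# An account missing from this map is orphaned; more than one owner is a conflict.
OWNERS = {
    "root": ["platform-team"],
    "alice": ["alice"],
    "bob": ["bob"],
    "svc-backup": ["platform-team", "backup-team"],
}


def parse_passwd(text):
    """Return {user: uid} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers_users(text):
    """Return usernames granted directly in sudoers user_spec lines (not via %group)."""
    direct = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "%")):
            continue
        match = re.match(r"^(\S+)\s", line)
        if match:
            direct.add(match.group(1))
    return direct


def find_privileged_accounts(passwd_text, group_text, sudoers_text):
    """Accounts with uid 0, admin-group membership, or a direct sudoers grant.

    Returns {user: reason} so the auditor can see why each account was flagged.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    flagged = {}
    for user, uid in users.items():
        if uid == 0:
            flagged[user] = "uid 0"
    for group in ADMIN_GROUPS & set(groups):
        for member in groups[group]:
            flagged.setdefault(member, f"member of {group}")
    for user in parse_sudoers_users(sudoers_text):
        flagged.setdefault(user, "direct sudoers entry")
    return flagged


def audit_ownership(privileged, owners):
    """Split privileged accounts into orphaned (no owner) and conflicting (several owners)."""
    orphaned = sorted(u for u in privileged if not owners.get(u))
    conflicts = sorted(u for u in privileged if len(owners.get(u, [])) > 1)
    return orphaned, conflicts


if __name__ == "__main__":
    priv = find_privileged_accounts(PASSWD, GROUP, SUDOERS)
    for user, why in sorted(priv.items()):
        print(f"{user:12} {why}")
    orphaned, conflicts = audit_ownership(priv, OWNERS)
    print("orphaned:", orphaned)            # ['carol', 'toor']
    print("ownership conflicts:", conflicts)  # ['svc-backup']
```

Run periodically (the article’s “frequently scan”), the interesting output is the delta: a second uid 0 account like `toor` that nobody owns, or a service account claimed by two teams, is exactly the kind of finding the report asks you to hunt down before an attacker does.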
Get the Right Privileged Access Management Tools
Gartner acknowledges that your IT security team could control privileged accounts manually…in theory. In practice, manual control of privileges has consistently proven to be an unreliable and rigid process, and even then you will still need specialized tools to make sure your team handles entitlements properly.
Instead of dealing with that, get your enterprise the right privileged access management solution. This will be contingent on your individual security needs, business processes, regulatory processes, and security budget. You can’t perform best practices for privileged access management without the right tools.
Manage Your Deployment and Scope
Part of doing PAM right is making sure you implement it properly in the first place. Before you deploy your PAM solution, make sure you understand where you are deploying it and what you are aiming to achieve with it. You should also make sure you fully understand all of the tools you are planning to implement.
Gartner also suggests that you scale your solution carefully: too narrow and you’ll create inconsistent enforcement, too broad and the solution will generate too much complexity. Talk to your solutions architects to ensure you scale your PAM solution optimally. The stakes are high: according to Gartner, by 2021 enterprises with PAM tools will be at a 50% lower risk of advanced threat impacts compared to their peers.
Less, Less, Less Is More
Best practices for privileged access management can be summarized by a single word: reduce.
- Reduce the number of permanent privileged accounts overall.
- Reduce the number of shared accounts.
- Reduce the duration of temporary privileges.
- Reduce the entitlements of each account overall.
Indeed, your PAM best practices should embrace the principle of least privilege—that each account should have as few entitlements as possible—as a rule. Excess privileges and accounts must be accounted for and removed, and only rarely (if ever) should permanent superuser privileges be granted. This applies to your full-time administrators too; even if you trust those users, you may not trust whoever gets their hands on their credentials.
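The four “reduce” rules are measurable, which is what makes them enforceable. The script below is an added example for this article, not Gartner’s or any PAM product’s code: it takes a register of privileged grants, expires the temporary ones automatically (the just-in-time model the third rule implies), and reports violations of each rule in turn, namely permanent superuser grants, shared accounts, temporary grants that run longer than policy allows, and accounts that have accumulated too many entitlements. The grant records, the eight-hour and three-entitlement thresholds, and the list of superuser-level entitlements are all constructed assumptions; a real register would be exported from your PAM solution.

```python
"""Audit a privileged-entitlement register against the four "reduce" rules.

Added example for this article, not Gartner's or any PAM vendor's code.
Grant records and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Grant:
    account: str
    entitlement: str               # e.g. "domain-admin", "db-root"
    shared: bool                   # account used by more than one person
    granted_at: datetime
    expires_at: Optional[datetime]  # None means the grant is permanent


# Policy thresholds (assumptions chosen for this example).
MAX_TEMP_DURATION = timedelta(hours=8)
MAX_ENTITLEMENTS_PER_ACCOUNT = 3
# Entitlements treated as superuser level (assumption).
SUPERUSER = {"domain-admin", "root", "db-root"}

# Fixed "now" so the example is deterministic.
NOW = datetime(2019, 1, 17, 12, 0, tzinfo=timezone.utc)

# Constructed register of privileged grants.
GRANTS = [
    Grant("alice", "domain-admin", False, NOW - timedelta(days=400), None),
    Grant("ops-shared", "db-root", True, NOW - timedelta(days=30), None),
    Grant("bob", "root", False, NOW - timedelta(hours=2), NOW + timedelta(hours=2)),
    Grant("carol", "db-root", False, NOW - timedelta(hours=1), NOW + timedelta(days=3)),
    Grant("dave", "backup-operator", False, NOW - timedelta(hours=9), NOW - timedelta(hours=1)),
    Grant("erin", "log-reader", False, NOW - timedelta(days=10), None),
    Grant("erin", "backup-operator", False, NOW - timedelta(days=10), None),
    Grant("erin", "dns-admin", False, NOW - timedelta(days=10), None),
    Grant("erin", "ca-issuer", False, NOW - timedelta(days=10), None),
]


def active_grants(grants, now):
    """Drop grants whose expiry has passed: just-in-time grants lapse on their own."""
    return [g for g in grants if g.expires_at is None or g.expires_at > now]


def audit_reductions(grants, now):
    """Return one finding list per 'reduce' rule for the grants still active at `now`."""
    live = active_grants(grants, now)
    per_account = {}
    for g in live:
        per_account.setdefault(g.account, set()).add(g.entitlement)
    return {
        # Rule 1: permanent privileged accounts (here: permanent superuser-level grants).
        "permanent_superuser": sorted({g.account for g in live
                                       if g.expires_at is None and g.entitlement in SUPERUSER}),
        # Rule 2: shared accounts, which defeat individual accountability.
        "shared_accounts": sorted({g.account for g in live if g.shared}),
        # Rule 3: temporary grants whose lifetime exceeds policy.
        "temporary_too_long": sorted({g.account for g in live
                                      if g.expires_at is not None
                                      and g.expires_at - g.granted_at > MAX_TEMP_DURATION}),
        # Rule 4: accounts carrying more entitlements than policy allows.
        "too_many_entitlements": sorted(a for a, ents in per_account.items()
                                        if len(ents) > MAX_ENTITLEMENTS_PER_ACCOUNT),
    }


if __name__ == "__main__":
    for rule, accounts in audit_reductions(GRANTS, NOW).items():
        print(f"{rule:24} {accounts}")
```

Note that `dave` never appears in the findings: his grant expired an hour ago, so the register already reflects the reduction, whereas `carol`’s three-day “temporary” grant and `alice`’s year-old permanent domain-admin grant are the ones the article says to remove or time-box.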
Incorporate Identity Governance
Without identity governance and administration (IGA), excess privileges, orphaned accounts, and ownership conflicts will continue to plague your enterprise network. IGA is also useful for compliance, auditing privileged accounts, and access certification. Your PAM solution should be integrated with an IGA solution to give your enterprise the most comprehensive coverage of privileged accounts possible.
To learn more, check out the Gartner “Best Practices For Privileged Access Management” Report, available for free courtesy of Centrify.