Privileged Access Security: 5 Key Enterprise Best Practices

No one can overstate the importance of privileged access security in modern enterprise InfoSec. According to a recent report from privileged access management solution provider Centrify, 74% of data breaches begin with a privileged account.

Moreover, Centrify’s findings may prove conservative. Forrester Research estimates 80% of enterprise breaches begin with a stolen or weak set of privileged credentials.

Even though enterprises continue to increase their cybersecurity budgets, a widespread immaturity surrounding their privileged access security lingers. If enterprises truly invested and researched the potential of identity management and privileged access management, they could mitigate the chances of a data breach significantly.

To help your business recognize the importance of privileged access security, we compiled 5 key best practices:  

1) Privileged Access Security In Context

Of course, recognizing the importance of privileged access management requires understanding the full cybersecurity context. You need to understand the severity of the problem to motivate wholehearted policy changes.

Key findings from Thycotic, Centrify, and Identity Automation on the importance of PAM include:

  • 40% of enterprises never bother to look for all of the privileged accounts on their network (Identity Automation).
  • 63% don’t have security alerts in place for failed privileged access account login attempts (Identity Automation).
  • 62% of enterprises fail to provision for privileged access accounts (Thycotic).
  • 55% fail to revoke permissions after a privileged employee is removed (Thycotic).
  • 65% admit to sharing root or privileged access (Centrify).  

2) Implement Key Privileged Access Security Capabilities

Investing in full-fledged privileged access security constitutes a basic first step in cybersecurity. Therefore, enterprises’ neglect of PAM demonstrates either ignorance or arrogance. Your business must take the first step to keep its users and digital assets safe from external threat actors and insider threats.

If your current identity management or PAM solution doesn’t provide these tools and capabilities, you should seriously consider an update:

These aren’t abstract tools or mild suggestions. Your enterprise needs them to properly implement identity as the digital perimeter and protect users’ credentials. Simply installing antivirus on your network and calling it a day essentially puts your entire enterprise in harm’s way.      

3) Biometrics Don’t Function Optimally Alone

Some enterprises look to biometric authentication as the inevitable evolution of privileged access security. If my business deploys biometric scanners on our endpoints, so the thinking goes, we essentially kill two birds with one stone; we secure the endpoint and the identity logging in simultaneously.  

Biometric authentication currently enjoys a surge in popularity for its unique benefits. Biometric files are incredibly difficult to steal, spoof, or misdirect to fraudulent identities, unlike passwords. Employees and enterprises see them as more convenient than passwords, as they (generally) cannot be lost or forgotten.   

However, while biometric authentication is an effective and powerful branch of identity and access management, it does not serve as a replacement for a full privileged identity management platform.

The reasons why stem from some inherent dangers within biometric authentication. Just because biometric files remain “difficult” to fraudulently acquire or manipulate does not mean “impossible”. Hackers, after all, are some of the most dangerously innovative individuals in the world; subverting biometric authentication may only be a matter of time.

Furthermore, the more apparent drawback of biometrics seems almost trivial when compared with passwords: you can change your password in the event of a breach. Users struggle to do so, true, but they can (and should). Once a biometric factor becomes compromised, it remains compromised forever.

Furthermore, as this article by Doug Clare points out, biometrics essentially creates a new kind of repeated password—which carries its own security risks.

Biometrics function best as a layer within your privileged access security platform; more specifically, they can be a vital layer in your multifactor authentication, which can combine biometric authentication with passwords and behavioral analytics or behavioral biometrics.

The more layers your privileged access security has, the less likely it is that hackers find a way to penetrate your network.

4) The Power of Least Privilege

The principle behind privileged access security states that not all of your enterprise users should be created equal. It is, in fact, the Principle of Least Privilege.

Your CFO should have greater permissions than a non-C-Suite executive, for example. However, your CFO and your CISO should have different sets of permissions altogether; there’s no reason the former should have access to network configuration dashboards or for the latter to have access to financial information.

In your privileged access security platform, every user should only possess the access entitlements they absolutely need to perform their job duties. This limits the damage any one set of credentials can do if they fall into the wrong hands.    

5) The Power of Granularity

What is the importance of the user experience in privileged access security?

Surprisingly, this isn’t a rhetorical question. Experts continue to debate this very question when discussing enterprises’ identity and access management.

On the one hand, security needs to take precedence over convenience or pleasant user experience (unless we’re discussing CIAM). A data breach can easily shutter your business; going through a more lengthy login process seems a small price to pay.

Yet without at least some kind of user experience consideration, adoption may prove a Herculean task. Employees may develop dangerous workarounds or ignore best practices.

A good way to manage this balancing act within privileged access security is granular authentication (also called step-up authentication). This triggers additional authentication requests as users request access to more sensitive materials. For example, simply logging into the network may require only two factors, but logging into the financial records may require six factors.
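One way to implement the step-up policy described here together with the least-privilege entitlement check from section 4, as an added example that is not the article's or any vendor's code; the resource names, sensitivity tiers, factor names and the CFO/CISO entitlements are constructed assumptions:

```python
"""Step-up (granular) authentication combined with least-privilege entitlements.

Added illustration, not code from the article or any PAM product: resource
names, sensitivity tiers and factor names below are constructed sample data.
"""
from dataclasses import dataclass, field

# Sensitivity tier -> authentication factors that must all be satisfied before
# access is granted. Higher tiers demand more (and stronger) factors.
FACTOR_POLICY = {
    "low": {"password"},
    "medium": {"password", "otp"},
    "high": {"password", "otp", "hardware_key", "biometric"},
}

# Resource -> sensitivity tier (constructed sample data).
RESOURCE_TIER = {
    "intranet": "low",
    "ticketing": "medium",
    "financial_records": "high",
    "network_config": "high",
}


@dataclass
class Session:
    user: str
    entitlements: frozenset          # least-privilege grants for this role
    satisfied_factors: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str
    missing_factors: frozenset = frozenset()


def evaluate(session: Session, resource: str) -> Decision:
    """Deny unless the user is entitled AND has met the tier's factor set."""
    tier = RESOURCE_TIER.get(resource)
    if tier is None:
        return Decision(False, "unknown resource")   # default deny
    # Least privilege first: a fully authenticated CISO still cannot reach
    # financial_records if the role was never granted that entitlement.
    if resource not in session.entitlements:
        return Decision(False, "not entitled")
    missing = FACTOR_POLICY[tier] - session.satisfied_factors
    if missing:
        # Step-up: report which extra factors the caller must challenge for.
        return Decision(False, "step-up required", frozenset(missing))
    return Decision(True, "granted")
```

A real deployment would also log every "step-up required" and "not entitled" decision, since failed privileged access attempts are exactly the events the statistics above say most enterprises never alert on.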

Above all, proper privileged access security is within your reach. But you need to take the first steps.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.