Securing Privileged Accounts - A Best Practices Guide - Part 4

CyberArk recently released The Three Phases of Securing Privileged Accounts, a maturity model that provides a simple but effective framework for choosing the right privileged account security strategy for any environment. In the last post we looked at the best practices of companies in the middle of the privileged account security maturity model. This post examines the best practices of companies at the highest level of the model.

Here are the best practices of companies at the forefront of privileged account security. These companies understand the threats that unprotected privileged accounts present and have put in place security policies that every company should aspire to emulate.

Best Practices – Highly Effective Maturity


  • Automatically Disable Inactive Privileged Accounts:  Keeping track of privileged accounts across the enterprise is difficult and prone to human error; an account that belonged to a departed administrator or a finished project remains a valid credential until someone disables it. Relying on manual reviews and institutional knowledge is better than doing nothing, but automatically disabling privileged accounts that have not been used within a defined period is far more effective.
  • Multi-factor Authentication for All Admin Access:  This includes domain admin access. While MFA is not foolproof, it is an additional layer that makes privileged identities a harder target for advanced threats. Many platforms (such as legacy network devices or business applications) do not support multi-factor authentication natively. Enforcing MFA at the point where the privileged account security solution releases the credential or brokers the session covers those platforms without requiring native MFA support on each target device.
  • Automate Password Verification and Reconciliation:  Verification confirms that the password of record (the copy held by the vault) still works on each target system; reconciliation repairs any password that has drifted, for example after a manual reset, by using a separate reconcile account to set a new password and then updating the vault. Automating this process is critical when managing privileged identities: privileged accounts are constantly created and deleted, and only an automated system can keep every password of record current and verified.
  • Frequently Identify, Change and Verify Hardcoded Passwords:  Passwords embedded in applications, scripts and configuration files are often an afterthought in many organizations, yet they are a critical vulnerability that attackers frequently target. Auditing all accounts and automating the management of application credentials allows an organization to rotate these passwords without breaking the applications that depend on them.
  • Directly Connect to Target Systems without Displaying Passwords to Users:  Preventing the disclosure of privileged passwords to the end user adds an additional layer of security (a password the user never sees cannot be written down, shared or reused outside the controlled workflow) and reduces the maintenance burden of shared accounts.
  • Privileged Gateway: Eliminate Direct User Access to Sensitive Assets and Infrastructure:  Implementing a gateway between the end user and sensitive assets limits the exposure of those assets to malware on administrative endpoints and keeps privileged credentials off administrators' desktops.
  • Implement Request Workflows for Credential Access Approval (Dual Control):  Dual control, in which a second person must approve a request before a privileged credential is released, provides the checks and balances needed to prevent malicious insiders from exploiting their privileged access unnoticed.
  • Record All Privileged Sessions:  Require that all privileged account activity be captured with session recording and video playback for forensic analysis and change management review.
  • Proactively Detect Malicious Behavior:  A solution that monitors, detects and alerts on anomalous privileged user behavior (for example, an administrator connecting to a system they have never accessed before, or at an unusual hour) is a critical layer in a best-in-class privileged account security strategy.
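The verification and reconciliation loop described in the list above, as an added example that is not code from the original post or from CyberArk's product. It simulates a vault and three target hosts in memory (the host names, account names, the `recon` reconcile account and all passwords are constructed for the demo): `verify` checks that the vault's password of record still authenticates on the target, and `reconcile` repairs drift by logging in with the host's reconcile account, setting a fresh random password and updating the vault. The third host shows the failure mode a practitioner must plan for: the reconcile account's own password is stale, so the record has to be flagged for manual follow-up rather than silently skipped.

```python
"""Automated verification and reconciliation of privileged passwords of record.

Added example (not CyberArk's code). The Target class is a stand-in for a
managed host; in a real deployment verify() would attempt a login over
SSH/WinRM/LDAP and set_password() would call the platform's password-change
mechanism.
"""
import secrets
import string
from dataclasses import dataclass


@dataclass
class Target:
    """Constructed stand-in for a managed host: local accounts and their real passwords."""
    name: str
    accounts: dict  # username -> password currently set on the host

    def authenticate(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password

    def set_password(self, admin_user: str, admin_password: str,
                     user: str, new_password: str) -> bool:
        """Only a caller holding valid credentials for a privileged account may reset."""
        if not self.authenticate(admin_user, admin_password):
            return False
        self.accounts[user] = new_password
        return True


@dataclass
class VaultRecord:
    host: str
    user: str
    password: str          # the password of record held by the vault
    status: str = "unknown"  # unknown | verified | drifted | reconciled | failed


def generate_password(length: int = 24) -> str:
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify(record: VaultRecord, targets: dict) -> bool:
    """Confirm the vault's copy still authenticates on the target system."""
    ok = targets[record.host].authenticate(record.user, record.password)
    record.status = "verified" if ok else "drifted"
    return ok


def reconcile(record: VaultRecord, targets: dict, reconcile_creds: dict) -> bool:
    """Reset a drifted password via the host's reconcile account, then update the vault."""
    admin_user, admin_pw = reconcile_creds[record.host]
    new_pw = generate_password()
    if targets[record.host].set_password(admin_user, admin_pw, record.user, new_pw):
        record.password = new_pw   # vault is updated only after the target accepted the change
        record.status = "reconciled"
        return True
    record.status = "failed"       # reconcile account is itself broken: needs manual follow-up
    return False


def run_verification_cycle(vault: list, targets: dict, reconcile_creds: dict) -> dict:
    """One scheduled pass: verify every record, reconcile what drifted, report the rest."""
    summary = {"verified": 0, "reconciled": 0, "failed": 0}
    for rec in vault:
        if verify(rec, targets):
            summary["verified"] += 1
        elif reconcile(rec, targets, reconcile_creds):
            summary["reconciled"] += 1
        else:
            summary["failed"] += 1
    return summary


def build_demo():
    """Constructed sample data: one host in sync, one changed by hand, one with a stale reconcile account."""
    targets = {
        "db01": Target("db01", {"root": "Vault-Set-1", "recon": "Recon-Secret-1"}),
        "web01": Target("web01", {"root": "changed-by-hand", "recon": "Recon-Secret-2"}),
        "legacy01": Target("legacy01", {"root": "also-changed", "recon": "Recon-Secret-3"}),
    }
    vault = [
        VaultRecord("db01", "root", "Vault-Set-1"),
        VaultRecord("web01", "root", "Vault-Set-2"),
        VaultRecord("legacy01", "root", "Vault-Set-3"),
    ]
    reconcile_creds = {
        "db01": ("recon", "Recon-Secret-1"),
        "web01": ("recon", "Recon-Secret-2"),
        "legacy01": ("recon", "stale-recon-pw"),  # out of sync: reconciliation will fail
    }
    return vault, targets, reconcile_creds


if __name__ == "__main__":
    vault, targets, creds = build_demo()
    print(run_verification_cycle(vault, targets, creds))
    for rec in vault:
        print(rec.host, rec.user, rec.status)
```

Two design points carry over to a real deployment: the vault is updated only after the target has confirmed the change (otherwise a failed reset leaves the vault wrong in a new way), and a record whose reconcile account no longer works is reported as failed rather than retried indefinitely, because the reconcile account is itself a privileged credential that must be managed by the same process.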

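The kind of anomalous privileged behavior detection the last item in the list calls for, as an added example that is not code from the original post or from any CyberArk product. The session log format (timestamp, user, target host, number of commands in the session) and the entries themselves are constructed for the demo, and the thresholds (one hour of slack around each admin's usual window, five times the previous maximum command count) are assumptions to be tuned per environment. The code builds a per-administrator baseline from historical sessions and then scores new sessions against it, alerting on a first-ever host, an off-hours session or a command volume far above anything seen before.

```python
"""Baseline-and-deviation detection over privileged session logs.

Added example, not the original post's code. Each log line is
"<ISO timestamp> <user> <target host> <command count>"; the sample data
below is constructed.
"""
from datetime import datetime

# Constructed history of normal privileged sessions (the baseline period).
HISTORY = """\
2014-04-01T09:12:00 alice db01 14
2014-04-02T10:30:00 alice db01 9
2014-04-03T14:05:00 alice db02 21
2014-04-04T11:45:00 alice db01 11
2014-04-01T08:50:00 bob web01 5
2014-04-02T09:20:00 bob web02 7
2014-04-03T16:10:00 bob web01 6
2014-04-04T15:30:00 bob web01 4
"""

# Constructed sessions to score: one normal, then an off-hours session,
# a first-ever connection to a domain controller, and a command flood.
NEW_SESSIONS = """\
2014-04-28T10:00:00 alice db01 12
2014-04-28T03:15:00 alice db01 10
2014-04-28T11:00:00 bob dc01 8
2014-04-28T13:00:00 bob web01 250
"""


def parse(text: str) -> list:
    """Parse log lines into (timestamp, user, host, command_count) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, count = line.split()
        records.append((datetime.fromisoformat(ts), user, host, int(count)))
    return records


def build_baseline(records: list) -> dict:
    """Per user: hosts normally reached, hours normally active, largest session seen."""
    baseline = {}
    for ts, user, host, count in records:
        b = baseline.setdefault(user, {"hosts": set(), "hours": [], "max_cmds": 0})
        b["hosts"].add(host)
        b["hours"].append(ts.hour)
        b["max_cmds"] = max(b["max_cmds"], count)
    return baseline


def score_session(session: tuple, baseline: dict,
                  hour_slack: int = 1, cmd_factor: int = 5) -> list:
    """Return the list of reasons a session deviates from its user's baseline (empty if none)."""
    ts, user, host, count = session
    b = baseline.get(user)
    if b is None:
        # A privileged session by someone with no history is itself worth an alert.
        return ["no privileged-session history for this user"]
    reasons = []
    if host not in b["hosts"]:
        reasons.append(f"first privileged session to {host}")
    lo, hi = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
    if not lo <= ts.hour <= hi:
        reasons.append(f"session at {ts.hour:02d}:00 is outside usual window {lo:02d}-{hi:02d}")
    if count > cmd_factor * b["max_cmds"]:
        reasons.append(f"{count} commands exceeds {cmd_factor}x the previous maximum ({b['max_cmds']})")
    return reasons


def find_anomalies(history_text: str, new_text: str) -> list:
    """Score every new session; return (user, host, reasons) for those that deviate."""
    baseline = build_baseline(parse(history_text))
    alerts = []
    for session in parse(new_text):
        reasons = score_session(session, baseline)
        if reasons:
            alerts.append((session[1], session[2], reasons))
    return alerts


if __name__ == "__main__":
    for user, host, reasons in find_anomalies(HISTORY, NEW_SESSIONS):
        print(f"ALERT {user}@{host}: " + "; ".join(reasons))
```

In practice the baseline would be rebuilt on a rolling window and the session data would come from the session recording layer, which is exactly why recording and detection belong in the same solution: the recordings are the evidence behind each alert.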
Virtually every advanced attack exploits privileged credentials at some stage, so locking these accounts down is critical to the security of the enterprise. Securing privileged accounts should be an ongoing process, with continuous evaluation and adjustment to improve security as the business and the threat landscape change.

If you have questions about where your company would rank on the maturity model, let us know and we will be happy to provide an assessment.

Monday, April 28, 2014