Securing Privileged Accounts – A Best Practices Guide Part 2
April 23, 2014 | Uncategorized | CyberArk
CyberArk recently released The Three Phases of Securing Privileged Accounts – a maturity model providing a simple, yet effective, framework for applying the best security strategy for privileged accounts in any environment. In the last post, we pulled an excerpt of the paper to define privileged accounts. This post will look at best practices in securing these accounts.
The practice of securing privileged accounts has traditionally focused on keeping insiders from abusing the levels of privileged they were granted in an organization. But over the last 3-4 years, we’ve seen outside attackers specifically target privileged accounts because they give ultimate control over a company’s infrastructure. These new threats have clearly demonstrated that securing privileged accounts cannot be underestimated.
While it would be great if every company approached privileged account security at the same high level, the reality is that every company is different in terms of the maturity level of their privileged account security. Over the next few blog posts, we’ll outline best practices for companies at every level of the maturity model – those that have just started to deal with privileged account security, those who are in the middle of the spectrum, and those who are at the forefront of developing strong, proactive, preventative measures for securing privileged accounts.
Best Practices – Baseline Maturity
These are the baseline security requirements that every organizations should enact.
- Identify and Reduce the Number of Privileged Accounts: A recent survey we did showed that the majority of organizations had no idea, or vastly underestimated the number of privileged accounts in their organization. Creating an inventory of these accounts is critical – once this is established, unnecessary accounts should be deleted.
- Principle of Least Privilege – Enforce It! The principle of least privilege is one of the most important security policies a company can enforce – only give as much power to an employee as they need to do their job. In addition, standard users should only be given privileged access on a need basis.
- Process for Revocation of Rights: Onboarding and off-boarding privileged access is critical to security. New employees need to clearly understand the power these accounts provide and the responsibility that comes with it. Businesses should always have a mechanism for immediately removing access to employee privileged accounts or changing shared passwords. Without this power, companies are at the mercy of rogue employees.
- Eliminate Shared Accounts with Non-Expiring Passwords: This is just good passwords security – but given that privileged accounts are the most powerful accounts in any organization, this is a critical security step. Passwords should be changed on a regular schedule to reduce their vulnerability to password cracking tools and password sharing between employees.
- Secure Password Storage: Businesses should store privileged passwords in the most secure, encrypted vaulting system available. Passwords should NEVER be stored in binders, spreadsheets, or any other non-secure mechanism.
- Shared Account Attribution: All actions using shared administrative accounts should be attributed to a specific individual. Shared credentials should be completely eliminated. If that is not possible, the ability to enforce and audit individual accountability is required.
In our next post, we’ll look at the maturity model for organizations in the middle of the spectrum of privileged account security – providing tips on best practices to get your organization to the next stage.