Ten Steps for Securing Privileged Access
September 18, 2018 | Security and Risk | Amy Burnis
In today’s digital world, privileged accounts, credentials and secrets are everywhere—on-premises, in the cloud, on endpoints and across DevOps environments. Security breaches of sensitive data ranging from customer records to intellectual property frequently involve the use of stolen privileged credentials.
Our recently launched “Privileged Access Security for Dummies” eBook educates organizations on how to tighten privileged access security to reduce risk from attackers and malicious insiders. One particularly popular chapter highlights 10 practical steps for reducing privileged access risk. Here is an at-a-glance look at these recommendations. For full details and tips on prioritizing steps to efficiently drive down risk, download a free copy of the eBook today.
- Eliminate irreversible network takeover attacks. Don’t let attackers ruin your network and create long-term damage by gaining access to your domain controllers. Move privileged credentials associated with all Tier 0 and Tier 1 assets—such as domain controller accounts—to a centralized and automated system. Implement multi-factor authentication (MFA) to protect it.
- Control and secure infrastructure accounts. You must control and secure access to your on-premises and cloud infrastructure accounts—from server admin accounts to database instance accounts—because these are some of the riskiest keys to your IT kingdom. Vault all well-known infrastructure accounts and automatically rotate passwords periodically after every use.
- Limit lateral movement. Attackers follow patterns – stealing credentials and moving laterally across the infrastructure to carry out their goals. To limit attackers’ movement, remove local admin rights on IT Windows workstations to stop credential theft.
- Protect credentials for third-party applications. Attackers increasingly target third-party vendors such as business services, management consultants, legal counsel, facilities maintenance support, logistics companies and more as their applications and IT systems are often less sophisticated and their security defenses are easier to infiltrate. To minimize risk, it’s important to vault all privileged credentials used by third-party applications and vendors. Be sure credentials are rotated frequently.
- Manage *NIX SSH keys. SSH keys are gold to an external attacker or malicious insider, as they can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. Get these keys in a vault ASAP. After vaulting, make sure to routinely rotate them based on policy and employ a solution that enables event notifications and automation to lessen the potential impact of human error.
- Defend DevOps secrets in the cloud and on-premises. DevOps teams have the “need for speed.” Make sure their tools and coding methods don’t compromise privileged access security. Vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, secure secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a vault, while allowing them to be retrieved on the fly, automatically rotated and managed.
- Secure SaaS admins and privileged business users. Cyber criminals steal credentials used by SaaS administrators and privileged business users to get high-level and stealthy access to sensitive systems. To prevent this kind of attack, isolate all access to shared IDs and require MFA. Also monitor and record sessions of SaaS admins and privileged business users.
- Invest in periodic Red Team exercises to test defenses. In order to stay a step ahead of advanced cyber maneuvers, it’s critical to adopt an attacker’s mindset. When you hire and operate your own Red Team or hire an outside firm, the drills will be as real as possible. Check out this Q&A with our Head of Red Team Services for tips.
- Invest in a tool to periodically measure reduction in privileged security risk. Measurement of risk and maturity is a critical capability. If you aren’t gauging and adjusting for risk and change, you can’t focus and know if you’ve done enough. Measurement tools may be available from your privileged access management solution. There are also solutions in the market available to measure your entire security program against an established framework (such as NIST CSF).
- Utilize MFA. Passwords are crackable, findable and sharable. MFA that requires “something you have” and “something you know” exponentially decreases compromise. It’s important to ensure your privileged access management solution heavily leverages MFA to enhance the protection that you’re investing in.
Together, these 10 steps provide a framework to establish essential privileged access security controls to strengthen your security posture. Implementing a program that leverages these steps can help your organization achieve greater risk reduction in less time and satisfy security and regulatory objectives with fewer internal resources. Read more details in our “Privileged Access Security for Dummies” eBook.