Gerard Taylor, senior consultant at Ubusha Technologies
There is a growing understanding within organizations of the security risk posed by privileged accounts. Attackers seek out privileged accounts because they grant broad access to systems and networks, which is exactly what is needed to do damage.
Managing the entire universe of privileged accounts in an organization is an incredibly difficult task. This is where solutions such as CyberArk's can assist businesses in discovering all existing privileged accounts, auditing the state of those accounts and monitoring how they are used.
In this way, businesses can ensure that passwords are changed regularly and that only those who have been assigned access to a given privileged account can use it.
However, the full life cycle of a privileged account involves much more than password and usage management; it needs to account for and justify the account from its creation right through to its de-provisioning.
This is critical, since privileged accounts routinely appear in corporate systems without management being aware of their existence, let alone their extent.
This is due to the simple fact that, over the life of a business, many systems and applications are not installed at the corporate level but are implemented by individual departments or business units.
Typically in such a situation, a privileged account is created in order to install and implement an application. These may be web applications, client-server applications or standalone applications.
They do, however, all have one thing in common: they require some level of privileged access to be installed and may need a service account to run. They may also have internal privileged accounts used to connect to databases or other data stores.
The trouble is that such an account is not linked to a specific, accountable person. Unless effective life cycle management is in place, the account is likely to remain on the system long after the application it was created for has fallen into disuse. In addition, the account is often shared by multiple users, which makes an effective audit trail difficult: the log shows the account, not the person behind it.
Businesses need to ensure that there is a means for identifying not only who is using a given account at any one time, but also what they are using it for.
Managing the existence of the account itself
While it is all well and good to manage users and their access to a privileged account according to the 'when, where and how' principle, and equally important to manage auditing, permissions and usage, the area where most companies fail is managing the existence of the account itself.
Many companies lack the means to understand which accounts have been opened, whether they are still in use, and whether they should be de-provisioned because the life cycle of the application they were created for has ended. Failure to de-provision accounts when an application is retired creates a range of risks for an organization.
Expired privileged accounts that still exist present a massive risk to every organization. In a business where a vast number of privileged accounts have been enabled, dozens of employees may have made use of each of these accounts over time.
It is inevitable that some of these people will no longer be working for the organization, yet the credentials they once used may still be valid after they leave. Because privileged access typically also grants control over other accounts within the organization, a single orphaned account can become a foothold across the estate.
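To make these life cycle checks concrete, the following is an added example in Python; it is not CyberArk's code nor the article's own. It runs an existence-and-attribution audit over a constructed inventory of privileged accounts and flags the conditions discussed above: no accountable owner, an owner who has left, an application that has been retired, an account that has not been used for a long time, and a shared account whose usage cannot be attributed to one person. The account names, systems, staff list, dates and the 90-day staleness threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class PrivilegedAccount:
    name: str
    system: str
    application: str               # application the account was created for
    owner: Optional[str]           # accountable person, None if nobody was assigned
    last_used: Optional[date]      # last observed use, None if never seen
    users: Set[str] = field(default_factory=set)  # people observed using it


# Constructed reference data (assumptions for the example, not real records).
TODAY = date(2024, 1, 31)
CURRENT_STAFF = {"alice", "bob"}            # carol and dave have left
ACTIVE_APPLICATIONS = {"payroll", "crm"}    # legacy_inventory has been retired
STALE_AFTER = timedelta(days=90)            # assumed staleness threshold


def audit_account(acct: PrivilegedAccount, today: date = TODAY,
                  staff: Set[str] = CURRENT_STAFF,
                  active_apps: Set[str] = ACTIVE_APPLICATIONS,
                  stale_after: timedelta = STALE_AFTER) -> List[str]:
    """Return the life cycle problems found for one account (empty list if clean)."""
    findings: List[str] = []
    # Existence: is somebody accountable for the account, and are they still here?
    if acct.owner is None:
        findings.append("no accountable owner")
    elif acct.owner not in staff:
        findings.append(f"owner {acct.owner} has left the organization")
    # Existence: does the reason the account was created still exist?
    if acct.application not in active_apps:
        findings.append(f"application {acct.application} retired; candidate for de-provisioning")
    # Usage: has the account been used recently at all?
    if acct.last_used is None:
        findings.append("never used")
    elif today - acct.last_used > stale_after:
        findings.append(f"unused for {(today - acct.last_used).days} days")
    # Attribution: who has used it, and are those people still employed?
    departed = sorted(acct.users - staff)
    if departed:
        findings.append("used by departed staff: " + ", ".join(departed))
    if len(acct.users) > 1:
        findings.append("shared by multiple users; usage not attributable to one person")
    return findings


def audit_inventory(inventory: List[PrivilegedAccount], today: date = TODAY,
                    **kwargs) -> Dict[str, List[str]]:
    """Audit every account and return findings keyed by account name."""
    return {a.name: audit_account(a, today, **kwargs) for a in inventory}


def deprovision_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Accounts whose application is gone, or that have no owner and are not in use."""
    out = []
    for name, findings in report.items():
        retired = any("retired" in f for f in findings)
        orphaned = "no accountable owner" in findings
        stale = any(f.startswith("unused for") or f == "never used" for f in findings)
        if retired or (orphaned and stale):
            out.append(name)
    return sorted(out)


# Constructed inventory (assumption): what a discovery scan might have returned.
INVENTORY = [
    PrivilegedAccount("svc_payroll", "payroll-db01", "payroll", "alice",
                      TODAY - timedelta(days=5), {"alice"}),
    PrivilegedAccount("svc_legacy_db", "inv-db02", "legacy_inventory", None,
                      TODAY - timedelta(days=400), {"alice", "carol", "dave"}),
    PrivilegedAccount("adm_crm", "crm-app01", "crm", "carol",
                      TODAY - timedelta(days=10), {"bob", "carol"}),
    PrivilegedAccount("svc_reports", "rpt-app01", "crm", None, None, set()),
]


if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, findings in report.items():
        print(name, "->", findings or ["ok"])
    print("de-provision:", deprovision_candidates(report))
```

Only the clean account (`svc_payroll`) passes. The retired-application account is flagged on every check at once, which is the pattern the article warns about: an account created by one business unit, never assigned an owner, still present long after its application was abandoned, and last touched by people who no longer work there. The `adm_crm` case shows why ownership must be re-assigned on departure rather than merely audited: the account itself is still legitimately needed, but its accountable person is gone and its usage cannot be attributed to one individual.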
This is why we partner with CyberArk, to provide our customers with the ability to identify, monitor, control and ultimately close down expired accounts to mitigate risk.