Stopping Privileged Credentials Abuse

No one has more access to critical resources and sensitive information than privileged users, which means no one poses a greater security risk. Here’s how to keep their credentials from being compromised with multi-factor authentication (MFA) and centralized identity governance.


It’s your worst nightmare, and a cyber attacker’s dream come true: the credentials of a privileged user getting stolen or otherwise compromised. After all, privileged users can go practically anywhere and do anything in your network as they go about the business of configuring servers and systems and setting security policies.

That freedom is not inherently a bad thing—they are, after all, just doing their jobs—but it does have a dark side: the high level of risk it creates if cyber attackers get their hands on those credentials. Fortunately, there are a few things you can do to reduce the risk of a breach involving a privileged user’s credentials.

Make Multi-Factor Authentication (MFA) a Must

Next time someone enters a privileged user’s password for access to sensitive data, double-check that they’re really who they say they are by asking them to prove it with another form of authentication—and locking them out if they can’t oblige. In addition, because privileged users tend to be admins working on many systems at one time, look for a solution that makes access secure yet simple, with a variety of convenient authentication methods.

For example, let’s say your admins prefer to use traditional one-time password tokens whenever possible because of the “air gap” security they provide. But for certain maintenance or troubleshooting activities that require them to authenticate into multiple remote hosts simultaneously, they may find it cumbersome to wait 60 seconds for the next token code. The answer is an approach to authentication that also provides options for other, more convenient authentication methods such as mobile biometrics or push to approve.  

Implement Centralized Identity Governance

Keeping track of privileged users and their access can be a challenge if you don’t have some sort of unified and automated way to administer access. Centralized identity governance and lifecycle capabilities serve this function. Centralized governance helps ensure privileged access is being exercised in ways that conform with the organization’s established security policies and practices; lifecycle management helps ensure that the access is appropriate throughout the user’s lifecycle, from the time they join the company, through any changes in role, until they leave the company altogether. Good lifecycle management also helps avoid problems with, say, a user accumulating excessive privileges because their permissions haven’t been adjusted as they’ve changed roles.
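A minimal sketch of the lifecycle check described above, added here as an illustration and not taken from the article or any product: it compares each account's entitlements with the baseline for its current role and flags excess access left over from earlier roles, plus entitlements still attached to leavers. The role names, entitlement names, and accounts are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each role should carry (hypothetical names).
ROLE_BASELINE = {
    "dba": {"db-prod-admin", "db-backup-operator"},
    "network-admin": {"fw-config-write", "switch-admin"},
    "helpdesk": {"ad-password-reset"},
}

@dataclass
class Account:
    user: str
    status: str   # "active" or "terminated", as reported by the HR feed
    role: str     # current role
    entitlements: set = field(default_factory=set)

def review(accounts, baseline=ROLE_BASELINE):
    """Return (user, finding, detail) tuples for access that violates the baseline."""
    findings = []
    for acct in accounts:
        if acct.status != "active":
            # Leaver: every entitlement still attached is orphaned privilege.
            findings += [(acct.user, "orphaned", e) for e in sorted(acct.entitlements)]
            continue
        allowed = baseline.get(acct.role)
        if allowed is None:
            # No baseline to compare against, so the account needs manual review.
            findings.append((acct.user, "unknown-role", acct.role))
            continue
        for ent in sorted(acct.entitlements - allowed):
            # Mover: access outside the current role, often left from an earlier one.
            origin = sorted(r for r, ents in baseline.items() if ent in ents)
            findings.append((acct.user, "excess", f"{ent} (baseline of: {', '.join(origin) or 'none'})"))
    return findings

# Constructed sample accounts.
SAMPLE = [
    Account("alice", "active", "dba", {"db-prod-admin", "db-backup-operator"}),
    Account("bob", "active", "network-admin", {"fw-config-write", "switch-admin", "ad-password-reset"}),
    Account("carol", "terminated", "dba", {"db-prod-admin"}),
    Account("dave", "active", "contractor", {"vpn-access"}),
]

if __name__ == "__main__":
    for user, finding, detail in review(SAMPLE):
        print(f"{user:6} {finding:13} {detail}")
```

Run on a schedule against an export from the identity store, the "excess" findings feed access recertification and the "orphaned" findings feed deprovisioning.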

Integrate These Capabilities into Your PAM Solution

To address growing concerns about privileged credentials abuse, many organizations are rolling out privileged access management (PAM) solutions that make it possible to both restrict access to privileged accounts and monitor their usage. These solutions provide accountability and traceability, with capabilities like password vaulting and least-privilege management.

The problem is that while PAM plays an important role in helping efficiently manage privileged accounts, it’s not designed to provide a high level of identity assurance. Therefore, the ideal approach is to have a PAM solution that’s integrated with multi-factor authentication as well as identity governance and lifecycle management. That’s a step worth exploring toward reimagining identity to meet today’s access challenges.

Copyright © 2018 IDG Communications, Inc.