Organisations must continue extending their security parameters in the battle against cyber criminals and they should start with privileged user accounts.
In 2018 the UK's National Cyber Security Centre (NCSC) published online guidance on identity and access management, providing an introduction to the technologies and best practice techniques for access management. Privileged user management (PAM) was a key area covered in this guidance.
There are numerous firms and security experts continuously lobbying for privileged access management (PAM). Similar to the NCSC, the Australian Cyber Security Centre (ACSC) also published the "Essential Eight", another helpful guide for those tasked with overseeing the cyber security strategy in their organisation. While created around the practices of Australian federal and state agencies, the guide is well worth reading for any type of organisation anywhere in the world.
At Gartner's Security and Risk Management Summit in June, the top 10 security projects that chief information security officers (CISOs) should concentrate on in 2018 were laid. Once again, PAM was identified the most significant.
Despite these steady reminders, many privileged accounts still remain poorly protected, ignored, or mismanaged, making them easy targets. With that in mind, here's a list of essentials policies that every IT manager or security administrator should implement to protect privileged accounts:
1) Track and consolidate each privileged account with an automated discovery mechanism.
The first step to secure and manage your organisation's privileged accounts is to discover all critical assets on your corporate network, as well as the associated accounts and credentials. As your organisation grows and expands its infrastructure, you should ensure that your IT team is equipped with a strong discovery mechanism to tackle the proliferation of privileged accounts and keep track of them. Running a fully automated program that regularly scans your network, detects new accounts, and adds them to a central database is the best way to build a strong foundation for your PAM strategy.
2) Store privileged accounts in a secure, centralised vault.
Do away with localised, siloed databases that are often maintained by various teams. More importantly, make sure employees stop writing down passwords on sticky notes or storing passwords in plain text files. These practices are dangerous and lead to increased instances of outdated passwords...