Privileged accounts have access to the most valuable corporate information, which is why they are often targeted by attackers. As a result, organizations face the need to manage privileged access in a secure and effective manner.
Many compliance regulations have strong security control recommendations for privileged user management. To meet these requirements and prevent devastating data breaches from happening, organizations implement various Privileged Access Management (PAM) practices in their security routine. But how to choose the right PAM solution and what features to look for?
According to Gartner’s 2019 Best Practices for Privileged Account Management, a quality PAM solution should be based on four pillars:
- Provide full visibility of all privileged accounts
- Govern and control privileged access
- Monitor and audit privileged activity
- Automate and integrate PAM tools
In this overview, we list the most critical features that can help you secure privileged access to your company’s sensitive data according to these four pillars.
1. Continuous discovery of privileged accounts
You can’t protect something you are unaware of. So discovering every single privileged account in your network is a must. Look for privileged access management solutions that allow discovering all kinds of privileged accounts used by both human users and applications.
Once you have full visibility of all the privileged accounts present in your network, you can easily get rid of needless admin accounts and specify which accounts or particular users can access what critical assets. To go even further, you may harden the system by eliminating all default admin accounts, deploy the least privilege principle or zero-trust security approach.
The biggest challenge with implementing these features is keeping the data about privileges accounts up to date. If any privilege elevation goes amiss, you will put your company’s cybersecurity at serious risk.
2. Multi-factor authentication
Multi-factor authentication (MFA) feature is a necessary measure for making sure that only the right people can access your critical data. It’s also a great way of preventing insider threats by mitigating the risk of malicious insiders “borrowing” passwords from their colleagues.
Most MFA tools offer a combination of two factors:
- Knowledge (user credentials)
- Possession (biometrics, one-time password sent to a user’s verified mobile device, etc.)
Defining which endpoints or assets need to be protected the most is one of the main challenges associated with implementing this feature. To avoid creating excessive difficulties for the employees, it’s important to implement the MFA functionality only when and where it’s necessary.
3. Session management
Many security vendors offer Privileged Access and Session Management (PASM) as a standalone solution or a part of their privileged account management software. The ability to monitor and record privileged sessions provides security specialists with all the needed information for auditing privileged activity and investigating cybersecurity incidents.
The main challenge here is to associate each recorded session with a particular user. In many companies, employees use shared accounts for accessing various systems and applications. If they use the same credentials, sessions initiated by different users will be associated with the same shared account.
To deal with this challenge, look for a PAM solution that offers a secondary authentication functionality for shared and default accounts. So if a user logs in into the system under a shared account, they will be asked to provide their personal credentials as well, thus allowing to confirm that this particular session was started by this particular user.
4. One-time passwords
Another great way to make sure that only the right person will be granted access to your critical assets is to deploy the one-time password functionality. This feature works best for granting just-in-time (JIT) access to the most valuable information to your third-party contractors.
One-time passwords remain valid for only a short period of time and can’t be reused again, thus minimizing the risk of data compromise.
5. User and entity behavior analytics (UEBA)
User and entity behavior analytics (UEBA) tools can help indicate the fact of a privileged account compromisation at an early stage. They analyze data logged by other PAM tools, including session records and logs, and identify patterns of regular user behavior. If the behavior of a specific user or entity starts deviating from its typical pattern, the system will mark it as suspicious. UEBA tools are meant to help you close the gaps left by other security tools and detect an intrusion as early as possible.
Currently, the market offers a lot of both standalone UEBA solutions and other security solutions with built-in UEBA functionality. When it comes to managing privileged access, look for a PAM or security information and event management (SIEM) solution that offers at least UEBA capabilities.
6. Real-time notifications
The earlier you stop the attack, the lesser its consequences will be. But in order to be able to respond to a possible security incident in a timely manner, you need to be notified about near to real-time. So, when choosing a privileged access management solution, make sure to check if it has a fine alerting system.
Most PAM solutions offer a set of standard rules and alerts. For instance, responsible security personnel will be notified every time the system registers a failed login attempt for a privileged account. To go further, you can create custom alerts for specific events, activities, or even groups of users.
7. Comprehensive reporting and audit
PAM tools usually collect enormous amounts of data: activity logs, keystroke logs, event logs, session records, and so on. But it doesn’t matter how many useful data your PAM solution gathers if you can’t form a comprehensive report out of it. So you need to be able to form different types of reports according to your specific needs and requirements.
Pay special attention to the type of data and information that can be included in the reports. For instance, it would be great if you can get a full report about all activities performed underprivileged accounts or privileged sessions that were initiated out of the usual work hours.
In some cases, forensic analysis is needed to investigate a security incident or evaluate the state of the current security system. Therefore, you need to choose a privileged access management solution with forensic export functionality.
The possibility to integrate your PAM solution with your current SIEM will be a plus. This way you can get the most out of all the data collected by the PAM tool and analyze potential threats in a more effective manner.
The abuse of privileged access can lead to devastating consequences, allowing attackers to get the most valuable and important information with minimal efforts. Secure and properly managed privileged access is also required, sometimes indirectly, by most compliance regulations. This is why deploying a quality PAM solution is a necessary step for every modern organization.
Hopefully, the described criteria will help you find the best-privileged access management solution faster and with ease.