These superusers have rights that span systems and endpoint devices such as laptops, so they can patch software, query sensitive data, or change the configuration of the network and the devices on it. Privileged accounts are extremely powerful because they govern all the systems that run the business, and they may extend to users outside the enterprise, such as partners or suppliers.
What's the problem?
Because privileged accounts give access to ‘all areas’ of the enterprise, a stolen privileged credential can lead to the theft of company data for competitive, espionage or fraudulent purposes, which in turn can cause serious business interruption, financial loss and reputational damage for the enterprise, its customers and its partners.
And if the theft goes undetected, it allows attackers to sit in the network, cuckoo-like, observing business processes for months before making a move that could seriously damage or even destroy the business.
Even where the theft of a privileged credential does not end that badly, losing the personal data an organization stores carries serious consequences. With the General Data Protection Regulation becoming enforceable across the EU on 25 May 2018, organizations face steep fines if the personal information of consumers, such as identities, bank account details and medical records, is not kept safe. The reach is wide: not only European companies are affected, but any company that stores personal information about EU residents.
There are numerous other regulations and standards to comply with, including HIPAA (protection of patient health information in the US), SOX (controls over corporate financial reporting and accounting) and ISO 27001 (the international standard for information security management systems, which customers frequently require of suppliers entrusted with their data).
Privileged account management (PAM) is an effective way for enterprises to discover, control and audit the credentials of critical enterprise systems: the accounts that set the access parameters and hierarchies for everyone else in the organization.
Ticking the boxes is not enough
Companies have been accused of merely ticking boxes for compliance with the regulations that govern data access, rather than taking a holistic view. A recent report by Thycotic, a PAM vendor, surveyed the security posture of 500 organizations worldwide and found that more than half were failing to use a secure logon process for privileged accounts.
This can lead to a breach in which attackers steal credentials and could, for example, then read address lists and mailbox contents to make spear-phishing attacks more convincing. Or they could cause business interruption by taking control of systems themselves.
“Through 2020, more than half of the security failures associated with Infrastructure or Platform As a Service will be attributable to significant security gaps caused by failure to adopt PAM technology and processes,” according to the latest PAM market guide analyst report from Gartner.
In the last 12 months alone there have been several breaches of blue-chip companies that hold personal consumer data, which in the US has included Social Security numbers, commonly used to authenticate a person's identity.
Five tips for protecting privileged accounts
1) Automatically generate random passwords
Manage and control how passwords are allocated by automating the process, so that it follows established policy exactly and rules out human error.
2) Use a password vault
Shield privileged account users from ever knowing the actual passwords by storing them in a vault that brokers access on their behalf. Require multi-factor authentication to reach the vault.
3) Remove credentials when users change roles
Manage the lifecycle of privileged credentials with a process that automatically revokes them as employees change roles, and then re-allocates privileges appropriately to others.
4) Track privileged users
Enterprises need to know, and be able to audit, everything that takes place during an administrative session. Privileged sessions should be recorded both at command level and as video playback, so that compliance with data-privacy standards can be demonstrated.
5) Real-time alerts
Monitor all sessions by privileged users and set alerts for inappropriate behavior during administrative sessions.
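The first tip is easy to get wrong in code: passwords drawn from a general-purpose random number generator are predictable, and patching a candidate afterwards to satisfy "one of each character class" skews the distribution. The following Python is an added example, not code from the article or from any PAM product; the policy it enforces (24 characters, four character classes) and the symbol set are assumptions standing in for an organization's own password policy.

```python
"""Policy-compliant random password generation for privileged accounts.

Added example, not from the original article or any PAM vendor. The policy
values below (length, character classes, symbol set) are assumptions that
stand in for whatever an organization's own password policy requires.
"""
import math
import secrets
import string

# Assumed policy: at least one character from each class.
# The symbol set deliberately omits quotes, backslash and space so generated
# passwords survive being pasted into shells and config files unescaped.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())
DEFAULT_LENGTH = 24  # assumed minimum for a vaulted, machine-used credential


def meets_policy(pw: str, min_length: int = DEFAULT_LENGTH) -> bool:
    """True if pw is long enough and contains at least one char of every class."""
    if len(pw) < min_length:
        return False
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def generate_password(length: int = DEFAULT_LENGTH) -> str:
    """Draw from the OS CSPRNG (secrets) and reject candidates that miss a class.

    Rejection sampling keeps every accepted password uniformly distributed over
    the set of policy-compliant strings. Forcing "one of each" into fixed
    positions, or fixing up a failed candidate, would bias the output. The
    `random` module must not be used here: Mersenne Twister state is
    recoverable from a few hundred observed outputs.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy all character classes")
    while True:  # acceptance rate is well above 90% at length 24, so this is cheap
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def entropy_bits(length: int = DEFAULT_LENGTH) -> float:
    """Approximate entropy of a generated password in bits.

    This is the entropy of an unconstrained draw; the class filter rejects only
    a small fraction of candidates, so the true value is marginally lower.
    """
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits():.1f} bits)")
```

The vault (tip 2) should call something like `generate_password()` itself when it rotates a credential, so that no human ever chooses or sees the value; the only thing an operator needs is a policy check such as `meets_policy()` to verify what the vault produced.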
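Tip 5 only works if "inappropriate behavior" is written down as rules a monitoring system can evaluate against the session recording from tip 4. The following Python is an added example, not the article's or any vendor's code: it runs a handful of rules (commands touching the credential store, account changes, world-writable permissions, log tampering, activity outside a maintenance window, and hosts outside the change ticket's scope) over a constructed command-level session log. The log format, the rule patterns, the window hours and the approved-host list are all assumptions to be tuned to a real environment.

```python
"""Rule-based alerting over a recorded privileged session.

Added example, not the article's or any product's code. The log format, the
rule patterns, the maintenance window, the approved-host list and the sample
session lines are all constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Commands that should trigger review when seen in an admin session.
# Patterns are assumptions; tune them to the environment.
SUSPICIOUS_PATTERNS = {
    "credential_access": re.compile(r"\b(cat|less|cp|scp)\b.*/etc/shadow\b"),
    "account_change": re.compile(r"\b(useradd|usermod|passwd|visudo)\b"),
    "world_writable": re.compile(r"\bchmod\s+(-R\s+)?[0-7]?777\b"),
    "log_tampering": re.compile(r"(history\s+-c|auditctl\s+-e\s+0|\brm\s+.*/var/log/)"),
}

# Assumed maintenance window (UTC hours) outside which admin activity is unusual.
WINDOW_START_HOUR, WINDOW_END_HOUR = 8, 20
# Assumed scope of the change ticket that authorized this session.
APPROVED_HOSTS = {"web-prod-01", "web-prod-02"}

# Assumed recorder format: ISO timestamp, admin=, host=, cmd="...".
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+admin=(?P<user>\S+)\s+host=(?P<host>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Parse one recorder line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def evaluate(rec, approved_hosts=APPROVED_HOSTS):
    """Return a list of (rule, detail) alerts raised by one session record."""
    alerts = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(rec["cmd"]):
            alerts.append((name, rec["cmd"]))
    if not (WINDOW_START_HOUR <= rec["ts"].hour < WINDOW_END_HOUR):
        alerts.append(("outside_window", rec["ts"].isoformat()))
    if rec["host"] not in approved_hosts:
        alerts.append(("out_of_scope_host", rec["host"]))
    return alerts


def scan_session(lines, approved_hosts=APPROVED_HOSTS):
    """Run every rule over every line; return {line_number: [alerts]} for lines that fired.

    A line the recorder format does not explain is itself an alert: gaps in the
    record are exactly what an attacker clearing their tracks would leave.
    """
    findings = {}
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings[n] = [("unparseable", line.strip())]
            continue
        hits = evaluate(rec, approved_hosts)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample session, not real telemetry: a legitimate nginx restart
# during the day, followed by off-hours activity on an out-of-scope database host.
SAMPLE_SESSION = [
    '2018-05-03T09:12:41Z admin=jdoe host=web-prod-01 cmd="sudo systemctl restart nginx"',
    '2018-05-03T09:13:05Z admin=jdoe host=web-prod-01 cmd="sudo tail -n 50 /var/log/nginx/error.log"',
    '2018-05-03T02:47:19Z admin=jdoe host=db-prod-01 cmd="sudo cat /etc/shadow"',
    '2018-05-03T02:48:02Z admin=jdoe host=db-prod-01 cmd="sudo useradd -o -u 0 svc_backup"',
    '2018-05-03T02:48:30Z admin=jdoe host=db-prod-01 cmd="history -c"',
]

if __name__ == "__main__":
    for n, hits in scan_session(SAMPLE_SESSION).items():
        for rule, detail in hits:
            print(f"line {n}: {rule}: {detail}")
```

In practice the rules would be fed by the session recorder in real time rather than from a file, and the approved-host set would come from the change-management system, but the shape is the same: a recorded session is only useful for detection if something reads it while the session is still open.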
I've been writing about technology for nearly 20 years, including editing industry magazines Connect and Communications International. In 2002 I co-founded Futurity Media with Anthony Plewes. My focus in Futurity Media is in emerging technologies, social media and future gazing. As a graduate of philosophy & science, I have studied futurology & foresight to the post-grad level.