How to Take Control of Your Privileged Accounts

September 20, 2019

Privileged access management (PAM) — also referred to as privileged account management — is the top cybersecurity project for chief information security officers (CISOs), according to Gartner. Why? Because privileged access carries significant risk, and all organizations deal with privileged, administrative or other sensitive accounts. These accounts are primary targets for attackers and need to be managed separately and with specific considerations.

Although the risks associated with privileged accounts are known, few organizations truly understand just how exposed they are. Implementing a PAM solution is a no-brainer, but these tools work best when the full depth and breadth of the systems they are supposed to protect are known.

Privileged Accounts, Where Are You?

Most organizations have no idea how many privileged accounts they have or where they are located. To truly know what privileged accounts exist in your environment, you need a discovery feature. Discovery is a crucial element of PAM that automatically scans for privileged credentials and alerts you when unexpected accounts are found.

Discovery is the first step toward protecting privileged accounts. If you don't know where privileged accounts are, your network could be riddled with hidden backdoor accounts: accounts created or elevated outside the normal security process to gain high-level access. A backdoor lets its user bypass proper controls and audits and can be used to steal confidential data, install malware and hijack devices. Automated scanning for privileged credentials surfaces unexpected accounts like these as soon as they appear.

There are several different types of privileged accounts with varying degrees of power, which is why they often go overlooked by security and IT teams. While some user accounts are assigned to individuals, many types are shared by multiple people. Talk about confusing! This can lead to careless behavior, negligent password management and improper account deprovisioning.

The answer to these problems is automated discovery of privileged accounts. This functionality quickly scans your network to find unmanaged privileged, shared and service accounts and bring them under management. If you're curious about what this looks like, you can scan your environment with the privileged account discovery tool. This tool discovers where privileged accounts exist within your infrastructure and analyzes their passwords to determine whether they have been changed regularly or have been set to never expire (a setting that needs to be remedied). Privileged passwords should be changed regularly, and automatically when they expire. Experience a single, comprehensive view of all your Windows privileged accounts with this free, interactive tool.

While PAM focuses on managing powerful accounts within the IT infrastructure of an enterprise, it’s also important to enforce privilege security on endpoints. A combination of endpoint privilege management and application control helps prevent external threats and stops malware by removing local administrative rights from endpoints and shutting down risky applications. The trick is to accomplish this without impacting user and help desk productivity.

Why You Need to Adopt a Least Privilege Strategy

Do your users have full admin rights on their computers? Hopefully not. Do you restrict access altogether? If so, this can result in an overwhelmed help desk and unproductive users. How do you give users access to the applications they need, but also ensure that endpoints and systems do not have unnecessary local administrative rights?

Many organizations are addressing these problems by limiting end-user permissions and implementing a strategy of least privilege. Least privilege means reducing the permissions of end users, service accounts, application accounts and even local administrator accounts to the minimum required to carry out their intended tasks. This means endpoints don't have unnecessary privileges that cybercriminals can abuse and use to avoid detection. This approach helps the organization stay compliant while still allowing applications to be elevated on demand.

To see if you’re implementing least privilege effectively, you can scan your environment with a least privilege discovery tool. Such a solution can help you discover which endpoints and local users have admin rights, which applications are in use and whether they require admin rights to run. A single, comprehensive view of this information makes management easy, so you can lock down privilege on the endpoint and implement a consistent least privilege strategy.
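Putting the two discovery steps described above into a script, for the privileged accounts with never-expiring or stale passwords and for the local admin rights on endpoints: this is an added example, not the article's tool or IBM's code. It assumes the built-in Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), an elevated prompt, and a 90-day password-age threshold chosen for illustration.

```powershell
# Added example (not from the article): inventory local privileged accounts on a
# Windows endpoint and flag password hygiene problems, so the findings can be
# fed into a PAM onboarding or least privilege clean-up.
# Assumptions: built-in LocalAccounts module, elevated session, 90-day threshold.

$StaleDays = 90   # assumed policy: privileged passwords older than this are flagged

# 1. Who holds local administrative rights on this endpoint?
$admins = Get-LocalGroupMember -Group 'Administrators'

# 2. Local user accounts and their password state
$users = Get-LocalUser

$report = foreach ($u in $users) {
    $isAdmin  = $admins | Where-Object { $_.SID -eq $u.SID }
    $findings = @()
    if ($isAdmin) { $findings += 'LocalAdmin' }
    # PasswordExpires is $null when the account is set to never expire
    # (or when no maximum password age policy applies): either way, it never rotates.
    if ($u.Enabled -and $null -eq $u.PasswordExpires) { $findings += 'PasswordNeverExpires' }
    if ($u.Enabled -and -not $u.PasswordLastSet) { $findings += 'PasswordNeverSet' }
    if ($u.Enabled -and $u.PasswordLastSet -and
        $u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays)) {
        $findings += "PasswordOlderThan${StaleDays}d"
    }
    [pscustomobject]@{
        Account         = $u.Name
        Enabled         = $u.Enabled
        LocalAdmin      = [bool]$isAdmin
        PasswordLastSet = $u.PasswordLastSet
        Findings        = ($findings -join ',')
    }
}

# Domain users and groups nested in Administrators do not appear in Get-LocalUser;
# list them separately so shared, group-based admin rights are not missed.
$nonLocal = $admins | Where-Object { $_.PrincipalSource -ne 'Local' }

"Local accounts with findings:"
$report | Where-Object Findings | Format-Table -AutoSize
"Non-local principals in Administrators (review group membership in the directory):"
$nonLocal | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Run it across a fleet (for example through Invoke-Command) and the combined output is the starting inventory a PAM or least privilege project needs.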

If there are privileges on your endpoints that shouldn't be there, or if admins are accessing accounts and data that they shouldn't, the security team must be aware of it. And have the passwords on those accounts been changed since?

Removing unneeded administrative rights is a key step toward implementing least privilege security. When an attacker compromises an endpoint via social engineering, they enjoy whatever rights and access the victim has. If that is a local administrator, the attacker effectively gains complete control of that endpoint. Restricting user rights to only those that they actually need greatly reduces the risk in the event that a user’s account is compromised. What are you waiting for?

Are Rogue Applications Running Across Your Network?

Another crucial element to endpoint privilege management — one that works in combination with enforcing least privilege — is application control. Application control allows you to proactively manage and monitor all the applications running on your endpoints with policy-driven controls. Such policies dictate how privileges are accessed across your network and define what applications are allowed to run and where.

With proper application controls in place, you can significantly reduce the risks associated with application use. You can create specific whitelisting, blacklisting, elevation and greylisting policies for your network. These policies allow known applications to run, deny malicious applications and prevent unknown applications from running. Hackers know how to exploit applications, so the ability to discover the vulnerabilities and risks they carry is crucial to preventing cybercriminals from accessing your core systems.
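One concrete form of the whitelist, blacklist and greylist policies described above is a Windows AppLocker rule set; the following is an added example, not a policy from the article or from IBM. It assumes a Windows edition with the AppLocker cmdlets, an elevated session, constructed rule GUIDs, and a hypothetical C:\UnapprovedTools folder standing in for software the organization has decided to block.

```powershell
# Added example (not from the article): an AppLocker executable policy that
# whitelists the OS and Program Files, grants local admins a broad allow rule,
# blacklists an assumed unapproved-tools folder, and greylists everything else
# by starting in AuditOnly mode (unknown apps are logged, not yet blocked).
# Rule Ids are constructed GUIDs; C:\UnapprovedTools is a hypothetical path.

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="5d1b1e6e-6c5d-4a1a-9a6a-000000000001" Name="Allow Program Files"
        Description="Whitelist: installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5d1b1e6e-6c5d-4a1a-9a6a-000000000002" Name="Allow Windows folder"
        Description="Whitelist: operating system binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5d1b1e6e-6c5d-4a1a-9a6a-000000000003" Name="Deny unapproved tools"
        Description="Blacklist: an explicit deny wins over any allow" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\UnapprovedTools\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5d1b1e6e-6c5d-4a1a-9a6a-000000000004" Name="Allow all for local admins"
        Description="Administrators group (S-1-5-32-544)" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyFile = Join-Path $env:TEMP 'endpoint-applocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run before applying: stage two copies of notepad.exe so every decision path
# is exercised against files that really exist on the endpoint.
New-Item -ItemType Directory -Path 'C:\UnapprovedTools' -Force | Out-Null
Copy-Item "$env:WINDIR\System32\notepad.exe" "$env:TEMP\unknown-app.exe" -Force
Copy-Item "$env:WINDIR\System32\notepad.exe" 'C:\UnapprovedTools\blocked-app.exe' -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path @(
    "$env:WINDIR\System32\notepad.exe",   # expected: Allowed (Windows folder whitelist)
    "$env:TEMP\unknown-app.exe",          # expected: DeniedByDefaultRule (greylisted)
    'C:\UnapprovedTools\blocked-app.exe'  # expected: Denied (explicit blacklist rule)
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode; review Microsoft-Windows-AppLocker/EXE and DLL events
# (ID 8003 = would have been blocked) before changing EnforcementMode to "Enabled".
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The audit-mode events are the "greylist": each 8003 entry is an application that needs an allow rule, an elevation rule or a deny decision before enforcement is switched on.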

An endpoint application discovery tool can help you identify rogue and other risky applications that open your organization to attack. Evaluate the potential risk of applications running in your environment so you can stay compliant with security policies, secure your endpoints and protect against rogue applications.

Whether you are discovering privileged accounts, risky applications or elevated privileges, implementing cutting-edge privileged access management and endpoint privilege management solutions will help you get there.

Katherine Cola
Product Marketing Manager, IBM
Katherine Cola is a contributor for SecurityIntelligence.