When an IT administrator or other privileged user leaves an organization, the security team must take care to determine which systems he or she could access, and what data, if any, he or she accessed on the way out the door — especially if the outgoing administrator is in any way disgruntled.
But how can organizations gain the visibility they need to monitor their most sensitive accounts and databases? A privileged account management solution is a great place to start.
The IT Administrator Challenge
IT administrators have access to most of the systems, applications and technologies within an organization. This means that they have sufficient privileges to potentially cause harm to the organization by manipulating data, destroying important services or stealing intellectual property.
Since many privileged accounts are shared between several administrators, removing these accounts is not a viable option, and the process of changing passwords for such accounts can be arduous. In addition, it’s difficult for security teams to see exactly how many accounts an outgoing administrator has access to — it could be hundreds. Removing or securing all these credentials manually requires a significant investment in time and resources.
Even if the security team manages to block the outgoing administrator from accessing privileged accounts, it must still determine which accounts were accessed the last time the administrator logged in and what activity he or she conducted while inside the database. To gain this visibility, security teams must invest in either:
- A centralized monitoring solution that analyzes activity on all systems and applications; or
- A session-recording solution that records all the administrator’s activities when using privileged accounts.
Although both options require manual activities, they are critical tasks if the organization suspects that an outgoing administrator might conduct harmful activity on the way out.
What Does a Privileged Account Management Solution Do?
Fortunately, there are privileged account management (PAM) solutions available to automate these processes while producing the necessary documentation. This documentation is required by a wide range of compliance regulations, many of which focus explicitly on the management of privileged accounts.
PAM solutions can cover all of the above-mentioned challenges and more. The functionality mostly includes:
- Secure storage of account credentials, meaning an admin no longer needs to know the credentials;
- Automatic discovery of administrative accounts;
- Controlled access to privileged accounts by permitted administrators, including automatic logins;
- Recording of administrative sessions; and
- Manual and automatic password rotation for one or all administrator accounts.
How Else Can PAM Help Boost Data Security?
While the main use case of a PAM solution is to allow administrators to securely access privileged accounts, there are additional scenarios where such a tool can be used.
Administrators aren’t the only ones who need access to certain accounts; developers also need test accounts in various systems. Managing these — especially in an DevOps environment — is just as complex as managing shared administrator accounts. A PAM solution can help provide the right developers with the right test accounts at the right time.
In addition, there is another oft-forgotten group of accounts that must have the passwords changed from time to time: technical and application accounts. There is likely not even an overview of all these accounts, and their passwords will almost certainly not be changed periodically, even if regulations require this. The problem is that it is not always clear which application uses this account. A PAM solution provides an overview of all such accounts, discovers the dependent services, changes the password in all places at once and restarts the services in the correct order.
Whether you need to manage administrator access, privileged users or application accounts, a PAM solution can provide the security team with robust protection capabilities to keep data safe from risks associated with outgoing administrators.