As nineteenth century British historian Lord Acton famously wrote: "Power tends to corrupt ... and absolute power corrupts absolutely." Few examples better support this phenomenon than the privileged IT account.
Users with generously provisioned credentials and unchecked access to systems, software and information are both common and dangerous, and they represent a significant risk in the modern enterprise. Without proper safeguards, elevated access can lead, whether by mistake or misfeasance, to the spread of malicious applications, the misconfiguration of devices, and the compromise of data integrity.
And that is just the insider threat. Attackers target privileged credentials because they make getting in, moving around and doing damage on a victim's systems far easier and far more productive. The more unmanaged, high-value, high-permission accounts an organization has, the greater the chance that one of them will fall into the wrong hands with catastrophic results.
Consider the case of X, the social media network formerly known as Twitter. In 2020, attackers armed with access to the platform's internal administrative tools compromised high-profile accounts belonging to Joe Biden, Bill Gates, Elon Musk and Barack Obama and posted messages promoting a cryptocurrency scam. The crime was made possible by social engineering a small number of Twitter employees who had access to the company's internal account-support tools.
That same year, hackers bribed a customer support representative at the kid-friendly online gaming platform Roblox to gain access to an admin account. Through that privileged account the attackers were able to steal user data, change profile information and pilfer in-game purchases, damaging the company's reputation in the process.
These incidents are the norm, not the exception. According to Verizon's Data Breach Investigations Report, more than one-third of breaches involve an internal actor, whether acting deliberately or accidentally. Some 32% of reported incidents were related to privilege misuse, while 21% of breaches were due to password misuse.
The data demonstrates not only the important role privileged accounts and identities play in threat models and risk profiles, but also the imperative for proper privileged access management (PAM) to ensure users only get as much powerful account access as they need to do their jobs and only for as long as they actually need it.
At its core, PAM is a threat-reduction strategy that combines processes and technologies to monitor, detect and prevent unauthorized use of critical resources by accounts with high-level permissions. PAM differs from Identity and Access Management (IAM) in that IAM typically focuses on the lifecycle of individually assigned user accounts, provisioning and decommissioning them based on job roles. Think of a standard Active Directory account owned by one human user and protected with a single password known only to that user.
PAM, and the closely related Privileged Identity Management (PIM), focuses instead on managing the risk of accounts that generally cannot be attributed to a single individual. This decoupling of privileged users from privileged accounts is central to the privileged access management model. A privileged user may draw on one or several privileged accounts to accomplish tasks such as hardware and software deployment, password resets, sensitive data access, or infrastructure reboots and configuration changes. It is not unusual for an organization to have many more privileged account credentials on the books than it has employees on the payroll.
The ultimate goal of a PAM (or PIM/PAM) platform is to manage this complexity: to limit the number of accounts with access to administrative functions while dutifully managing those that remain. PAM tools reveal when privileged accounts are logged in and what they are being used to do, and they provide mechanisms for controlling these powerful accounts, often by applying policy- or time-based restrictions on access.
Many PAM solutions also include additional layers of protection, such as session recording and emergency credential rotation, that defenders can draw on when responding to a breach in which attackers have already achieved some level of privileged access.
Organizations aspiring towards robust, effective privileged access management should aim for the principle of "least privilege," in which users, accounts, and computing processes are granted only as many access rights as is strictly necessary to perform legitimate routine activities. The least-privilege approach minimizes the risk of systems or data compromise resulting from a malicious attack on — or the accidental misuse of — privileged accounts.
One mistake organizations sometimes make when considering a PAM implementation is to acquire the tool first, then try to fit it to their environment. A better approach is to first look at the various types of accounts at risk in the enterprise, then determine whether a PAM platform is appropriate to address them. Common privileged accounts generally fall into one of the following categories:
Once the organization has identified the presence and prevalence of their various privileged account types, the task turns to monitoring and managing privileged access activity in the interest of overall security posture and risk mitigation. A short list of requirements for a workable privileged access management strategy might include:
Exploring this a bit further, consider the use case of system admin-level accounts. These powerful accounts can be secured with single-use or time-limited credentials, often called "just-in-time" credentials, that are both strong and changed after each use. The process is far superior to traditional standing passwords, which get shared and reused and are ripe for abuse. Once rotated, a credential is useless to an attacker who captured the password or its hash; it does remain valid for the length of the checkout window, so that window should be kept short. Many PAM platforms manage just-in-time credentials by tying the password checkout to an individual user while also enforcing a second factor of authentication. For even stronger security, organizations can require a privileged access workstation or a dedicated "jump box", combined with host- or network-based firewalls, so that these accounts can only be reached from a designated, pre-approved source.
Public Key Infrastructure (PKI) and certificate-based identity mechanisms can help further ensure that access to sensitive systems is safeguarded by cryptographically secure methods. To wit:
By leveraging PKI and cryptographic identities, organizations reinforce the controls around their most sensitive assets, ensuring that privileged accounts remain protected and that access is granted only to authorized entities.
Corralling local admin accounts, meanwhile, benefits from controls that require a unique, random password for every machine in the organization. A user needing such access must know the device name in order to retrieve that device's local admin password. It is a policy that would be unmanageable by hand, but one capably handled by PAM solutions. After use, the password is reset to a new, unique value. This works well should the user fall victim to a phishing or malware attack: even with remote access to a device, an attacker cannot reuse the local admin credential from the compromised machine for lateral movement, because no other machine shares it. PAM not only thwarts this common attack path with unique, strong local admin passwords, it also makes the attempt far more likely to trigger failed login alerts.
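The just-in-time checkout described for admin accounts above and the per-machine local admin rotation described here rest on the same mechanism: a vault that holds one unique random password per account, hands it out only to a user who has passed a second factor and is connecting from an approved workstation, and rotates it the moment the checkout ends or its window lapses. The following Python is an added illustration written for this page, not the code of any PAM product. The host names, the approved workstation address, the 600-second checkout window, the `HOST\Administrator` naming and the `host_authenticates` method (a stand-in for the target machine checking a presented password) are all assumptions chosen for the demo; the TOTP routine follows RFC 6238 so the second factor is a real one rather than a stub.

```python
"""Toy PAM vault written for this article (illustrative; all names and addresses are assumptions)."""
import hashlib
import hmac
import secrets
import string
import time
from collections import namedtuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
Checkout = namedtuple("Checkout", "user source_ip expires_at")

def account_for(host):
    return f"{host}\\Administrator"  # one local admin account per machine (assumed naming)

def generate_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))  # CSPRNG, never reused

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class PrivilegedVault:
    def __init__(self, approved_sources, ttl_seconds=900, clock=time.time):
        self.approved_sources = set(approved_sources)  # PAW / jump box addresses
        self.ttl = ttl_seconds
        self.clock = clock      # injectable so the demo can move time forward
        self._passwords = {}    # account -> current password
        self._mfa_seeds = {}    # user -> TOTP seed
        self._checkouts = {}    # account -> Checkout
        self.audit = []         # (event, account, user, source) tuples

    def enroll_user(self, user):
        self._mfa_seeds[user] = seed = secrets.token_bytes(20)
        return seed  # shown to the user once (as a QR code, in practice)

    def enroll_host(self, host):
        self._passwords[account_for(host)] = generate_password()

    def checkout(self, host, user, otp, source_ip):
        account = account_for(host)
        if account not in self._passwords:
            raise KeyError(f"unknown device {host}")  # caller must know the device name
        if source_ip not in self.approved_sources:
            self.audit.append(("DENY_SOURCE", account, user, source_ip))
            raise PermissionError("not from an approved privileged access workstation")
        seed = self._mfa_seeds.get(user)
        if seed is None or not hmac.compare_digest(totp(seed, self.clock()), otp):
            self.audit.append(("DENY_MFA", account, user, source_ip))
            raise PermissionError("second factor failed")
        self._checkouts[account] = Checkout(user, source_ip, self.clock() + self.ttl)
        self.audit.append(("CHECKOUT", account, user, source_ip))
        return self._passwords[account]

    def checkin(self, host, user):
        co = self._checkouts.pop(account_for(host), None)
        if co is None or co.user != user:
            raise PermissionError("no matching checkout")
        self._rotate(account_for(host), "ROTATE_ON_CHECKIN", user)

    def expire_stale(self):
        stale = [a for a, co in self._checkouts.items() if co.expires_at <= self.clock()]
        for account in stale:
            self._rotate(account, "ROTATE_ON_EXPIRY", self._checkouts.pop(account).user)
        return len(stale)

    def _rotate(self, account, reason, user):
        self._passwords[account] = generate_password()  # the old value is now worthless
        self.audit.append((reason, account, user, None))

    def host_authenticates(self, host, password):
        return hmac.compare_digest(self._passwords.get(account_for(host), ""), password)  # what the target host checks

def demo():
    """Checkout, reuse on another host, check-in, and expiry, under a controllable clock."""
    now = [1_700_000_000.0]
    vault = PrivilegedVault({"10.0.9.5"}, ttl_seconds=600, clock=lambda: now[0])
    seed = vault.enroll_user("alice")
    for host in ("SRV01", "SRV02"):
        vault.enroll_host(host)
    result = {}
    try:  # an attacker's machine is not an approved source, even with a valid OTP
        vault.checkout("SRV01", "alice", totp(seed, now[0]), "203.0.113.7")
        result["unapproved_source_denied"] = False
    except PermissionError:
        result["unapproved_source_denied"] = True
    pw = vault.checkout("SRV01", "alice", totp(seed, now[0]), "10.0.9.5")
    result["valid_during_checkout"] = vault.host_authenticates("SRV01", pw)
    result["valid_on_other_host"] = vault.host_authenticates("SRV02", pw)
    vault.checkin("SRV01", "alice")
    result["valid_after_checkin"] = vault.host_authenticates("SRV01", pw)  # a stolen copy is dead
    pw2 = vault.checkout("SRV01", "alice", totp(seed, now[0]), "10.0.9.5")
    now[0] += 601  # the user walks away and the checkout window lapses
    result["expired_count"] = vault.expire_stale()
    result["valid_after_expiry"] = vault.host_authenticates("SRV01", pw2)
    return result
```

Calling `demo()` shows the four properties the text relies on: the source restriction rejects a checkout from an unapproved address even with a correct one-time code, the password for SRV01 does not open SRV02, the credential stops working as soon as it is checked in, and a checkout left open is rotated by `expire_stale()` once its window passes. The `audit` list is what a PAM platform would surface as "who had which account, from where, and when".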
For difficult-to-manage service accounts, organizations can use PAM tools to rotate service account passwords outright, but the risk of breaking the systems that depend on them is high unless the owners of those integrations are part of the rotation process. Most organizations therefore opt for a defense-in-depth approach to service account security: remove interactive logins, use host-based firewalls to restrict the account's reach to the bare minimum of systems, set strong passwords, and monitor diligently for misuse.
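As an added example of the "monitor diligently for misuse" part of that posture (written for this page, not taken from any product), the following Python scans constructed Windows Security event 4624 (successful logon) records for two things a service account should never produce: an interactive or RDP logon (logon types 2, 7, 10, 11), and a logon from a host outside its allow-list. The `svc_` naming prefix, the host names, the allow-list and the sample events are all assumptions; the field names (`TargetUserName`, `LogonType`, `WorkstationName`, `IpAddress`) are the real 4624 fields, but the records here are hand-made JSON, not an export from a live system.

```python
"""Service account logon monitor written for this article (illustrative). Event lines are
constructed to mimic Windows Security event 4624 fields; account names, hosts and the
allow-list are assumptions, not data from any real environment."""
import json

SERVICE_ACCOUNT_PREFIX = "svc_"  # assumed naming convention for service accounts
# Windows logon types that imply a human at a keyboard or an RDP session
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Assumed allow-list: the only hosts each service account should ever authenticate from
ALLOWED_SOURCES = {
    "svc_backup": {"BKP01", "BKP02"},
    "svc_sql": {"SQL01"},
}

# Constructed sample events, one JSON object per line, modelled on 4624/4625 fields
SAMPLE_LOG = """\
{"TimeCreated": "2024-03-01T02:00:11Z", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "WorkstationName": "BKP01", "IpAddress": "-"}
{"TimeCreated": "2024-03-01T02:00:40Z", "EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "WorkstationName": "SQL01", "IpAddress": "10.0.4.10"}
{"TimeCreated": "2024-03-01T09:14:03Z", "EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2, "WorkstationName": "WS-JDOE", "IpAddress": "-"}
{"TimeCreated": "2024-03-01T09:21:57Z", "EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "WorkstationName": "WS-JDOE", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-03-01T09:23:12Z", "EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "WorkstationName": "WS-JDOE", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2024-03-01T09:25:00Z", "EventID": 4625, "TargetUserName": "svc_sql", "LogonType": 3, "WorkstationName": "WS-JDOE", "IpAddress": "10.0.5.23"}
"""


def is_service_account(name):
    return name.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def evaluate(event):
    """Return the alert reasons for one successful-logon event (empty list if benign)."""
    if event.get("EventID") != 4624 or not is_service_account(event.get("TargetUserName", "")):
        return []
    reasons = []
    logon_type = int(event.get("LogonType", 0))
    if logon_type in INTERACTIVE_LOGON_TYPES:
        reasons.append(f"interactive logon ({INTERACTIVE_LOGON_TYPES[logon_type]}) by a service account")
    allowed = ALLOWED_SOURCES.get(event["TargetUserName"])
    if allowed is not None and event.get("WorkstationName") not in allowed:
        reasons.append(f"logon from unexpected host {event.get('WorkstationName')}")
    return reasons


def scan(log_text):
    """Parse one JSON event per line and collect alerts; malformed lines are counted, not silently dropped."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        for reason in evaluate(event):
            alerts.append({"time": event.get("TimeCreated"), "account": event.get("TargetUserName"),
                           "host": event.get("WorkstationName"), "source_ip": event.get("IpAddress"),
                           "reason": reason})
    return alerts, malformed


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['account']}@{a['host']} from {a['source_ip']}: {a['reason']}")
    print(f"{len(found)} alert(s), {bad} malformed line(s)")
```

Run against the sample, the scanner stays quiet for the backup agent's service logon (type 5) on BKP01 and the SQL account's network logon (type 3) from SQL01, ignores the human user `jdoe`, and raises three alerts: an RDP logon by `svc_backup` on a user workstation (which also trips the allow-list), and a network logon by `svc_sql` from that same workstation, the pattern you would expect if someone had harvested the service credential and was moving laterally. The trailing 4625 (failed logon) is deliberately left to a separate rule; a burst of 4625s for a service account is a different signal and is usually counted rather than alerted on per event.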
Privileged access management can help organizations manage risk, making it harder for attackers — internal and external — to get high-level access to critical network and data assets. PAM provides the monitoring and the granular controls necessary to discover all of an organization's privileged users along with detailed visibility into how the powerful accounts they access are being used. Key benefits of a robust PAM program include:
The sprawl of privileged accounts over time, without proper security guardrails, exposes today's enterprises to significant risks, including the spread of malware, the compromise of networked devices and the loss of mission-critical data, with potentially catastrophic reputational or regulatory consequences. A proper privileged access management approach that combines thoughtful security policies and strategies with specific PAM technologies is a critical piece of an organization's overall information security arsenal.