Reducing risk with Privileged Access Management
IAM (Identity and Access Management) has become a high-priority issue for many companies. IAM is the process of ensuring that everyone has the right access, at any time, within and to the company, in order to prevent unauthorized people (hackers) from getting access to your systems. Privileged access in particular needs extra attention, as it is often taken advantage of in cyber attacks. Modern PAM (Privileged Access Management) tools can be very effective solutions and are therefore one of our top recommendations for any company.
However, there is a common challenge that makes privileged access management difficult: a lack of clarity about how and by whom an account was created and what it is used for. In the not-so-distant past, system access was not always properly managed, so many accounts that were created a long time ago have survived. Another example: where several parties are involved in system management, no one has a comprehensive view of the accounts, and some accounts are not covered by any management.
Where this really becomes an issue is in the management of service accounts (machine identities) and platform/infrastructure system accounts. These are often treated as untouchable because they are not clearly understood and are considered to be part of a technical process. We often hear: "Do not touch this account, because we are unsure whether the application/server will keep functioning."
Without validating the usage of all privileged accounts, you will not be able to implement the PAM tool correctly, and even if you can do so partially, you cannot properly mitigate the risk. In fact, we see companies in industry that have excellent security controls, including a PAM tool, but still have several privileged accounts that are not managed by the PAM tool. In our opinion, this will lead to a critical pitfall.
So what can you do about such a problem? Unfortunately, in most cases there is no quick solution. You often need to investigate and/or test the need for each undocumented privileged account one by one. One piece of advice is certain: you must not leave the issue untouched. If you ignore these accounts, the other security controls may be bypassed. If you really struggle to justify an account, at least share the risk with management through your risk management process, so that investment in further investigation may be accelerated.
Once you complete the clean-up, it is important to implement a sustainable management process. A PAM tool is a great option, but if you do not have the budget yet, you have to ensure that all access is periodically reviewed by the appropriate people.
If you need any assistance or have any questions regarding IAM or cybersecurity within your company, please don’t hesitate to contact us.