The Biggest Privileged Account Management (PAM) Challenges that Organizations Face
Toeing the line between employee access and company cybersecurity is a tricky thing to do. But don't fret, we've got some tips to help shore up your security policy.
Privileged account management is a key part of an organization's overall security. These accounts need to access sensitive data and systems, which means that they present significant vulnerabilities that insider threats or outside attackers can take advantage of.
There are many challenges involved in managing privileged accounts, simply because there is so much more at stake than regular user accounts. There is a complex balance between security and ease of access, with organizations needing to implement adequate infrastructure and a cohesive security policy in order to maintain a safe and productive environment.
Some of the main issues that companies face include how to deal with password management, managing access in a dynamic environment, effective monitoring, finding scalable account management solutions, creating a balanced security system, and meeting various regulations. With the right tools and an intelligently planned policy, most of these issues can be managed effectively.
Users hate passwords. Between work, banks, email, social media, and a myriad of other memberships, most of us probably have dozens of accounts. Of course, the passwords for these should all be different, but the reality is that many people use the same passwords over and over for simplicity’s sake. This is a huge security issue.
When it comes to Privileged Account Management (PAM), having secure and unknown passwords is critical. Imagine if an admin had their Hotmail account hacked and they used the same password for their privileged account. Access could easily fall into the wrong hands and a company’s systems and data would be vulnerable.
Due to the immense power held by privileged accounts, password security needs to be held to a high standard. Privileged password management systems should change passwords to random values at set intervals. These passwords need to be stored and encrypted, then only disclosed to admins or programs when they are required.
Privileged password management systems are complex and present many challenges to organizations. They require infrastructure and policies that regularly change passwords, authenticate privileged users, control access, and provide encryption, all with an auditable trail for monitoring and compliance purposes.
The power that lies inside privileged accounts requires them to be strictly controlled. It’s important for minimizing the risk of catastrophic security breaches that result from insider threats or external actors. Users should only be given privileged access to the systems and data that they need, and only when they need it. Allowing any more freedom significantly increases a company’s risks.
An important part of Privileged Account Management (PAM) is to be aware of an employee’s role and any changes that occur over time. Organizations need to develop a dynamic system that allows quick augmentations of access when necessary, but also the removal of access when it is no longer required. It is especially important to strip privileges from former employees, particularly if they have been fired and could be disgruntled. Contractors are another type of employee whose access needs to be taken away when they have finished their jobs.
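The access review described above can be run as a reconciliation of privileged grants against the HR roster. This is an added example, not code from the original article; the roster, role policy, grant records and the `review_grants` function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR roster and privileged grants (all names hypothetical).
ROSTER = {
    "alice": {"status": "active", "role": "dba"},
    "bob": {"status": "terminated", "role": "sysadmin"},
    "carol": {"status": "contract_ended", "role": "dba"},
    "dave": {"status": "active", "role": "sysadmin"},
}
# Systems each role needs privileged access to (assumed policy).
ROLE_SYSTEMS = {
    "dba": {"orders-db", "billing-db"},
    "sysadmin": {"web-01", "orders-db"},
}
GRANTS = [
    {"user": "alice", "system": "orders-db", "expires": date(2030, 1, 1)},
    {"user": "alice", "system": "web-01", "expires": date(2030, 1, 1)},
    {"user": "bob", "system": "web-01", "expires": date(2030, 1, 1)},
    {"user": "carol", "system": "billing-db", "expires": date(2030, 1, 1)},
    {"user": "dave", "system": "orders-db", "expires": date(2020, 1, 1)},
    {"user": "erin", "system": "web-01", "expires": date(2030, 1, 1)},
]


def review_grants(grants, roster, role_systems, today):
    """Return (user, system, reason) for every grant that should be revoked."""
    findings = []
    for g in grants:
        person = roster.get(g["user"])
        if person is None:
            reason = "no roster entry"            # orphaned account
        elif person["status"] != "active":
            reason = "user is " + person["status"]  # leaver or finished contractor
        elif g["system"] not in role_systems.get(person["role"], set()):
            reason = "outside role " + person["role"]  # more access than the role needs
        elif g["expires"] <= today:
            reason = "grant expired"              # access was only needed for a while
        else:
            continue
        findings.append((g["user"], g["system"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_grants(GRANTS, ROSTER, ROLE_SYSTEMS, date(2025, 1, 1)):
        print(finding)
```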
Monitoring and Auditing
Privileged Account Management (PAM) systems require rigorous monitoring and auditing in order to detect any potential issues. This is a huge logistical challenge for organizations and if it isn’t done correctly, privileged users can cause immense damage without being detected.
Companies need to monitor privileged access to all databases and files. They also need to be attentive to newly created accounts, as well as when new privileges are granted. Active monitoring systems should be in place so that when irregular use is detected, an alarm is raised and any unauthorized access is blocked. Suspected users should have their privileges quarantined while the situation is thoroughly reviewed. This kind of monitoring system can catch serious breaches as they are occurring and prevent fallout for the company.
A comprehensive logging system is important for audits as well as meeting various regulations. Keeping records of which users accessed sensitive files, and at what time, is a key attribute of any good Privileged Account Management (PAM) system. In the case of any serious issue, this information can be used to track down the culprit.
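The monitoring rules above (alert on new accounts and new privileges, block and quarantine on irregular use, keep a who-and-when trail) can be sketched as a replay over audit events. This is an added example, not code from the original article; the event format, the `monitor` function and the "resource not seen during the baseline window" definition of irregular use are assumptions.

```python
from collections import defaultdict

# Constructed audit events, oldest first (all users and resources hypothetical).
EVENTS = [
    {"ts": "2024-05-01T09:00", "actor": "alice", "action": "access", "target": "orders-db"},
    {"ts": "2024-05-02T09:05", "actor": "alice", "action": "access", "target": "orders-db"},
    {"ts": "2024-05-02T10:00", "actor": "bob", "action": "access", "target": "web-01"},
    {"ts": "2024-05-03T02:10", "actor": "bob", "action": "account_created", "target": "svc-tmp"},
    {"ts": "2024-05-03T02:11", "actor": "bob", "action": "privilege_granted", "target": "svc-tmp"},
    {"ts": "2024-05-03T02:15", "actor": "svc-tmp", "action": "access", "target": "billing-db"},
    {"ts": "2024-05-03T02:16", "actor": "svc-tmp", "action": "access", "target": "orders-db"},
    {"ts": "2024-05-03T09:00", "actor": "alice", "action": "access", "target": "orders-db"},
]
ALWAYS_ALERT = {"account_created", "privilege_granted"}


def monitor(events, baseline_until):
    """Replay events; return (alerts, quarantined users, audit trail per target)."""
    baseline = defaultdict(set)   # actor -> resources used during the baseline window
    trail = defaultdict(list)     # target -> [(ts, actor)] of allowed accesses
    alerts, quarantined = [], set()
    for e in events:
        actor, action, target = e["actor"], e["action"], e["target"]
        if actor in quarantined:
            # Quarantined privileges stay blocked until a human review clears them.
            alerts.append((e["ts"], actor, "blocked: " + action + " " + target))
            continue
        if action in ALWAYS_ALERT:
            alerts.append((e["ts"], actor, action + " " + target))
        elif action == "access":
            # ISO-8601 timestamps in one format compare correctly as strings.
            if e["ts"] < baseline_until:
                baseline[actor].add(target)
            elif target not in baseline[actor]:
                alerts.append((e["ts"], actor, "irregular access " + target))
                quarantined.add(actor)
                continue
            trail[target].append((e["ts"], actor))
    return alerts, quarantined, dict(trail)
```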
Another common problem that organizations face is the scalability of their privileged account management systems. This is a particular concern for rapidly expanding companies whose systems struggle to keep up with growth.
In smaller organizations, credentials can often be monitored and managed manually. This is simply not practical for a large company, particularly if they use virtualization. The complex structures of large organizations can often lead to unorganized and insecure PAM systems where access isn’t restricted to the essential systems for any given task. Of course, such a haphazard system leaves a company immensely vulnerable.
The best way to manage privileged access at scale is to use automated tools. These help by giving transparency to account management and they monitor what is going on in real time. Because of this, automated tools make it much easier for organizations to identify any potential access management issues.
Balancing Simplicity With Security
It would be great if we lived in a world where we could leave our doors unlocked and allow anyone to come in as they please. Despite the general good nature of people, there are certain individuals who would take advantage of the situation and pocket any valuables they saw. Network security is no different. In order to keep our systems and our data safe, we have to restrict access to keep out unscrupulous people. While PAM gives us the security we need, it also adds an extra layer of complexity to our systems.
Managing privileged account access takes up precious time: creating accounts, granting access and taking it away when it isn’t needed, as well as behind-the-scenes administration. It also causes delays for users, both in the time it takes to enter their credentials and in sometimes being locked out of systems that they need.
Finding the balance between ease of access and good security can be difficult for organizations. One of the most effective ways for companies to keep safe without sacrificing too much ease of access is to implement automated management programs.
Compliance with the various sets of regulations is often a huge challenge for organizations. The specific requirements vary between industries and individual situations, but companies may find themselves having to meet a mixture of HIPAA, FFIEC, PCI DSS, SOX, BASEL III, FISMA and other standards. Privileged accounts tend to be highly regulated because of their access to sensitive information and integral systems.
One example of PAM-related regulation is Section 10 of the PCI DSS. Organizations need to “establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” Further on in Section 10, the regulations also state that audit trails of privileged user actions need to be automated. Meeting these standards ensures that companies are able to monitor and log the activity of privileged accounts, enabling them to identify any potential misuse.
The FFIEC guidelines also cover PAM, stating that “privileged access should be tightly controlled.” The guidelines go on to state that organizations should follow similar practices to those that were also mentioned in the PCI DSS.
Although meeting compliance standards is an arduous task for companies, simply box-checking against PAM regulations is not enough to keep systems safe and reduce insider threats. Compliance needs to be an integrated part of a thorough security plan that goes above and beyond standards where necessary.
Surmounting Privileged Account Management Challenges
Privileged accounts present obvious complications to companies. These all-powerful accounts are capable of bringing a company to its knees if they aren’t managed effectively. Security needs to be tight and accounts need to be actively monitored in order to keep systems safe from both external cyber criminals and insider threats. Organizations need to take care in managing these accounts sensibly. It should be done in a way that gives them the security they need, without grinding business to a halt by forcing users to jump through needless hoops every time they want to open up Excel.
One of the most effective methods for managing privileged account access is through security software that automates and streamlines processes.
Published at DZone with permission of Oliver Bock. See the original article here.