1 Introduction
The operation and management of IT applications and infrastructure depends upon privileged access needed to configure, operate, and maintain the components. This requires access to data as well as components and functions of the systems that are not available to normal users. To enable this access, IT systems, applications, and middleware provide built in accounts with the enhanced access needed. These are usually referred to as ‘privileged accounts. It is essential that these accounts - and their use - are carefully managed.
In addition, there are now also business users with privileged access to sensitive data and information assets such as HR records, payroll details, financial information, or intellectual property, as well as social media accounts. These include employees working on special projects, as well as developers building applications and third-party contract workers. With the drive towards digital transformation, organizations have seen the number of privilege users multiply as new types IT service delivery such a cloud services and new activities such as DevOps need access to privileged accounts.
While these accounts are essential, they can be misused, and their misuse can have a high impact. Therefore, with privilege comes a greater need for trust; it is essential that steps are taken to assure this trust. Abuses of privilege can occur through malice, misuse, or mistake: malicious abuse includes theft and criminal activities; misuse includes unauthorised access through curiosity in contravention of privacy laws; mistakes can lead to damage even without malicious intent.
Importantly, cyber-adversaries regularly target privileged accounts because these provide a route that allows them to take control over systems and gives unrestricted access to data.
Organizations must take steps to control the use of these privileged accounts. Recommendations include implementing the Principle of Least Privilege to ensure that both people and system components are only be given the minimum access necessary to perform their job. Avoid the use of shared accounts - many systems provide only a single privileged account – making it difficult to control and trace who did what. One way to control the use of shared accounts is to use tools that keep passwords to these accounts in a vault and that only release them as needed. Implement Segregation of Duties - for example, the administrator who makes a change should not be the same person who requests and approves it. Implement Strong Authentication for privileged accounts to make it more difficult for cyber-criminals to gain privileged access and to provide extra assurance over the identity of the administrator using it. Carefully monitor privileged account activity to assure trust in the way the accounts are used and act when abnormal activity is detected.
Privileged Access Management (PAM) solutions provide critical cybersecurity controls that help organizations to address the security risks associated with the use of privileged access by implementing the recommendations described above.