13 years ago a CISO told me that he plans to rotate the credentials of privileged accounts every day to prevent risks. Was that a good strategy? Even until today we all use password authentication and do password rotation because that way we will become more secure, more compliant, and even better people, right? Wrong. Why? And I have to apologize: in this session, I will break some fantasies that some of you have or had about PAM solutions or in general about rotating credentials. So the truth is: first, technically some credentials cannot be changed, ever.
Second, in some cases, changing or rotating credentials of privileged accounts, or credentials in general, does not even improve security. And third, changing some credentials might get you into trouble.
So hello everyone. I'm Iran effective it. I began my journey in privileged access management 15 years ago in one of the PAM security vendors; I did many PAM deployments. But in the last five years, as an independent advisor, I have helped my customers to maximize their PAM security effectiveness.
And in the last couple of years I've been researching this topic of credential rotation and how effective it is, because I was extremely curious to know the truth behind it and to understand the effectiveness. And thanks to my customers and amazing colleagues, I've reached some very interesting conclusions that I'm going to share with you today.
That was the actual first question that was interesting for me, and we'll discuss that. But more importantly, this question was something that was bothering me related to privileged credentials.
Now I will touch this annoying question, by the way, through three examples of identities, which I consider the most important. And through these examples I will emphasize the importance of the statements I mentioned earlier and support my claim that credential rotation should not be your first move. Okay? So let's begin with our personal identities, what you guys know as workforce accounts. So each one of us has a personal account and its related username and password, whether we are employees of the company or external suppliers.
And as such, as we are required, we change those credentials as they expire, right? But why do we need to discuss them? They're personal, not privileged. Well, actually some of them are extremely privileged, depending on the role that person has within the company. So companies have different password expiration policies: 90 days, 60 days, 30 days. And by the way, a quick survey, because we are an intimate crowd here, audience: which of your organizations are using a password expiration of 90 days? 60 days?
Who has 30 days?
Okay, so I saw one for 30 days. Those who raised their hand for 90 days are probably feeling a little bit uncomfortable now, and will probably fix it tomorrow morning, right? Actually there is no need, because how effective is it really to rotate those accounts, those password expirations, while attackers will eventually gain access to your passwords, okay?
And today, cracking a password can take only a matter of minutes, or even faster in some cases. So what organizations will do to reduce the risk: they will reduce the password expiration from 90 to 60 or to 30 days, right? But this causes other issues: employee frustration, which leads to choosing weak passwords and easy-to-remember passwords that the bad guys already have on their list. So I think the bottom line about our personal identities is that the conventional way of rotating accounts is really ineffective and probably also insecure eventually.
So the solution is well known. I'm not going to drill down, because you already heard at least once about MFA and passwordless in this event. So it's a great solution for workforce accounts, right? Everybody is using it today to mitigate the risk and to improve workforce productivity, which is great. But can we use MFA and passwordless also for privileged accounts and get rid of password rotation? So when it comes to privileged accounts, we have many in IT infrastructure.
I mean we have many system and application accounts that are related to systems and devices which are legacy systems. And in most of them we are still required, or even must, use password authentication. So what do we do with that? And especially what do we do when it's related to privileged accounts? Now, why are they important? It's day three, right?
So after three days, you know what a privileged account is: they're the most targeted. It's a fact.
So what do we do? What do we need to do? How do we solve this issue? So I will distinguish between two types of privileged accounts, human and machine accounts, and we will see what practices we can apply. We will start with human accounts. Take John for example, an IT admin who obviously has high privileges due to a local or directory group membership. Now should we treat him differently than other employees? Absolutely, he's privileged. But can we apply MFA or passwordless?
Well, as we see, not always, due to the legacy systems that we have. So what should we do? The common practice is to use PAM.
So there is this fantasy about PAM, that what they do is reduce John's permissions. John used to be an admin with all the admin rights, right? They downgrade his permissions to a standard user, and then we have another John on the other side. But it's actually a different user, John-admin, who is inside PAM.
So great, now we have two users instead of one. Now what about password rotation here? On this side, for John, we can all agree that we can and must use passwordless and MFA. That's fine. But on the other side, look what's written here. Can anyone read it? In red: password authentication. This means that PAM solutions don't get rid of passwords. There is a misperception of what PAM tools do. They just move the password to the backstage.
Yes, they are kept within a highly secure vault. Absolutely, but they are there. They must be rotated. But can they be rotated? What is the frequency? How often, and is it effective? Remember the CISO that I mentioned? This is what he suggested. Has anyone tried that?
No. Really? Am I the only one?
Oh my god, okay. If you try that, you're about to have at least two surprises. Surprise number one: I tried that at one of my customers because the director of security requested it. He said, this is how I'm going to solve all password rotation: we'll do it every day. And what happened? We failed. Why? So we checked the configuration, everything seemed to be okay. I was professional services back then. Everything seemed to be okay. The network was not blocking anything.
I don't know if you guys know, but the PAM tools, how they manage the account and rotate it, they do it remotely; it's an agentless solution. They connect through the network to the target devices and try to rotate the account using native protocols, SSH, WMI and such. Everything was okay, but after some time of troubleshooting we found out that, hey, the GPO was preventing us from changing the password. So apparently many organizations don't even allow a password change so often, right? Are you familiar with this?
Okay, cool. So I'm not the only one.
So what did we do? We said to the management, okay, it's impossible to change passwords; can we change the group policy settings in the organization? Good luck with that. Actually in one customer we did solve it. The customer had a great solution.
Joon, go ahead, you're the messenger. Go to the management and ask them to change it.
You're the guy from Israel, you can convince them, you probably can do that. And I said, okay, I will leave. I want you to be successful. One time we did succeed, and the other one, no, we couldn't change the password every day. Another example from another customer: the PAM tool worked great, really. Now no GPO was blocking and the password change was successful. So we said, great, let's change the password every day. Now it worked perfectly, but it took only a couple of days until I started to receive phone calls about accounts being locked out.
The John-admin types. And I said, how did this happen? Everything should work well.
It appears that when an RDP session is open and you run a password change activity, the user gets locked out. The user account is really locked out. It's a natural behavior of Microsoft. So if you try to rotate the accounts at a high frequency, think how many accounts you will have locked out in your organization. So it might not work for you. Still, okay?
I do recommend using PAM in this case, because it's better to be with it than without it. Still, with PAM you store the highest privileged credentials within a vault, within a secure place, which makes it very difficult for the attackers to get inside, okay? But as long as you do this, you enforce session isolation, which means that John over here will not be able to copy-paste. There is a capability that you can block copying and pasting the password outside of the PAM tool and use only session isolation.
This means that John here will never get the password to his station, and neither will an attacker.
And we are not done yet. We still have one more thing to discuss: machine accounts, or as many are familiar with the term, application accounts. They are in many places; many applications require high privileges just to launch and execute, or even to access sensitive information or target resources. Let's see what some CISOs told me about, or what opinions they have about, machine accounts, or more accurately why they don't handle them.
The first said: I don't consider them privileged, they just do something in the background, running some job. Privileged accounts are our domain admins, Linux root accounts. I see some faces smiling. And Linux accounts I do manage and also manage to rotate. I secured them.
The second: first things first. I just started my PAM program a few years ago and I'm familiar with machine accounts, but I will look into it when my PAM program becomes more mature.
And the last one says: changing privileged accounts of machine accounts? Are you crazy? This will shut down my business. I'm not touching it. By the way, which of these personas are you? Think about it. But on the other side of the moon, what do attackers think about privileged machine accounts? They know that they exist in many places, both on-prem and in the cloud.
They know that many of them are extremely privileged, and they know, come on, who is really rotating machine accounts or application accounts? So what an amazing greenfield for attackers, right? Don't you agree?
Great. So why not rotate the machine accounts every day, right? We need them to be on the move. We need them to be rotated all the time. That's how we'll be compliant and secure. Actually there is a problem. And that's because, and this is a diagram which explains at a higher level how application accounts work: we have an Active Directory with the master account.
They call it app. The thing with application accounts is that they are linked to and used by target applications. So it means that if I rotate the master account here, I need to immediately update all the usages. Okay? This is a strict rule. Now for some applications it'll work fine, but for others, no, because not every application is designed for it. Think about a business-critical application which is in the middle of something, okay? It's updating its database, for example. And then someone comes and rotates the password. Not all of them are designed to handle a sudden credential change.
So no password rotation here, forget about it? Actually PAM tools can assist here. They can automate this task for you: rotate the master account and then push the password to all of the dependencies.
Still, as you can imagine, this method by itself is too risky, because even after a successful password rotation, who promises me that the application will still work, right, on the next launch? These are screens of an application where everything is automated and scheduled. So you might have downtime. That's why you need to plan it. That's why you need to really put it at a high severity. So that's one reason why PAM could not do the work in some cases.
Second, what about unknown dependencies? Someone decided to use a domain user in a script and forgot to tell you. Obviously, when you rotate the account, something will break at a certain point in time. So when it comes to machine accounts, as you can see, rotating their credentials might get you into trouble.
So aren't there any alternatives to password rotation? Yes, there are, and I will get to it. But regardless of what you choose to do: first, don't ignore them; research and discover them. This is, I think, the most important thing to do. And then, don't postpone handling them.
Put them in your plans from the start, in your PAM strategy plan, and prioritize them. And third, of course, protect them, at least the most critical ones.
Of course, right after you discover them and prioritize them, you'll be able to also protect them. How to protect them without password rotation? First, immediately start monitoring, tomorrow morning. That's my number one recommendation for you. Even with a SIEM tool, whatever you've got, monitor them: any creation of a service account or application account, any execution, even REST API calls. You have the server, you have a client that uses REST API calls; that client has a token, an OAuth token. Monitor the REST API call, the HTTPS call, and try to understand what these guys are doing.
But an even better approach: use tools and solutions. They exist; they're able to monitor and block. They identify, leveraging AI technologies, and they can really identify the behavior of machine identities. And if they identify suspicious behavior of these identities, they block the access automatically.
So how should we conclude? Should we rotate passwords or not?
And the answer is: rotating some credentials might be impossible, ineffective and insecure. For the personal identities of the workforce, you can use MFA and passwordless.
They provide a much better and safer approach and they're relatively easy to implement. For those privileged personal accounts, the human accounts, use PAM, but take into account all the surprises that you might have to handle. And of course, as long as you use session isolation; this is a must. And last but not least, machine accounts: PAM would be risky. Rotating the accounts of these guys will be too risky.
First, discover them; that's the most important part. Be aware of them. Second, plan to handle them from day one. And third, use tools that are able to monitor them, or even better are able to block them, and leverage AI technologies to handle machine accounts. Before we move on to questions: if you are interested to hear more about how to discover and prioritize your privileged accounts in general or machine accounts, or to hear about more surprises that you will have to handle during a PAM deployment, or how to maximize your existing PAM deployment, come talk to me.
I'm here this evening and even tomorrow morning before my flight back.
And I guess this is time for questions.
Thank you so much.
Thank you.
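The talk's recommendation for machine accounts is to monitor them first, ideally with a learning period before any blocking. The following added example (not from the talk or any vendor product) shows what that baseline-then-detect logic looks like over constructed Windows Security event records; the `svc_` naming convention, host names and account names are assumptions for the example.

```python
"""Baseline-then-detect monitor for service (machine) accounts.

Added example; the event records below are constructed, not real logs.
Event IDs are the standard Windows Security ones: 4720 account created,
4624 successful logon, 4740 account locked out. Logon type 5 = service,
4 = batch, 10 = RDP (RemoteInteractive)."""
from collections import defaultdict

SERVICE_PREFIX = "svc_"  # assumed naming convention for service accounts

# Constructed learning window: what "normal" looks like for the svc_ accounts.
LEARNING_EVENTS = [
    {"EventID": 4624, "Account": "svc_oracle", "Host": "APP01", "LogonType": 5},
    {"EventID": 4624, "Account": "svc_oracle", "Host": "APP01", "LogonType": 5},
    {"EventID": 4624, "Account": "svc_backup", "Host": "FS01", "LogonType": 4},
    {"EventID": 4624, "Account": "jdoe", "Host": "WS17", "LogonType": 10},
]
# Constructed detection window: one normal logon plus three things to flag.
DETECTION_EVENTS = [
    {"EventID": 4624, "Account": "svc_oracle", "Host": "APP01", "LogonType": 5},
    {"EventID": 4624, "Account": "svc_oracle", "Host": "WS42", "LogonType": 10},
    {"EventID": 4720, "Account": "svc_newjob", "Host": "DC01", "LogonType": None},
    {"EventID": 4740, "Account": "svc_backup", "Host": "DC01", "LogonType": None},
    {"EventID": 4624, "Account": "jdoe", "Host": "WS42", "LogonType": 10},
]


def is_service_account(name):
    return name.lower().startswith(SERVICE_PREFIX)


def learn_baseline(events):
    """Learning mode: record (host, logon type) pairs each service account normally uses."""
    baseline = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and is_service_account(e["Account"]):
            baseline[e["Account"]].add((e["Host"], e["LogonType"]))
    return baseline


def detect(events, baseline):
    """Return (account, reason) findings; human accounts are out of scope here."""
    findings = []
    for e in events:
        acct = e["Account"]
        if not is_service_account(acct):
            continue
        if e["EventID"] == 4720:
            findings.append((acct, "new service account created on %s" % e["Host"]))
        elif e["EventID"] == 4740:
            # Lockouts after rotation are the side effect the talk describes.
            findings.append((acct, "service account locked out, check rotation or stale credential"))
        elif e["EventID"] == 4624:
            key = (e["Host"], e["LogonType"])
            if key not in baseline.get(acct, set()):
                findings.append((acct, "logon type %s from %s not seen in learning window"
                                 % (e["LogonType"], e["Host"])))
    return findings


if __name__ == "__main__":
    for account, reason in detect(DETECTION_EVENTS, learn_baseline(LEARNING_EVENTS)):
        print(account, reason)
```

Run as-is it reports the RDP logon of svc_oracle from a workstation, the newly created svc_newjob, and the svc_backup lockout, and stays silent on the human account jdoe.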
Do we have any questions from the audience? No? Okay. Well, if you do think of some, you can, as you said, pop over to the stand, or if you're too shy about asking them in public... ah, there's a yes.
For blocking access.
Do you have any statistics or any idea of how many tools products you get?
Well, I have not, but I suggest, at least if you start using this tool, at least start with the monitoring part, because they have a learning mode so you can learn about your organization. So that's the first. By the way, for every tool or every vendor that declares, yeah, I do automatic detection of anomalies and I can block: start from a learning period.
Okay, so that's my recommendation.
One more at the back.
Yeah, yeah. One more question. Hang on.
Show the service account, but how do you handle this: group managed service accounts?
What do you mean?
Microsoft service? Inside service.
Okay. So
Years ago, but not every service supports it, but if you look at SQL Server, for example, normally you can use it, like we already have a highest secure
Yeah, group managed service accounts are something relatively new, but it does not cover the whole topic of application accounts. You're right for that area.
It covers, when I talk about application accounts, I will give you an example. Okay. One customer, they said to me, Joran, there is an application account, we want to change it. Okay?
And I asked, what's the nature of this account? They said it's related to an Oracle database.
Okay, great. So where is it? It's running as a Windows service on that Windows machine.
Okay, can I rotate it? Yeah, of course, go ahead. And I said, wait a minute, let me talk to the DBAs, because that Windows machine connects to the DB. So I went to speak with the DBA guys and I said, hey guys, I'm going to rotate that account, is that fine? And they said, no way, don't touch it.
I said, why is that? Rotating, restarting the service, the service account? He said, listen, if you change that password, you need to update it in the Oracle database. There is a registry inside the database that you need to push a line to through the command line and update the database registry.
So I was a very young PAM implementer in professional services. So I called the experts in Israel and they said, yeah, yeah, that's not a problem. Actually, after we rotate a service account, we can also run a command line that will push a registry entry into the database. So I went back to the DBA team, the Oracle team, and I said, that's not enough because we have an active/passive database. What about the passive database? And I said, okay, so we need to update that as well.
Yeah, yeah, of course. So think about service accounts, or service application accounts.
In some cases it might be like, I use the analogy of air travel with multiple connecting flights. The more connecting flights you have in between, the more risk there is. If one connecting flight gets canceled or gets stuck, it's a chain reaction. Okay? So that's what I mean when there are multiple dependencies, not just Windows services.
But if I need to change that master account, then I need to update the database, the failover database, which is in passive mode. By the way, we could not connect to that database because it's in passive mode. We had to restart it, change the password, update the third connecting flight, and then switch it off. Think about all the complexity that we had along the way and all the risks. That's why I'm saying that rotating accounts in some cases will get you into trouble.
Okay, thank you very much. Thank you.
Thank you. We have to move on.
Thank you.