Privileged Access Security (PAM)
While cyberattacks and malware make headlines, one of the biggest security threats companies face comes from trusted users with privileged access to sensitive data. Many companies report that internal attacks are becoming more frequent and that they feel vulnerable to them.
by Eloise Gruber
Security of persistently privileged accounts
When it comes to security, one of the basic principles is to provide access with as few privileges as possible in order to reduce its attack surface. Permissions are therefore assigned for specific purposes. However, this foundation is easily forgotten for permanent privileges. Persistently privileged accounts represent always-on access, even when not needed, providing an operational attack surface for hackers.
Using accounts with permanent privileges is very common. Many companies assign accounts with privileges to all administrators, mistakenly believing that they need unlimited access to everything to do their jobs efficiently. These accounts often include access to more systems than necessary and are always available for use, thus derogating from the principle of least privilege.
What is a just-in-time authorization?
A “just-in-time” authorization model is, as the name suggests, a “just-in-time” authorization. The latter reduces the attack surface because permissions are enabled only when the user needs them.
When a user needs to perform an activity that requires high permission, they make a request describing the nature of the task and the resources they need to accomplish it. If the request is approved, it receives a temporary identity with just enough privileges to complete the task. After the task completes, the identity is disabled or deleted.
However, it is important to know that not all temporary access solutions completely reduce the attack surface. Some providers create accounts that are provided to users upon request. However, these accounts remain active after use, with all their permissions intact, instead of being disabled or deleted.
Why are just-in-time permissions important to your organization?
These temporary permissions offer multiple advantages such as:
Stronger cybersecurity. Just-in-time permissions significantly reduce the risk of credential theft by hackers. They reduce the risk of malicious or negligent misuse of credentials by account owners.
Simplified administration. Privileged account management is made easier and allows administrators to quickly access the resources they need while eliminating all management tasks associated with persistent accounts such as frequent password changes.
Increased compliance. The principle of least privilege as well as the control of privileged accounts are requirements described in the regulations in order to prove the compliance of the company. Auditors pay close attention to these points and deficiencies can lead to heavy fines.
What approach should be taken with privileged accounts?
As part of your organization’s ongoing risk management and data security strategy, you should strive to achieve the goal of zero permanent privileges. Eliminating “permanent” privileged access ensures that systems and data are only accessible when there is a valid reason to access them.
However, your approach should be the one that best balances your company’s security, risk, and operational goals. Here are 3 different approaches:
Elevation of temporary rights: A user’s account is granted additional permissions for a limited time. At the end of this period, the additional access is revoked.
Vault: One or more permanent privileged accounts are created and their credentials are stored in a central vault. Users must provide a justification when requesting to use one of these accounts to access specific systems for a set period of time.
Zero permanent privilege for zero risk: here, there are no permanent privileged accounts. Instead, temporary privileged accounts are activated or created based on specific needs. They are then destroyed or deactivated after use. Privileged access must be requested for the time necessary to complete the task. If the request is approved, access is granted. After the task is complete, access is revoked.
In summary, the zero permanent privilege allows:
– Segregation of duties: no user or device should have full access to all IT resources. Users and devices can only access the resources they need.
– Micro-segmentation: the IT environment must be divided into different security zones that require separate permissions.
– “Just-in-time” access: users and devices only get privileged access when necessary and for the fixed period.
– Audit and follow-up: a log is kept for each high access request, to know if this access has been granted and when it has been revoked.
How can Netwrix SbPAM help you?
Netwrix SbPAM eliminates permanent privileges. With this software solution, you can create just-in-time accounts with just enough privileges to complete your task and then delete the account. Therefore, there is no user account with permanent privileges that hackers could compromise.
Netwrix SbPAM is the only PAM solution on the market that offers the destruction of privileged accounts after their use.
Netwrix SbPAM helps you:
Reduce security risks related to privileged access: You can completely eliminate persistent privileges and choose to elevate user access permissions for an existing account just enough to perform a required task and revoke those additional rights automatically later.
Regain control of privileged accounts: Know exactly who has access to critical systems by minimizing high access and maintain a least-privileged access state to keep identity security risks low.
Strengthen administrator accountability: See exactly what privileged activity is taking place on your systems with live or retrospective session monitoring.
Protect your service accounts by rotating their passwords from one place: Receive an alert if the process is interrupted so you can pause it and undo unwanted changes.
Ask for a demo or a free trial at email@example.com, a few minutes will be enough to convince you of the richness of this PAM solution.