An approach towards effective Password and Privilege Access Management
Written by Ryan Bugeja
The rapid growth of the digital era has proven challenging for organizations to effectively manage and secure their systems and in turn, their infrastructure.
Determined human adversaries consistently target account credentials, that is, usernames and passwords, in a persistent effort to gain a foothold in the internal infrastructure of organizations. Mitigation techniques subsequently introduced by organizations generally include a password management solution, which effectively raises the security posture of the known and managed domain and privileged accounts.
The management of privileged account credentials has become increasingly challenging due to the rapid growth and breadth of systems, the variety of environment platforms from on-premises to cloud and hybrid-cloud solutions, as well as the rise of the remote-work culture, which has provided further opportunities for threat actors to capitalize upon.
Password management solutions, which have been employed over the past decade in an attempt to mitigate threats associated with password storage and management, have become inadequate at managing the risks posed by the modern-day threat actor. This is mainly due to undiscovered privileged user accounts that are not stored and managed by password vaulting solutions. Privileged accounts are considered one of the greatest risks to an organization given their high level of authorized access, which makes them prime targets for malicious use.
As a result of the constantly evolving threat landscape, a holistic approach to account, password and privilege management is being established by leading organizations, referred to as Privileged Access Management (PAM). PAM solutions bridge the gap between contemporary password management solutions and privileged access to provide greater management, visibility and control of privilege within the digital environment. To effectively manage the threat landscape relating to privileged accounts, it is essential that all privileged accounts are stored and managed within the PAM solution.
Unfortunately, administrators are rarely in a position to ascertain that all privileged accounts are onboarded to the PAM solution, and for this reason leading solutions offer discovery engines. These provide the capability to automatically discover privileged accounts scattered across the organization, including hard-coded passwords in shell scripts and applications.
Having the ability to discover unmanaged accounts ensures that organizations can onboard previously unknown accounts to the PAM solution and manage them effectively. Successful onboarding improves the security posture of the organization, since it facilitates the secure, automated changing of account credentials in line with the policies stipulated by the organization. Further to this, prominent PAM manufacturers add value to this holistic privilege-management approach through additional controls. Just-In-Time provisioning is one prime example, aimed at removing standing privileged access and instead granting elevated rights on a need basis for a limited time frame. An additional benefit of PAM in managing privileged accounts, most particularly in agile environments, is the availability of dedicated DevOps vaults and Application-to-Application Management (AAPM). AAPM allows application accounts to seamlessly retrieve or inject account credentials from or to the vault, addressing the risk of hard-coded credentials within applications.
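As an added illustration of the discovery of hard-coded passwords in shell scripts described above (example code written for this page, not the author's or any PAM vendor's discovery engine), the following Python scanner runs over constructed sample scripts and reports the location and kind of each hard-coded credential without copying the secret value; the file names, variable names, values and regex heuristics are assumptions, and the vault-backed healthcheck.sh stands in for the AAPM model of fetching the credential at run time.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample scripts standing in for what a discovery engine finds on hosts.
# Only healthcheck.sh fetches its credential from a vault at run time (the AAPM model).
SAMPLE_SCRIPTS: Dict[str, str] = {
    "backup.sh": "#!/bin/sh\nDB_USER=svc_backup\nDB_PASSWORD='Winter2023!'\n"
                 "mysqldump -u $DB_USER -p$DB_PASSWORD prod > /tmp/b.sql\n",
    "deploy.sh": "#!/bin/bash\nexport API_TOKEN=\"example-token-0123456789\"\n"
                 "curl -H \"Authorization: Bearer $API_TOKEN\" https://api.example.internal/deploy\n",
    "run.sh": "#!/bin/sh\nmysql -u root -pS3cret! -e 'SELECT 1' inventory\n",
    "healthcheck.sh": "#!/bin/sh\nPASSWORD=$(vault read -field=password secret/app)\n"
                      "curl -u monitor:$PASSWORD https://app.example.internal/health\n",
}

# Heuristic patterns (assumed, not exhaustive): a secret-looking variable assigned a
# literal, or a password passed inline on a command line. A value beginning with '$'
# is a run-time expansion, which is what a vault-backed script looks like, so it is
# deliberately not matched.
PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^\s*(?:export\s+)?(?P<name>\w*(?:PASS(?:WORD)?|SECRET|TOKEN|PWD)\w*)"
                r"\s*=\s*[\"']?[^\"'\s$]", re.I), "literal assignment"),
    (re.compile(r"\s-p[^\s$]"), "inline mysql-style -p password"),
    (re.compile(r"\s-u\s*[^\s:]+:[^\s$]"), "inline user:password argument"),
]


def find_hardcoded_credentials(name: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (script, line_no, kind, context) per finding. The secret itself is never
    captured: a discovery report should point at the location, not duplicate the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment lines; a stricter engine would report these as well
        for pattern, kind in PATTERNS:
            m = pattern.search(line)
            if m:
                context = m.groupdict().get("name") or line.split()[0]
                findings.append((name, line_no, kind, context))
                break  # one finding per line is enough for the onboarding queue
    return findings


def scan_scripts(scripts: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan every script and return all findings sorted by script name, then line."""
    results = []
    for script_name, text in scripts.items():
        results.extend(find_hardcoded_credentials(script_name, text))
    return sorted(results)


if __name__ == "__main__":
    for script, line_no, kind, context in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{script}:{line_no}: {kind} ({context}) -> onboard to PAM, replace with vault lookup")
```

Each finding is a candidate account to onboard into the vault so that its credential can be rotated by policy and the script switched to a run-time retrieval like the one in healthcheck.sh.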
These functionalities give modern-day organizations an improved capability to tune the password and privileged-account policies within their PAM to their organizational requirements, all of which helps keep the organization’s technical policies in line with the latest standards and the exigencies of current threats. For this reason, PAM strategies and implementations are regarded as a necessity: they improve the security posture in areas where large organizations lack visibility of elevated accounts within their environment, accounts which are a prime target and highly valuable to malicious threat actors if acquired.