Let’s finally address privilege within your network

— HOW TO

Are you using a secret management system?

Whilst I can appreciate that you may not be a technical resource or someone that influences technology decisions at your workplace, you are here already, and the article is a 5-minute read. At a minimum you will leave a little more informed about best practices that should be occurring on your network when it comes to privileged accounts.

Examples of how to use PAM:

Non-technical users, continue to scroll down and continue reading.

For everyone else, as you’ve come to expect, my articles tend to be written for decision-makers and accompanied by technical examples for your IT staff to read through. For a list of examples using a PAM with RPAs, Red Hat Ansible, Web Services and many other systems, please click the GitHub link below. 


What is a privileged account?

Networks are made up of hundreds of accounts, also known as users. All devices on your network have these (e.g. network switches, firewalls, servers, PCs, mobile devices, IoT devices, etc.). Generally speaking, each device has at least one highly-privileged user (commonly known as an “administrator”). Your IT staff (or Managed Service Providers) create their own accounts with the same privileges. Also, integrations between two systems on your network generally involve creating one or more accounts on each platform. All of these examples are called “privileged accounts” because they have elevated access above that of a basic user.

So what’s the issue with privileged accounts?

The problem isn’t with the accounts. It is password management for those accounts. The password for those privileged users is not only known by your current staff but also by all of the staff that used to work at your organisation.

Banks ran into a similar problem a long time ago. If the safe combination is known by many people, the vault door can be easily opened, making the bank deposits only as secure as the other security systems surrounding the safe (e.g. security guards and the interior and exterior gates and doors). Despite strict policies forbidding the sharing of safe combinations, those secrets would inevitably be known by more than just the custodians. So to tackle that problem, banks would change the safe combination on a regular basis in addition to when a custodian was terminated. When they had the safe combination changing frequently and a process that would only share the new combination with authorised personnel, this helped them ensure that only authorised persons working at the bank knew the current safe combination, and leavers only knew what the combination was while they were employed at the bank.

Today corporations should protect passwords for privileged accounts on their network in the same way. The Privileged Access Management (PAM) platform will rotate passwords regularly and provide a way to give controlled and audited access to those credentials to authorised personnel or service. This is the best way to mitigate a password leak, and at the same time ensure passwords for your privileged accounts are complex and not easily guessed.

What can I do with a privileged account?

Every device has some initial administrator account that you use to set up the device. For a firewall, it is the account you use to do the initial configuration and create other privileged users. For a PC, it is the account you create when you provision the machine. The same applies to online services. Whatever the device or service is, these accounts have the highest privileges. They can install software. Open ports. Or change the default behaviour of your device or service. Bad actors can do all sorts of malicious actions with that level of access.

So if it is well-known that the default password for the local administrator account on your staff laptops is ABank-2003, then a malicious user could install a keylogger on your PC, wait for you to connect via VPN to your network, and use those captured VPN credentials to crawl, encrypt and hold ransom confidential information on your corporate network. This was all possible because a malicious user knew the password for the local user on your PC. And, what’s worse, because other employees also have a PC with the same default password, the malicious user can do the same action over and over again to other employees at your company.

What is the solution?

You need a Privileged Access Management (PAM) platform.

PAM platforms can do many things like User Lifecycle Management, Discovery and much more. Today I am going to stick to one feature (i.e. password management) and discuss using a PAM platform to rotate those passwords on a regular basis.

I’m not in IT. Why should I care?

How long has your company been in business? What has been the average headcount for your IT team? Suppose your company is 20 years old and, during that time, the average IT headcount has been 10 staff. Then, given that IT professionals stay with a company for 2 years on average before moving on, you have about 100 people that know a password for at least one (likely more) privileged accounts on your network. For those trying to follow the math: 20 years ÷ 2 years × 10 positions = 100 people.

And if that’s not scary enough, remember your vendors and MSPs will also have access to passwords for privileged accounts on your network related to the services they install or provide. Each one of those will have staff turnover similar to your organisation, therefore multiplying the number of people that have knowledge of a password for one or more privileged accounts within your network. You then start to think: how many privileged accounts do I have? How many people across my IT staff and any MSPs and Vendors I am working with (or have ever worked with) know the passwords for one or more privileged accounts on my network? What can they do with those passwords?

When introducing a PAM platform, you force your IT staff, MSPs, and Vendors to adhere to good password management. Because with the PAM, passwords are changed frequently:

  • Leavers from your IT Team, MSPs and Vendors cannot know your latest passwords.
  • Everyone has to retrieve the latest password from the PAM portal, which requires multi-factor authentication. Even then, that password is only known until it expires and is rotated.
  • You can audit and recertify access to passwords. If someone no longer needs access to a password, you can just remove their rights to the password in the PAM platform. Eventually, the password will be rotated by the PAM and not known to the revoked user.
  • Bad habits like hardcoding passwords into processes are not possible.
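As an added illustration of the four points above (this is a constructed toy model, not code from the article or from any PAM vendor), the Python below simulates a vault with MFA-gated check-out, scheduled rotation, revocation and an audit trail; the account name, user names and 7-day rotation interval are made up.

```python
import secrets


class PamVault:
    def __init__(self, rotation_interval_days: int):
        self.rotation_interval_days = rotation_interval_days
        self.passwords = {}     # account -> current password
        self.last_rotated = {}  # account -> day the password was last rotated
        self.entitlements = {}  # account -> users allowed to check it out
        self.audit_log = []     # (day, user, account, outcome), used for recertification

    def onboard(self, account: str, day: int, allowed_users: set) -> None:
        self.entitlements[account] = set(allowed_users)
        self.rotate(account, day)  # the old, widely known password dies at onboarding

    def rotate(self, account: str, day: int) -> None:
        # A fresh random password that no human has seen yet.
        self.passwords[account] = secrets.token_urlsafe(18)
        self.last_rotated[account] = day
        self.audit_log.append((day, "pam", account, "rotated"))

    def tick(self, day: int) -> None:  # scheduled rotation of expired passwords
        for account, rotated in list(self.last_rotated.items()):
            if day - rotated >= self.rotation_interval_days:
                self.rotate(account, day)

    def revoke(self, user: str, account: str) -> None:
        self.entitlements[account].discard(user)

    def checkout(self, user: str, account: str, day: int, mfa_ok: bool):
        # Released only to an entitled user who passed MFA; every attempt is logged.
        allowed = mfa_ok and user in self.entitlements.get(account, set())
        self.audit_log.append((day, user, account, "checkout" if allowed else "denied"))
        return self.passwords[account] if allowed else None

    def authenticate(self, account: str, password: str) -> bool:
        # What the managed device would decide when someone logs in with `password`.
        return secrets.compare_digest(self.passwords[account], password)


def leaver_scenario() -> dict:
    vault = PamVault(rotation_interval_days=7)
    vault.onboard("fw01/admin", day=0, allowed_users={"alice", "bob"})
    pw_alice = vault.checkout("alice", "fw01/admin", day=1, mfa_ok=True)
    vault.revoke("alice", "fw01/admin")  # alice leaves the company on day 2
    denied = vault.checkout("alice", "fw01/admin", day=3, mfa_ok=True) is None
    before = vault.authenticate("fw01/admin", pw_alice)  # still valid until rotation
    vault.tick(day=8)  # scheduled rotation runs
    after = vault.authenticate("fw01/admin", pw_alice)
    return {"denied_after_revoke": denied, "valid_before_rotation": before, "valid_after_rotation": after}
```

The scenario shows the window the article describes: a leaver keeps whatever password they last checked out only until the next scheduled rotation, and the audit log records who asked for what and when.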


So, while you might not be in IT, as you can see, it is good to know about PAM as a technology, and to advocate its use once you understand the utility and function it serves.

Why isn’t this used everywhere?

First and foremost, PAM systems are in fact very broadly used by others in your industry. It may not be the case for the organisations you currently compare yourself to, but it very much is the case for the organisations you should be comparing yourself to.

It is also important to remember that support for a PAM platform needs to come from the top down. When board members understand the importance of privileged access management, they can mandate policies that IT can enforce. In short, your board members should be reading articles like this. Otherwise, they are just setting budgets. A lot of IT projects are competing for that budget, and so security tools almost always lose to automation and upgrades, therefore making a PAM deployment less likely.

What sort of pushback should I expect?

IT Professionals like to feel appreciated and trusted. PAM platforms include a whole host of other features we haven’t covered here, like Discovery, Policy Management, and session recording, which aren’t always well-received by IT. My recommendation is, don’t be over-ambitious or over-zealous with your PAM initiatives. Start with a simple use case that onboards privileged credentials into your PAM. Then, create a mandate that says all new integrations should use credentials managed by your PAM platform.

After that is done, in no time, you’re going to find that IT is going to lead the charge with greater adoption given their new-found enthusiasm in PAM.

Summary

The goal of this article was to raise awareness of the need to manage privileged accounts and access within your organisation. A lot of “hacking” within organisations comes down to default passwords that are too well-known and never changed. Hopefully you’ve left with an understanding of how a PAM can help with that, and an article you can share with your IT staff.

BMT is an IBM Business Partner, so as you can imagine, IBM Security Privilege Vault is our preferred Privileged Access Management platform. If you would like more information about Privilege Vault, as always, feel free to contact me and I’d be happy to help.

In the interim, share this article with your colleagues to raise awareness about a very important and easy-to-deploy solution that everyone should have in their budgets and in their on-premise and cloud networks.
