Privileged access management (PAM) is a subset of identity and access management (IAM), developed as an added security measure to monitor privileged accounts—the limited user group granted access to critical network assets. Of course, no system is without its risks. Whether team members rely on existing passwords or share login credential information, user error is inevitable.
Below is acompilation ofthe most commonprivileged accessrisksthat affect accountand enterpriseintegrity to help you plan for and safeguard against them.
Why is privileged account security important?
PAM operates on the principle of least privilege, granting permissions on an as-needed basis, meaning there are fewer privileged accounts with access approval for restricted data. However, it only takes one misstep to leave your systemsvulnerableto cyber attacks. It’s imperative to address every vulnerability and consider all privileged access risks when developing your organizational strategy.
Default passwords
Often overlooked by larger enterprises, password hygiene—the use ofa unique and complex password for each account and application—is one of the most effective ways to stave off cyber threats. Default passwords are a common internal user-offense as they’re easy to use, but, unfortunately, they’re just as easy to hack. These could include user-defined, organization-instituted, and manufacturer- or vendor-supplied passwords alike,the latter of which are often readily available online, sold online from hacker to hackertoleverage.
Even one local insecure privileged account compromises the broader enterprise system.To keep your systems secure, conduct an enterprise assessmenttoidentify at-risk devices and applications. Then,implement or reinforce a company-wide practice of good password hygieneto educate your teams on its importancefordata security.Once completed, this (somewhat) simple risk-aversion tactic grants the greater reward of account security.
Stagnant credentials
It’s a best practice to update passwords within a designated cadence—changing them everythreeto six months to enable inscrutability.As we’ve said above, users often rely on existing passwords, and stagnant credentials increase the possibility of someone attempting and succeeding in infiltrating privileged accounts. By regularly updating passwords, users are less likely to fall prey to keylogging or similar attacks. And limited password periods reduce the risk of account exposure, meaning less time for hackers to conduct their attacks and gain access.
Of course, it would also be prudent to consider account stagnation—when inactive user accounts lie dormant and vulnerable to attack. Automating provisioning and deprovisioning mitigates this concern.
Shared credentials
The concept is seemingly obvious, but the more people who have access to something, the more likely it is that someone will abuse it. When a privileged user shares their credentials with another user, however well-trusted, it puts the account and the enterprise at risk.
If users share credentials for even a few designated privileged accounts, it can lead to a massive data breach with lasting effects. Doing so is especially detrimental if the user inputs the shared credentials on a non-secure device. Educate your teams on the importance of keeping their credentials to themselves and ask them to change all passwords they have already shared.
Misuse of credentials
The misuse of credentials oftenoccurs in two ways:from a lack of enforcing the principle of least privilegeand delayed or nonexistent deprovisioning.
Whether maliciously or unintentionally, the more users able to not only access but modify critical assets, the greater the risk to the enterprise.
By assigning permissions only to those who need it (and for theamount oftime they need it), organizations significantly reduce the risk ofinadvertentabuse. For deprovisioning, many companies do not have the process automation setup, allowing ex-employees to maintain access long after their departure date.In this case, automating deprovisioningisa reliable solution, allowing administrators to automatically remove access and permissions at the end of employment.
Stolen credentials
Credential theft isone of the most commonforms of cybercrime. Though there are many meansofcredential theft,the most widely practiced isphishing—requests for sensitivecompany or user information under the guise of legitimacy(e.g., a fraudulent email sent from “the CEO”). This approach, while deceptive, is highly efficientand can allow cybercriminals to bypass security measures.
To avoidphishing victimization, educate employees on recognizing phishingcommunicationsandconduct a consistent review to see which passwords are already compromised and available to external threats. Once completed, you canremediateas necessary.
Enabling a security culture
While there are many privileged access risks, knowing and naming them empowers you to defend your organization. Rest assured, PAM does equip administrators to flag indiscretions andwiththe visibility to detect possible threats as they occur. However,establishing a security culturewith password policies and educationwill further benefityourprivileged accounts and overall enterprise wellbeing.
Unleash the power of unified identity security
Mitigate cyber risk across the spectrum of access
