Seven Questions to Ask When Evaluating Privileged Account Security Solutions

Author: Sam Ghebranious, Regional Director – Australia and New Zealand, CyberArk

Security breaches are a fact of business life. Nine in ten organisations* admit to having experienced breaches at least once within the space of a year and more than half say they have been exposed to two or more breaches in that time.

High-profile breaches during the last two or three years show that no matter where they originate, skilled attackers tend to follow the same route. They look for sensitive, valuable data. To locate and gain access to this data, attackers first try to gain access to an internal account, preferably one with high-value administrative privileges. They then leverage the compromised privileged account to continue escalating privileges, all the time moving laterally and gaining greater access to the network, where finding target systems or sensitive data becomes relatively easy.

The path seems obvious when you think about it from the attacker's perspective: Do I need access to a particular network segment or want to change firewall rules to enable external communication? Do I want to gain access to the domain controller? Or do I want to dump the database table to capture a competitor’s customer list?

Unprotected, unmonitored privileged accounts represent the keys to the IT kingdom – providing a means to unlock your organisation’s most sensitive assets – business critical systems, intellectual property, financial information, audit data and more. This is why one of the critical lines of defence for any corporate network must be to secure all privileged accounts and credentials.

There are security solutions designed for just this purpose but as with everything in IT, for greatest success (and security) you do need to match the right solution to your business needs. The best way to achieve this is by a thorough evaluation and prioritisation of your most critical assets and vulnerabilities. Here are seven questions to ask potential vendors:

1. Is the solution really secure? Select a solution that offers multiple layers of built-in protection including hierarchical encryption, session encryption, authentication and a built-in firewall. To further hamper attackers, consider systems that offer segregation of duties, ensuring users can only see and access data that is unique to their specific roles. Tamper-proof audit logs and session recordings also boost security.

2. Can the solution find and protect all of my accounts? A typical enterprise has at least three to four times as many privileged accounts as employees, so before you can protect them, you have to be able to find and inventory them all. The most effective way to achieve this is to use a tool specifically designed to scan your environment to find privileged user and application accounts, and associated credentials.

3. Can it protect all credentials? Unfortunately, the traditional view of privileged credentials is limited, as it often overlooks SSH keys, which commonly provide users and applications with privileged access to UNIX accounts. When you realise that the average large enterprise can have up to one million SSH keys in its environment, that is a major problem. The latest generation of security solutions addresses this issue by including end-to-end capabilities that allow organisations to securely store, manage and monitor all types of privileged credentials – including SSH keys.

4. Will it work in my environment? Your IT environment is tailored to your organisation’s particular requirements. Be sure that any solution you consider can protect accounts throughout most – if not all – of your IT environment, not just a few specific platforms, systems or databases.

5. What protections are provided? It’s important to establish an end-to-end life cycle approach to privileged account management. Key requirements include the ability to discover privileged accounts, pro-actively protect privileged account credentials, enforce access controls, automatically rotate passwords and SSH keys, monitor access to privileged accounts, monitor and record user activity, isolate privileged sessions, enforce least privilege, remove plain text application credentials such as embedded passwords, and leverage behavioural analytics.

6. How can I minimise the cost of managing it? Rather than trying to integrate and manage multiple products, often the simplest and most cost-effective approach is to adopt a single-platform solution. However, it's essential to ensure the platform addresses all needs, from securing, managing, controlling and monitoring privileged accounts, to detecting active threats.

7. How reliable is the vendor? The only way to effectively break the attack chain is to pro-actively prevent attackers from gaining the elevated administrative privileges needed to reach sensitive data inside your organisation. That’s why it’s critical to ensure that any potential vendor treats privileged account security as its primary, strategic focus and is committed to on-going innovation in this fast-evolving environment.

Privileged accounts are everywhere, and they make an attractive target for attackers. Given the damage that can be inflicted when the wrong people gain access to these accounts, the protection and management of privileged accounts and credentials must now be considered a key priority for any CSO. How you choose to do it is up to you, but as high-profile attacks of the past have shown, incomplete security is like having no security at all.

* Ponemon Research survey
