Security breaches are a fact of business life. Nine in ten organisations* admit to having experienced breaches at least once within the space of a year and more than half say they have been exposed to two or more breaches in that time.
High profile breaches during the last two or three years show that no matter where they originate, skilled attackers tend to follow the same route. They look for sensitive, valuable data. To locate and gain access to this data, attackers first try to gain access to an internal account, preferably one with high value administrative privileges. They then leverage the compromised privileged account to continue escalating privileges, all the time moving laterally and gaining greater access to the network, where finding target systems or sensitive data becomes relatively easy.
The path seems obvious when you think about it from the attacker's perspective: Do I need access to a particular network segment or want to change firewall rules to enable external communication? Do I want to gain access to the domain controller? Or do I want to dump the database table to capture a competitor’s customer list?
Unprotected, unmonitored privileged accounts represent the keys to the IT kingdom – providing a means to unlock your organisation’s most sensitive assets – business critical systems, intellectual property, financial information, audit data and more. This is why one of the critical lines of defence for any corporate network must be to secure all privileged accounts and credentials.
There are security solutions designed for just this purpose but as with everything in IT, for greatest success (and security) you do need to match the right solution to your business needs. The best way to achieve this is by a thorough evaluation and prioritisation of your most critical assets and vulnerabilities. Here are seven questions to ask potential vendors:
1.Is the solution really secure? Select a solution that offers multiple layers of built-in protection including hierarchical encryption, session encryption, authentication and a built-in firewall. To further hamper attackers, consider systems that offer segregation of duties, ensuring users can only see and access data that is unique to their specific roles. Tamper-proof audit logs and session recordings also boost security.
2.Can the solution find and protect all of my accounts? A typical enterprise has at least three to four times as many privileged accounts as employees, so before you can protect them, you have to be able to find and inventory them all. The most effective way to achieve this is to use a tool specifically designed to scan your environment to find privileged user and application accounts, and associated credentials.
3.Can it protect all credentials? Unfortunately, the traditional view of privileged credentials is limited as it often overlooks SSH keys, which commonly provide users and applications with privileged access to UNIX accounts. When you realise that the average large enterprise can have up to one million SSH keys in their environment-- that is a major problem. The latest generation of security solutions addresses this issue by including end-to-end capabilities that allow organisations to securely store, manage and monitor all types of privileged credentials – including SSH keys.
4.Will it work in my environment? Your IT environment is tailored to your organisation’s particular requirements. Be sure that any solution you consider can protect accounts throughout most – if not all – of your IT environment, not just a few specific platforms, systems or databases.
5.What protections are provided? It’s important to establish an end-to-end life cycle approach to privileged account management. Key requirements include the ability to discover privileged accounts, pro-actively protect privileged account credentials, enforce access controls, automatically rotate passwords and SSH keys, monitor access to privileged accounts, monitor and record user activity, isolate privileged sessions, enforce least-privileges, remove plain text application credentials such as embedded passwords, and leverage behavioural analytics.
6.How can I minimise the cost of managing it? Rather than trying to integrate and manage multiple products, often the simplest and most cost-effective approach is to adopt a single-platform solution. However, it's essential to ensure the platform addresses all needs, from securing, managing, controlling and monitoring privileged accounts, to detecting active threats.
7.How reliable is the vendor? The only way to effectively break the attack chain is to pro-actively prevent attackers from gaining the elevated administrative privileges needed to reach sensitive data inside your organisation. That’s why it’s critical to ensure that any potential vendor treats privileged account security as its primary, strategic focus and is committed to on-going innovation in this fast-evolving environment.
Privileged accounts are everywhere -- and they make an attractive target for attackers. Given the damage that can be inflicted when the wrong people gain access these accounts, the protection and management of privileged accounts and credentials must now be considered a key priority for any CSO. How you choose to do it is up to you, but because as high profile attacks of the past have shown, incomplete security is like having no security at all.
* Ponemon Research survey