Privileged Access Management (PAM) is a subset of Identity and Access Management (IAM), developed as an added security measure to monitor privileged accounts: the limited user group granted access to critical network assets. Of course, no system is without its risks. Whether users rely on existing passwords or share login credentials, user error is inevitable.
Below is a compilation of the most common privileged access risks that affect account and enterprise integrity to help you plan for and safeguard against them.
Why is privileged account security important?
PAM operates on the principle of least privilege, granting permissions on an as-needed basis, meaning there are fewer privileged accounts with access approval for restricted data. However, it only takes one misstep to leave your systems vulnerable to cyberattacks. It’s imperative to address every vulnerability and consider all privileged access risks when developing your organizational strategy.
Default passwords.
Often overlooked by larger enterprises, password hygiene (the use of a unique and complex password for each account and application) is one of the most effective ways to stave off cyberthreats. Default passwords are a common offense among internal users because they're easy to use; unfortunately, they're just as easy to hack. These include user-defined, organization-instituted, and manufacturer- or vendor-supplied passwords alike, the last of which are often readily available online or sold from hacker to hacker.
Even one local insecure privileged account compromises the broader enterprise system. To keep your systems secure, conduct an enterprise assessment to identify at-risk devices and applications. Then, implement or reinforce a company-wide practice of good password hygiene to educate your teams on its importance for data security. Once completed, this (somewhat) simple risk-aversion tactic grants the greater reward of account security.
Stagnant credentials.
It's a best practice to update passwords on a designated cadence, changing them every three to six months to ensure their inscrutability. As we've said above, users often rely on existing passwords, and leaving credentials stagnant increases the possibility of someone attempting, and succeeding in, infiltrating privileged accounts. By regularly updating passwords, users are less likely to fall prey to keylogging or similar means. Limited password periods also reduce the risk of account exposure, leaving hackers less time to run their attacks and gain access.
Of course, it would also be prudent to consider account stagnation, when inactive user accounts lie dormant and vulnerable to attack. Automating provisioning and deprovisioning eliminates this concern.
Shared credentials.
It may seem obvious, but the more people who have access to something, the more likely it is that someone will abuse it. When a privileged user shares their credentials with another user, however well-trusted, it puts the account and the enterprise at risk.
If users share credentials for even a few designated privileged accounts, it can lead to a massive data breach with lasting effects. Doing so is especially detrimental if the user inputs the shared credentials on a non-secure device. Educate your teams on the importance of keeping their credentials to themselves and ask them to change all passwords they have already shared.
Misuse of credentials.
The misuse of credentials often occurs in two ways: through a failure to enforce the principle of least privilege and through delayed or nonexistent deprovisioning.
The more users who can not only access but also modify critical assets, whether maliciously or unintentionally, the greater the risk to your enterprise. By assigning permissions only to those who need them (and for the amount of time they need them), you will significantly reduce the risk of inadvertent abuse. As for deprovisioning, many companies do not have the process automation set up, allowing ex-employees to maintain access long after their departure date. In this case, automating provisioning and deprovisioning makes a reliable solution, allowing administrators to assign privileges per role or project need and automatically remove access and permissions at the end of employment.
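The stagnant-credential, dormant-account and late-deprovisioning risks described above can be checked with a periodic audit of the privileged account inventory. The sketch below is an added example, not code from SailPoint or any PAM product; the record fields, the sample accounts and the 180-day and 90-day thresholds are assumptions made for illustration.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=180)  # assumption: upper end of the three-to-six-month cadence
MAX_INACTIVITY = timedelta(days=90)     # assumption: the article names no dormancy threshold

# Constructed sample inventory; field names are hypothetical, not a vendor schema.
ACCOUNTS = [
    {"user": "svc-backup", "enabled": True, "password_set": date(2023, 1, 10),
     "last_login": date(2024, 5, 30), "employment_end": None},
    {"user": "jdoe-admin", "enabled": True, "password_set": date(2024, 4, 2),
     "last_login": date(2024, 5, 28), "employment_end": None},
    {"user": "asmith-admin", "enabled": True, "password_set": date(2024, 1, 5),
     "last_login": date(2024, 1, 15), "employment_end": date(2024, 2, 1)},
    {"user": "old-dba", "enabled": True, "password_set": date(2022, 6, 1),
     "last_login": None, "employment_end": None},
    {"user": "rlee-admin", "enabled": False, "password_set": date(2021, 1, 1),
     "last_login": date(2021, 2, 1), "employment_end": date(2021, 3, 1)},
]

def audit_account(acct, today):
    """Return the list of findings for one account record."""
    if not acct["enabled"]:
        return []  # already deprovisioned: nothing left to abuse
    findings = []
    if today - acct["password_set"] > MAX_PASSWORD_AGE:
        findings.append("STALE_PASSWORD")
    last = acct["last_login"]
    if last is None or today - last > MAX_INACTIVITY:
        findings.append("DORMANT")  # never used, or unused past the threshold
    end = acct["employment_end"]
    if end is not None and end <= today:
        findings.append("ORPHANED")  # owner has left but access remains
    return findings

def audit(accounts, today):
    """Map each account with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{user}: {', '.join(findings)}")
```

An account with an `ORPHANED` finding is the ex-employee case: it should be disabled immediately rather than queued for a password rotation.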
Stolen credentials.
Credential theft is one of the most common forms of cybercrime. Though there are many means of credential theft, the most widely practiced is phishing—requests for sensitive company or user information under the guise of legitimacy (e.g., a fraudulent email sent from “the CEO”). This approach, while deceptive, is highly efficient and allows cybercriminals to bypass any security measures.
To avoid phishing victimization, educate employees on recognizing phishing communications and conduct a consistent review to see which passwords are already compromised and available to external threats. Once completed, you can then remediate as necessary.
Final thoughts.
While there are many privileged access risks, knowing and naming them empowers you to defend your organization. Rest assured, PAM equips administrators to flag indiscretions and gives them the visibility to detect possible threats as they occur. However, establishing a security culture with password policies and education will further benefit your privileged accounts and overall enterprise wellbeing.
SailPoint Privileged Access Management
SailPoint sets the industry standard on PAM and API integration for Identity and Access Management systems, allowing your organization to centrally manage access to both privileged and standard accounts—with ease. Find out how SailPoint can integrate with your privileged access management system.