The goal of achieving compliance is to make sure that an organization is meeting minimum standards to protect sensitive data. In order to be compliant, a business needs only to meet the outlined requirements.
However, this does not mean that its systems and data are secure. Unfortunately, there are companies that treat compliance merely as a checkbox. Even when the minimum standards are met, data and accounts with elevated access are still vulnerable. Instead, achieving compliance should be viewed as the by-product of sound security practices. This starts with protecting the attacker’s most sought-after prize: privileged accounts with elevated access across the network.
Why General User Accounts Can Be Extremely Lucrative
To the cybercriminal, compromising a general user account is the easiest way to gain access to a network. Instead of scanning ports and Web applications for vulnerabilities—actions that raise red flags—the attacker can compromise a user account with a well-crafted spear-phishing email. And, while it goes without saying that a privileged account with elevated access is highly sought-after, a skilled attacker can escalate the privileges of a regular user account, or even create new accounts, if account management is not handled appropriately. Attackers use general accounts as a stepping stone to privileged accounts, which in turn unlock the real prize: data, intellectual property, system control, secrets, and so on.
If you are only focused on achieving compliance, you are not doing enough to safeguard these privileged accounts, making your company vulnerable to intruders. Protecting your organization starts with the mindset that hackers are already in your network, intent on escalating account access, and controls must be put in place to prevent them from stealing sensitive information or causing unchecked damage. By putting privileged access management (PAM) controls in place as part of your total Identity and Access Management solution, you are making it extremely difficult, if not impossible, to elevate the access of user accounts.
Criminals are also well-aware of the fact that it is rather easy for an organization to mismanage user accounts. And, oddly enough, the people responsible for securing the identities and access of others are often not as diligent about their own accounts. Out of sheer laziness, default administrator passwords are left in place for applications and hardware. IT administrators also tend to primarily use their administrator accounts instead of their standard accounts with limited access. Some even go so far as to share admin accounts or to unnecessarily provide 24/7 admin access to IT staff.
Privileged accounts for contractors and temporary workers are also targeted by savvy criminals. When IT departments neglect to deprovision accounts for temporary workers or outsourced help, those accounts present a huge security risk because they leave the door open to business-critical systems and confidential information. If compromised, these accounts are particularly dangerous because there is no legitimate user actively monitoring them, so any changes go unnoticed and unreported. Frighteningly, research shows that nearly three-fourths of these temporary accounts are granted administrative access.
PAM controls not only prevent general accounts from being elevated to privileged access without proper authorization; when they operate within an identity and access management (IAM) solution, the resulting audit and log trails also document that users are given the least privilege needed, an essential part of any compliance and security program.
Managing Privileged Access
Upgrading to a modern IAM solution with stronger privileged access management controls gives you the tools needed to keep sensitive information confidential and, as a result, to achieve compliance. To ensure a security-first mindset, however, your IAM solution needs to:
- Implement least privilege
- Control authorization
- Enable auditing
- Improve accountability
To accomplish this, your IAM solution should be able to automate the provisioning and deprovisioning of user accounts across all of your connected systems for all users, privileged accounts included. This not only helps eliminate human error, such as granting higher levels of access than needed or forgetting to remove accounts when an employee leaves, but it also provides auditing and accountability by logging account activity. This documented proof is exactly what auditors need to see when they check whether your business is compliant.
If you are truly looking for a security-first mindset in your organization, then managing privileged access in your IAM solution should include time-based accounts and workflows for requesting admin access. Users who need administrator rights for a particular task can request on-demand access. When privileged access is required, the end user follows the procedures in place to request it. If on-demand access is granted, it is governed by a time constraint, after which the account expires in order to prevent it from being shared or falling into the wrong hands.
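As an added illustration of the time-bound, workflow-driven admin access described above (example code written for this page, not any product's own API), the following constructed Python model grants admin rights only through a separately approved, expiring request and records every decision in an audit trail. The names PamStore, Grant, request_access and the four-hour policy cap are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class Grant:                      # one approved, time-bound admin entitlement
    user: str
    approver: str
    task: str
    expires_at: datetime
@dataclass
class PamStore:                   # constructed in-memory model, not a real product's API
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # append-only trail for auditors
    max_duration: timedelta = timedelta(hours=4)   # policy cap on on-demand access
    def _log(self, now, event, **details):
        self.audit.append({"time": now.isoformat(), "event": event, **details})

    def request_access(self, now, user, task, approver, duration):
        """Workflow step: separate approver, bounded lifetime, every outcome logged."""
        if approver == user:
            self._log(now, "denied", user=user, task=task, reason="self-approval")
            return None
        if duration > self.max_duration:
            self._log(now, "denied", user=user, task=task, reason="duration over policy")
            return None
        grant = Grant(user, approver, task, now + duration)
        self.grants.append(grant)
        self._log(now, "granted", user=user, approver=approver, task=task,
                  expires=grant.expires_at.isoformat())
        return grant

    def has_admin(self, now, user):  # authorization check: only an unexpired grant counts
        return any(g.user == user and g.expires_at > now for g in self.grants)

    def expire(self, now):  # periodic sweep: revoke expired grants so nothing lingers
        expired = [g for g in self.grants if g.expires_at <= now]
        for g in expired:
            self._log(now, "expired", user=g.user, task=g.task)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return len(expired)

def demo():
    """Constructed scenario; returns (audit events, admin during, admin after, revoked)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    pam = PamStore()
    pam.request_access(t0, "alice", "rotate db creds", "alice", timedelta(hours=1))  # denied
    pam.request_access(t0, "alice", "rotate db creds", "bob", timedelta(hours=1))    # granted
    during = pam.has_admin(t0 + timedelta(minutes=30), "alice")
    after = pam.has_admin(t0 + timedelta(hours=2), "alice")
    revoked = pam.expire(t0 + timedelta(hours=2))
    return [e["event"] for e in pam.audit], during, after, revoked
```

The audit list is what an auditor would read: who requested what, who approved it, when it expired, and which requests were refused and why.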
Implementing any privileged access management can help you achieve the basic compliance needs. However, if your intention is to keep your network resources, your intellectual property, and your customers’ data safe, then you need to look beyond compliance and shift to a security-first mindset.