Would You Bolt Your Front Door and Leave Your Back Door Unlocked?

April 30, 2020

If you leave your house, there’s a good chance that you always lock and bolt the front door. But would you leave the back door unlocked for anyone to just easily walk in?

If you wouldn’t do this at your home, why would you entertain this for your company?

Many organizations believe that Privileged Access Management (PAM) simply equates to having a password vault. In reality, they’re leaving the back door open, and are only half protected.

IT Toll Roads

A simple way to think about privileged access is like a collection of toll roads whose destinations are our internal assets. These assets include such things as financial reports, credit card data, health information, classified government files, and competitive drug formula research.

To navigate these toll roads, we need a vehicle and the appropriate toll. Login accounts are the vehicles and the accounts’ roles and rights represent the toll.

As you might imagine, some roads lead to low-value destinations. The toll to use such a road, in the form of roles and rights, is very low, so access is available to a broader group of people.

Other roads, however, lead to high-value destinations. We need a vehicle with extensive rights to use them – called a privileged account. Not surprisingly, these accounts are in the crosshairs of attackers looking to exploit and monetize your assets. According to Forrester, 80% of data breaches involve abuse of weak, default, or stolen passwords. This is also the primary reason why we need to take them off the road and garage them securely to prevent them from being stolen. By removing them from the equation, we can limit our risk; limit what an attacker — or a malicious insider — can do.

Storing these accounts inside a password vault certainly helps, but it isn’t enough. These accounts still exist on the computers; they’re still enabled for login; and although a password vault raises the barrier a little, they can still be compromised and abused.

Danger Ahead

Least Privilege

You might be asking yourself, if I take these accounts away, how do legitimate administrators do their job? That’s where the concept of “least privilege” combined with “privilege elevation” comes into play.

In a least privilege world, all our vehicles now only have basic rights — a toll that gives access only to basic, common destinations such as email, web surfing, Office 365 apps, etc. More sensitive destinations are blocked by default.

Privilege elevation, however, enables the legitimate increase in privilege, just-in-time, for a temporary period of time, to perform administrative tasks.

That word “legitimate” is key here. We need to tightly control who can pass through the toll gate.

For example, allowing a Web Administrator access to systems that run Web Servers and their associated management tools might be perfectly legitimate. However, logging into machines that process credit card transactions and using tools that give visibility to credit card data is likely not.

So, elevation means temporarily granting the user extra roles and rights to perform a legitimate job that’s aligned with their job function – just-enough privilege, just-in-time, for just the amount of time needed to do the job.

But what if the “user” is not who they should be? We can throw some additional gates in the path to better assure the user’s identity. One is to insist that the user explicitly request the additional access via a self-service access request function. The user fills out a form, providing context about what is being accessed, why, for how long, and perhaps a help-desk ticket reference. One or more approvers can then make an educated decision to grant or deny the access request based upon this context.

Another gate might be prompting the user for a second factor during login or step-up authentication during privilege elevation, such as a push notification to their registered mobile device. This is commonly known as multi-factor authentication (MFA). It’s unlikely an attacker (especially a human in another geography or a bot or piece of malware) would have physically compromised a mobile device, so this is a relatively simple roadblock to put in front of an unauthorized hacker. Since time is money for these hackers, a simple deterrent like this can easily result in them simply moving on to their next target. The legitimate user, however, would be able to respond and would thus gain access.
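As an added illustration (not code from the original post or from any product it references), here is a small Python model of the gates just described: elevation only where the target aligns with the requester's job function, a bounded just-in-time window, a self-service request carrying context and approved by someone other than the requester, and step-up MFA before the grant is issued. The policy table, role names, system classes and sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy (assumption): which job function may elevate on which class of system.
# The Web Administrator is listed for web servers only; card-processing systems are absent.
ELEVATION_POLICY = {"web-admin": {"web-server"}, "db-admin": {"database"}}
MAX_GRANT_MINUTES = 120  # hard ceiling on any just-in-time window

@dataclass
class ElevationRequest:        # the self-service access request form
    user: str
    job_role: str
    target_class: str          # class of system the extra rights apply to
    duration_minutes: int      # "for how long"
    justification: str         # "why"
    ticket: str = ""           # optional help-desk reference

def evaluate(req, approver, mfa_ok, now=None):
    """Gates in order: job alignment, time bound, context, approval, step-up MFA; returns (expiry or None, reason)."""
    now = now or datetime.now()
    if req.target_class not in ELEVATION_POLICY.get(req.job_role, set()):
        return None, "denied: target not aligned with job function"
    if not 0 < req.duration_minutes <= MAX_GRANT_MINUTES:
        return None, "denied: requested window outside policy bounds"
    if not req.justification:
        return None, "denied: no justification supplied"
    if approver is None or approver == req.user:
        return None, "denied: missing or self approval"
    if not mfa_ok:
        return None, "denied: step-up MFA not satisfied"
    return now + timedelta(minutes=req.duration_minutes), "granted"

def is_active(expires_at, now=None):
    # The extra rights lapse at expires_at without anyone having to revoke them.
    return expires_at is not None and (now or datetime.now()) < expires_at

def run_scenarios():
    """Worked cases on a fixed clock so the outcomes are reproducible."""
    now = datetime(2020, 4, 30, 9, 0)
    web = ElevationRequest("alice", "web-admin", "web-server", 60, "patch nginx", "INC-1234")
    cards = ElevationRequest("alice", "web-admin", "card-processing", 60, "curious")
    expires, outcome = evaluate(web, "bob", True, now)
    return {
        "web_admin_on_web_server": outcome,
        "web_admin_on_card_processing": evaluate(cards, "bob", True, now)[1],
        "no_step_up_mfa": evaluate(web, "bob", False, now)[1],
        "self_approved": evaluate(web, "alice", True, now)[1],
        "active_after_30_min": is_active(expires, now + timedelta(minutes=30)),
        "active_after_90_min": is_active(expires, now + timedelta(minutes=90)),
    }
```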

While a password vault can play an important role in helping to prevent identity-related data breaches, compared to privilege elevation that role is relatively minor in reducing your risk. For a comprehensive Privileged Access Management approach, vaulting can be a quick and simple beginning. However, least privilege with privilege elevation should be your top priority, with vaulting being used only for emergency break-glass situations where you absolutely must use a superuser account.

To learn more about privilege elevation and least privilege, download this complimentary Gartner report: “Best Practices for Privileged Access Management Through the Four Pillars of PAM.”
