According to the 2016 Verizon Data Breach Investigations Report, more than 60 percent of attacks on businesses leverage privileged access – the root and administrator accounts most IT teams use daily – often without regard to the risk they represent. Passwords to these accounts are rarely changed; are known by multiple individuals, often including contractors and temporary employees; and are frequently reused on a range of systems, accounts and applications.
Managed Service Providers (MSPs) must help customers get a handle on out-of-control credentials.
Privileged access management, or PAM, is the part of identity management focused on administrative or root accounts within the IT infrastructure. PAM is frequently used as a data security and governance tool to help companies prevent internal and external data breaches stemming from abuse or misuse of privileged accounts. It’s a key component of vulnerability management – the practice of identifying, classifying, remediating and mitigating vulnerabilities on a continuous basis – and is a fundamental component of many regulatory-compliance initiatives.
It can also help solve six problems plaguing most customers today.
- Enabling anytime, anywhere secure access
Companies must be able to control access to data across all devices and environments, including traditional and virtual desktops, servers, databases and applications, Internet of Things devices and tablets and smartphones. With a managed-services offering for privileged access, an administrator or a contractor can authenticate against select assets remotely (or on premises) and provide sessions that are fully documented (session recording and keystroke logging); controlled via a documented workflow and approval process; and restricted based on policies around factors including time/date and location.
- Auditing and reporting on privileged activity
The ability to record and replay any activity – including mouse actions, keystrokes and user interface screen captures – by privileged accounts across network and cloud environments is essential to mitigating the risks of a data breach and proving compliance. Ensure that your PAM solution allows activity to be attributed to individuals, even when shared accounts are being used.
- Cycling employee and third-party passwords
Automated enterprise password management, rotation and reconciliation, including on cloud-based platforms, are essential for closing password-security gaps across heterogeneous environments. If you have customers with complex needs and mobile workforces, ensure password changes can be performed with or without local agent technology.
- Securing third-party access
Many recent, high-profile data breaches have occurred due to attacks originating from non-employees. Strengthening the weak link in the security chain – remote access by third-party vendors and contractors – requires controlled network separation and activity monitoring. In fact, MSPs can help mitigate that risk with a focus on clearly defined access levels, secure connection gateways, proxied access, and auditing and recording of third-party sessions.
- Securing network devices
Chances are a customer is using weak passwords on networking devices, including firewalls, switches and routers. Common problems include:
- Default or common passwords
- Shared credentials across multiple devices
- Excessive password age (due to fear of changing configs or lack of management capabilities)
- Overly privileged accounts able to make changes to allow exfiltration of data or impact infrastructure availability
- Outsourced support services where changes in personnel, contracts and tools are outside of IT’s direct control, which could expose credentials to unauthorized individuals
Any one of these could lead to excessive risk. MSPs need to equip client infrastructures with complete control and auditing of privileged accounts, including shared administrative, application, local administrative, service, database, cloud and social-media accounts, as well as devices and SSH keys.
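The first three problems in the list above are ones a PAM inventory can surface mechanically. The following audit, added here as an illustration and not code from BeyondTrust or any product, runs over a constructed device-credential inventory and flags default passwords, credentials shared across devices, and passwords older than an assumed 90-day rotation policy; every device name, date and secret is made up.

```python
"""Audit a constructed privileged-credential inventory for the network-device
problems listed above. Example code, not a vendor's; names/dates are constructed."""
import hashlib
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90  # assumed rotation policy; tune to the customer's standard


def fingerprint(secret: str) -> str:
    # Only a digest of each secret is kept, so the report never carries plaintext.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed vendor-default secrets; a real list would come from the PAM product.
DEFAULT_FINGERPRINTS = {fingerprint(s) for s in ("admin", "password", "cisco")}

# Constructed inventory: device, account, secret digest, date of last rotation.
INVENTORY = [
    {"device": "fw-edge-01", "account": "admin", "fp": fingerprint("admin"), "rotated": date(2016, 9, 1)},
    {"device": "sw-core-01", "account": "admin", "fp": fingerprint("Sh4red!Net"), "rotated": date(2016, 5, 15)},
    {"device": "rtr-wan-01", "account": "admin", "fp": fingerprint("Sh4red!Net"), "rotated": date(2016, 10, 20)},
    {"device": "sw-access-07", "account": "svc-backup", "fp": fingerprint("uNique-9$Lq"), "rotated": date(2016, 10, 1)},
]


def audit(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Return (device/account, finding) pairs for each hygiene problem detected."""
    findings = []
    by_fp = defaultdict(list)  # digest -> every device/account using that secret
    for rec in inventory:
        by_fp[rec["fp"]].append(f'{rec["device"]}/{rec["account"]}')
    for rec in inventory:
        where = f'{rec["device"]}/{rec["account"]}'
        if rec["fp"] in DEFAULT_FINGERPRINTS:
            findings.append((where, "default-password"))
        peers = sorted(w for w in by_fp[rec["fp"]] if w != where)
        if peers:  # same secret reused on another device or account
            findings.append((where, "shared-with:" + ",".join(peers)))
        age = (today - rec["rotated"]).days
        if age > max_age_days:
            findings.append((where, f"stale:{age}d"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(INVENTORY, date(2016, 11, 3)):
        print(f"{where}: {problem}")
```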
- Securing against privilege elevation
Employees, regardless of role, need elevated permissions from time to time. Maybe it’s for installing new software, troubleshooting a problem or running an essential application. Partners can minimize the need to have privileged credentials widely available by performing, on the customer's behalf, the tasks that require admin access. Also consider a managed service providing auditing for any and all applications that need privileged access. This lowers the risk from hacking techniques, like pass-the-hash, that steal administrative credentials, and allows a trusted independent party (the MSP) to monitor and report on all privileged access, regardless of platform.
It’s an increasingly complex world, and the advent of new technologies and IP-enabled devices only increases the chances of a cybersecurity breach. With an MSP helping to minimize the risk around privileged accounts, customer IT staff can spend more time on growing the business and less time on the never-ending process of vulnerability assessment, reporting and patch mitigation.
The more services you can offer to a client, the more you’ll become a part of their daily routine. The more technical roadblocks you can remove, the more likely they will continue to do business with you, recommend you to peers and add new services during periods of growth.
Editor's note: This blog was originally posted on November 3rd, 2016 on Channel Partners Online.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud-based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.