Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do so many data breaches tie back to improper use of credentials? In fact, according to the 2016 Verizon Data Breach Investigations Report, legitimate user credentials were used in most data breaches, with some 63% of them using weak, default, or stolen passwords.
The fact is that NOT all privileged password management strategies are created equal, so it’s critical to examine your current solution and process for common pitfalls. If you’re still managing shared enterprise passwords in spreadsheets, on sticky notes, or in physical lock boxes, it’s obvious that you’re sitting on a ticking time bomb. Even if you’re currently using privileged password management technology, it still may not be the most effective, efficient, or user-friendly solution.
Regardless of whether you are tackling your password problems manually, or have a technology solution in place but know you can do better, here are eight privileged password management strategies to ensure success:
1) Rotate stale passwords: Stale, static passwords are a serious liability and introduce a scary “honesty” factor for data security. Privileged employees with access to certain files become the gatekeepers and can distribute access to whomever they wish—effectively vaporizing security protocols. Additionally, when a privileged user leaves the organization, they don’t just forget passwords. But for businesses that have particularly complex infrastructures, manually changing passwords after every employee departure is difficult to keep up with, and may lead to a larger security issue. It’s critical to consistently rotate passwords, regardless of who may be coming or going within the organization, in order to maintain a secure environment.
2) Simplify deployments: If you’re ready to make the move to a privileged password management technology solution, make sure you understand just how many components you need to install, configure, and manage prior to sending in your purchase order. Some solutions require separate modules (and interfaces) for password storage, management, synchronization, and session monitoring and web access. Double these for high availability, and will find yourself juggling at least ten separate modules. Some vendors “solve” this problem with weighty professional services engagements. Needless to say, costs and frustration can pile up with these products. Fortunately, there are integrated solutions that are much easier to implement and maintain, requiring only a couple appliances for high availability and minimal professional services – even for large deployments.
3) Close gaps in coverage: Many products require IT administrators to rely on Active Directory or manually input new accounts for management. This is not only a drain on productivity, but also will miss standalone accounts, backdoors, and other “unknowns.” This is especially true of any organization experiencing growth. The more employees, systems and processes are incorporated, the more time and resources are needed to keep up with changes to your password management solution. A growing backlog of changes leaves sensitive information unsecured for prolonged periods of time and creates a significant security hazard. Solutions that feature auto-discovery solutions for new systems and accounts promote efficiency, while maintaining security
4) Avoid session (mis) management: If you have a solution for managing and distributing privileged access, it only makes sense to then facilitate, control, and monitor the user’s activities on the asset via privilege session management. It seems like every password management vendor has a different approach to this, so there are a couple of things to clarify with the vendor: First, find out whether the vendor offers native session management capabilities or relies on a partner solution (this can mean more complexity and cost). If they do offer native capabilities, are they included standard, or do they carry an extra cost?
5) Improve visibility: There’s a reason why it’s tough to find analytics and reporting screenshots on many password management vendors’ websites—it’s because what they offer can be pretty, well, hazy. Be sure to check out prior to purchase. For instance, it should be easy to understand identify aging passwords, view password update schedules, and generate audits of password changes for compliance purposes. Also, be wary of solutions that lack a foundational data warehouse for aggregating and correlating information over time. And make sure you can filter and drill-down to hone in on granular results for specific business and compliance needs.
6) Use broader threat analytics: Some privileged password management solutions offer analytics capabilities designed to reveal threats based on password and session activity. However, this only tells part of the story. Correlating password and session activity with data on asset changes (e.g., was software installed or were ports opened?) and asset vulnerabilities (e.g., unpatched operating systems and applications) provides a more holistic view of threats in your environment.
7) Connect silos: It’s common for an organization to rely on several vendors for different but related processes – such as enterprise password management software, Unix & Linux server privilege management, and least-privilege management for Windows servers and desktops — many of them claiming to work seamlessly with competitors’ solutions. Integrating siloed solutions from multiple vendors can be expensive and labor intensive, while inevitably leaving gaps in asset and account coverage. Using a single vendor for privilege and password management can streamline the privileged account management process, provide increased visibility into your environment’s risk posture, and centralize control over threat mitigation activities.
8) Remove humans as much as possible: While the fundamental driver behind privileged password management is security, a solution that always requires human intervention from an administrator to act as a gatekeeper can hamper scalability and productivity – especially in emergencies. Choose a solution that can not only involve humans when necessary, but also offer policy-based dynamic permissions and break-glass capabilities to streamline productivity and ensure business continuity.
Password protection – in conjunction with effective privilege management – is often the first line of defense for an organization’s intellectual property, business-critical servers and assets, future plans and financial data. Rely on a solution that can ensure security for the life-blood of your organization.
To discover how many assets with elevated privileges are in your organization, download our free discovery tool, DART. Or, request a trial of PowerBroker Password Safe, and see just how easy it is to protect your company’s most important assets.
Editor’s Note: The above post was originally published in April 2015. It has been revamped and updated for accuracy and timeliness.
Sandi Green, Product Marketing Manager, BeyondTrust
Sandi Green is the Product Marketing Manager for PowerBroker Password Safe, PowerBroker for Windows, and PowerBroker Mac at BeyondTrust. She has over 20 years of sales and solutions marketing experience with technology companies that served a variety of industries ranging from life sciences, human capital management, consumer packaged goods and most recently IT security. When she’s not following the latest trends in Cybersecurity, she’s busy following college football and basketball. Follow her on Twitter at @SandiGreen3.