Despite the billions of dollars spent every year on IT security products, countless organizations still fail at basic cyber security tasks. One of the most commonly overlooked cyber security fundamentals is enterprise password management. Too many companies don’t properly manage their credentials, exposing themselves to untold risk.
The only way to attack these problems, which often stay hidden within the IT shop, is to expose them for what they are. So here are five secrets about enterprise password management.
Let’s start by looking at how some organizations achieve that all-important rubber stamp of regulatory compliance.
The problem with many audits is that they only test security at a single point in time. Think about it. On February 1 you pass your PCI-DSS audit. Then, on February 15 you bring in new systems that are not included in your password management processes. Are you still compliant? Until another security auditor comes in, indeed you are. The state of your overall security, however, is a different matter.
The IT environment is a dynamic ecosystem. There are always new systems coming in and new employees gaining access. Cybersecurity tends to fall apart if the tools and processes around privileged password management don’t account for change.
Shutting Off Access
When employees leave your company, you need to change your administrative passwords to keep them out of your systems. Here’s just one example of what can happen when a malicious ex-employee maintains her login credentials.
Former IT employees are potentially serious security threats. They know your password secrets. And odds are these ex-employees retain access long after their employment ends. Many organizations maintain static administrative passwords for months, if not longer, giving former employees plenty of time to access their old systems and business applications.
Blind Faith in Provisioning
This secret is in line with the previous one. Many companies rely on Identity and Access Management (IAM) products to provision and de-provision users. But they don’t necessarily think about the difference between user accounts and privileged accounts.
Conventional IAM products are great for managing individual user identities. But they don’t handle the privileged identities used to access systems, run programs and change configuration settings.
To keep your critical systems in check, you need a Privileged Identity Management (PIM) solution to secure your privileged account passwords, in addition to an IAM solution for your user account passwords.
Privileged Account Stasis
We’ve touched on privileged accounts, so let’s explore that topic further.
Privileged accounts are more prevalent than you might think. As an example, take your database infrastructure. You likely have dozens, if not hundreds, of applications making connections to your databases. These applications use their own credentials to access the databases. If your organization doesn’t have a product to automatically manage and secure those credentials, you face a security and compliance nightmare.
Not only can any old person who happens to come across those credentials access your most precious data stores, there is no way to tell the difference between an application accessing the database and an unauthorized user accessing the database with the same credentials.
And if these credentials rarely change, there’s no way to close this password Pandora’s Box. The passwords are out there and your people won’t unlearn them – unless you have a PIM product to continuously change privileged credentials.
Cumulative Access Rights
Without privileged password management controls, most long-term employees collect credentials like a janitor collects keys.
This is how it works. Bob starts out working in accounts receivable (AR). He’s provisioned with access to AR systems. Then he moves over to accounts payable (AP). His AR credentials are never revoked, but now he’s also given access to AP systems. A couple years down the line, Bob is temporarily assigned to a cross-functional accounting task force. In this role he needs credentials to some of other specialized systems. After the task-force completes its mission, Bob maintains his access rights to those special systems. Now the organization has a user with a toxic combination of access rights into its critical financial systems.
Here’s what you should do. Implement a strict policy curbing unlimited privileged access. Even when there is valid purpose for elevated access, there should still be an approval process to check out privileged credentials, along with time-limited access to those credentials. That way your users still get the access they need to do their jobs - but only the right level of audited access, and only for a restricted period.
What password secrets are lurking in your enterprise? Find out with the free Bomgar Discovery Tool. You’ll get a report about the privileged credentials being used to access endpoints and systems on your network, including the ages of the credentials.