Part 3 in our series of 3 blogs covering privileged password management fundamentals, definitions, challenges, threats, best practices, benefits, and solutions.
Ultimately, the goal of privileged password management is to manage the lifecycle of privileged credentials effectively, so that users and applications can authenticate securely to resources and perform special processes. Most organizations lie somewhere on the continuum between manual and automated processes in their enterprise password management approach. With threats coming from insiders who have honed internal knowledge of systems and resources, and from attackers armed with automated hacking toolkits, organizations relying on manual processes to manage passwords are at a considerable disadvantage.
In this section, you will discover eight core areas of focus to improve your management of privileged accounts and credentials. Most likely, achieving holistic enterprise password management will follow the course of a graduated approach. By reading on, you will discover insights on where to start and how to proceed.
Also, while you can tackle each of the eight areas piecemeal by applying a combination of manual and automated solutions, if you’re ultimately interested in a completely automated approach, don’t fret—you shouldn’t need eight different solutions. In fact, some privileged password management solutions will provide automated capabilities and a streamlined workflow across the entire password management lifecycle.
For holistic management of privileged accounts and credentials, focus on these eight areas:
1) Discover all shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts, and other privileged credentials, including those used by third parties and vendors, across your on-premises and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, cloud, on-prem, etc.), directory, hardware device, application, service or daemon, firewall, router, and so on. This process should also gather the user account details that help assess risk, such as privilege level, password age, date logged on, expiration status, group membership, and services with dependencies on the account. Discovery should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:
- Long-forgotten orphaned accounts that could provide an attacker with a backdoor to your critical infrastructure
- Passwords with no expiration date
- Inappropriate use of privileged passwords, such as using the same Admin account across multiple service accounts
- SSH keys reused across multiple servers
Findings from the discovery allow you to rethink your policies and re-tune the access permissions for the accounts. Since new systems and enterprise applications can sprout up at any time, you will need to perform periodic discoveries to ensure every privileged credential is secure, centralized, and under management.
- Manual approach vs. automated discovery solutions: Absent automation, comprehensive discovery is likely to be an inordinately time-consuming endeavor that relies on spreadsheets for recording, and draws on multiple scripting languages, APIs, etc. Even then, this approach will frequently result in missed credentials and security gaps (see more on application password management below). With third-party solutions, you can automate scanning of IP addresses, ports, systems, services, applications, cloud, and even social media accounts. A process that could take an eternity (as counted in human years) with a manual approach can be condensed into just minutes with an automated solution.
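As an added illustration (not code from the original post or from any vendor product), the Python example below triages a discovery export for the risk indicators listed above: non-expiring passwords, password age, orphaned accounts, and one account shared across several services. The CSV columns, the sample rows, and the 90-day and 180-day thresholds are assumptions made for the example.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; the column names are assumptions for this example.
INVENTORY_CSV = """\
account,host,privilege,password_set,last_logon,password_expires,used_by_services
svc_backup,db01,admin,2019-03-01,2019-04-10,never,backupd
Administrator,web01,admin,2024-01-15,2024-05-30,2024-07-15,iis;sqlagent;scheduler
jdoe_adm,dc01,admin,2024-05-01,2024-06-01,2024-08-01,
oldvendor,fw01,admin,2018-07-07,,never,
"""

def load(text):
    """Parse the discovery export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def assess(rows, today, max_password_age=90, orphan_after=180):
    """Return {(account, host): [finding codes]} for accounts that need attention.

    The 90-day and 180-day thresholds are assumptions; set them from your policy.
    """
    findings = {}
    for r in rows:
        issues = []
        if r["password_expires"] == "never":
            issues.append("NO_EXPIRY")
        if (today - date.fromisoformat(r["password_set"])).days > max_password_age:
            issues.append("STALE_PASSWORD")
        # No logon on record, or none within the window: candidate orphaned account.
        last = r["last_logon"]
        if not last or (today - date.fromisoformat(last)).days > orphan_after:
            issues.append("ORPHANED")
        # One credential backing several services: a compromise affects them all.
        if len([s for s in r["used_by_services"].split(";") if s]) > 1:
            issues.append("SHARED_ACROSS_SERVICES")
        if issues:
            findings[(r["account"], r["host"])] = issues
    return findings

if __name__ == "__main__":
    for key, issues in assess(load(INVENTORY_CSV), date(2024, 6, 15)).items():
        print(key, ", ".join(issues))
```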
2) Bring privileged accounts and credentials under centralized management: Optimally, the onboarding process happens at the time of password creation, or otherwise shortly thereafter during a routine discovery scan. Silos of individuals or teams independently managing their own passwords are a recipe for password sprawl and human error. All privileged credentials should be centrally secured, controlled, and stored. Ideally, your password storage supports industry-standard encryption algorithms, such as AES 256 and Triple DES. Of the two, AES 256 is the one to choose for new deployments, since NIST has deprecated Triple DES.
- Manual approach vs. automated solution: You could centralize storage of privileged credentials in an encrypted database, and also record values in an Excel spreadsheet. An automated enterprise password safe solution will provide an encrypted database from which you can manage the password lifecycle. An enterprise password safe can automatically enforce your privileged password management policy, such as password complexity, uniqueness (different passwords per asset, account, etc.), expiration, rotation, check in and check out, elimination of default passwords, and other rules. A password safe solution drastically simplifies discovery and onboarding of credentials for new privileged accounts as they’re created.
3) Implement password rotation across every account, system, networked hardware and IoT device, application, service, etc. As covered earlier, passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to a specific threat or vulnerability.
- Manual vs. automated password rotation: You can rotate privileged credential values in an Excel spreadsheet and then manually log in to the associated accounts and systems. While not highly scalable, this can provide some password management coverage in simple environments, but management and rotation of some types of credentials (e.g. hard-coded passwords and keys) will likely prove impossible. An automated, third-party approach relying on an enterprise password safe means you can rest assured that all of your privileged credentials (thousands to millions) are regularly rotated at intervals set by your policy. Additionally, with an enterprise password safe, you can seamlessly synchronize the password changes in the directory where the account resides with the changes in the system/device/application/service where the password is used, to avoid any downtime.
4) Bring application passwords under management: Simply put, this requires deploying a third-party application password management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, you can wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates. And, by bringing the application password under management and encrypting it in a tamper-proof password safe, the credential and underlying applications are vastly more secure than when the passwords remained static and stranded within code.
5) Bring SSH keys under management: NIST IR 7966 offers guidance for businesses, government organizations, and auditors on proper security governance for SSH implementations, including recommendations around SSH key discovery, rotation, usage, and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair.
- Manual vs. automated SSH key management: To identify accounts set up to use SSH keys, you could manually pore through the authorized_keys file in each user's hidden .ssh folder, but this still won’t help you identify who has the private key matching any of the public keys in the file. While manual SSH key management is better than no management at all, in even modestly complex environments, manual rotation of SSH keys is an unsustainable strategy. If this is the case, look to a third-party solution to generate unique key pairs for each system, and perform frequent rotation. Automated, third-party SSH key management solutions will substantially simplify the process of creating and rotating SSH keys, eliminating SSH key sprawl, and ensuring SSH keys enable productivity without compromising security.
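The check for "SSH keys reused across multiple servers" from the discovery step, and the manual review of authorized_keys files described here, can be scripted as follows. This is an added example, not code from the original post; the host names, accounts, and key blobs are constructed placeholders, and it assumes the authorized_keys contents have already been collected from each system.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a public key blob, in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) for each key line, skipping any options prefix.

    Splitting on whitespace is a simplification: an option value that itself
    contains a key-type token would be misread.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break

def find_reuse(fleet):
    """Return {fingerprint: [(host, account), ...]} for keys trusted on more than one host."""
    seen = defaultdict(set)
    for (host, account), text in fleet.items():
        for fp, _comment in parse_authorized_keys(text):
            seen[fp].add((host, account))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({host for host, _ in locs}) > 1}

# Constructed sample: placeholder key blobs, not real keys.
KEY_A = base64.b64encode(b"constructed-key-material-A").decode()
KEY_B = base64.b64encode(b"constructed-key-material-B").decode()
FLEET = {
    ("web01", "root"): f"ssh-ed25519 {KEY_A} ops@laptop\n",
    ("db01", "root"): f'# legacy\nfrom="10.0.0.5",no-pty ssh-ed25519 {KEY_A} ops@laptop\n',
    ("db01", "backup"): f"ssh-rsa {KEY_B} backup@cron\n",
}

if __name__ == "__main__":
    for fp, locations in find_reuse(FLEET).items():
        print(fp, locations)
```

The output shows where a public key is trusted, not who holds the matching private key, which is the gap the paragraph above points out.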
6) Implement Privileged Session Management to improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control over privileged sessions. IT needs to be able to audit privileged activity both for security and to meet regulations such as SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more. Auditing activities can also include capturing keystrokes and screens (allowing for live view and playback).
- Manual vs. third-party privileged session management solutions: While you can certainly manually implement some processes, such as screen recording, automated solutions allow you to accomplish it seamlessly and at the scale of hundreds or thousands of concurrent sessions. Moreover, some third-party solutions can provide automated workflows that give IT granular control over privileged sessions, such as allowing them to pinpoint an anomalous session and pause, lock, or terminate it until a determination is made that the activity is appropriate.
7) Threat Analytics: To mitigate risk, and evolve your policy as needed, you should continuously analyze privileged password, user, and account behavior, and be able to identify anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation can accelerate your awareness of, and orchestrated response to, threats. For example, it can enable you to immediately lock an account or session, or change a password, when incorrect passwords have been tried repeatedly against a sensitive asset (as with a brute force or dictionary attack).
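The lock-on-repeated-failures response described above can be expressed as a sliding-window rule over authentication events. This is an added example, not code from the original post; the log format, the sample lines, and the threshold of five failures in two minutes are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: timestamp result account asset source_ip
AUTH_LOG = """\
2024-06-15T02:10:01 FAIL svc_sql db01 10.0.4.23
2024-06-15T02:10:09 FAIL svc_sql db01 10.0.4.23
2024-06-15T02:10:17 FAIL svc_sql db01 10.0.4.24
2024-06-15T02:10:25 FAIL svc_sql db01 10.0.4.23
2024-06-15T02:10:33 FAIL svc_sql db01 10.0.4.24
2024-06-15T03:00:00 FAIL admin fw01 10.0.9.1
2024-06-15T03:30:00 FAIL admin fw01 10.0.9.1
2024-06-15T04:00:00 FAIL admin fw01 10.0.9.1
2024-06-15T04:30:00 FAIL admin fw01 10.0.9.1
2024-06-15T05:00:00 FAIL admin fw01 10.0.9.1
2024-06-15T09:00:05 FAIL jdoe_adm dc01 10.20.3.4
2024-06-15T09:00:40 FAIL jdoe_adm dc01 10.20.3.4
2024-06-15T09:01:10 OK jdoe_adm dc01 10.20.3.4
"""

def accounts_to_lock(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {(account, asset): {"at": time, "sources": [...]}} for lockouts.

    Flags an account once `threshold` failed logons to the same asset fall
    inside `window`. Both values are assumptions; take them from your policy.
    Lines must be in chronological order.
    """
    recent = defaultdict(deque)   # (account, asset) -> failures inside window
    flagged = {}
    for line in log_text.splitlines():
        ts_text, result, account, asset, source = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_text)
        failures = recent[(account, asset)]
        failures.append((ts, source))
        while ts - failures[0][0] > window:   # drop failures older than window
            failures.popleft()
        if len(failures) >= threshold and (account, asset) not in flagged:
            flagged[(account, asset)] = {
                "at": ts, "sources": sorted({src for _, src in failures})}
    return flagged

if __name__ == "__main__":
    print(accounts_to_lock(AUTH_LOG))
```

Only svc_sql on db01 is flagged: the five failures against admin on fw01 are spread over two hours, and jdoe_adm mistyped twice before logging on.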
8) Automate Workflow Management: While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle. Third-party privileged password management solutions can also help automate:
- Grouping and management of assets in accordance with Smart Rules.
- Workflows for device access, including an approval process for when administrative access is required. Consistent with least privileged access, you may want to add context to workflow requests by considering, and potentially restricting, access depending on the account, day, date, time, timeframe, and location (IP addresses) when a user accesses resources.
- Workflows to accommodate fire-call / break-glass requests to ensure access to password-managed systems after hours, on weekends, or in other emergency situations.
- Check in and check out passwords from the password safe and automated authentication / Single Sign On (SSO) for the user without any manual log-in requirements. This means privileged credentials, including for cloud administrative consoles, are never revealed to the user.
- Logon of users for RDP and SSH sessions, without revealing passwords.
- Triggers requesting a supervisor’s approval in order to check out highly sensitive credentials.
- Commencement of privileged session monitoring and alerting of any sensitive or suspicious activity.
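The context-aware checkout, supervisor approval, and break-glass workflows in this list can be combined into a single decision function. This is an added example, not code from the original post or any product; the policy fields, credential names, and the rule that break-glass waives only the time window are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical policy for this example; names and values are assumptions.
POLICY = {
    "allowed_networks": [ip_network("10.20.0.0/16")],
    "allowed_weekdays": {0, 1, 2, 3, 4},     # Monday to Friday
    "allowed_hours": range(8, 18),           # 08:00 to 17:59
    "approval_required": {"domain-admin", "root@payments-db"},
}

def evaluate_checkout(credential, source_ip, when, break_glass=False,
                      approved_by=None, policy=POLICY):
    """Return (decision, reasons): ALLOW, PENDING_APPROVAL or DENY."""
    reasons = []
    deny = False
    addr = ip_address(source_ip)
    if not any(addr in net for net in policy["allowed_networks"]):
        reasons.append("SOURCE_IP")
        deny = True
    in_window = (when.weekday() in policy["allowed_weekdays"]
                 and when.hour in policy["allowed_hours"])
    if not in_window:
        if break_glass:
            # Fire-call access is granted but always surfaced for review.
            reasons.append("BREAK_GLASS_REVIEW")
        else:
            reasons.append("OUTSIDE_HOURS")
            deny = True
    if deny:
        return "DENY", reasons
    if credential in policy["approval_required"] and not approved_by:
        reasons.append("APPROVAL_REQUIRED")
        return "PENDING_APPROVAL", reasons
    return "ALLOW", reasons

if __name__ == "__main__":
    saturday_night = datetime(2024, 6, 15, 23, 0)
    print(evaluate_checkout("svc-web", "10.20.3.4", saturday_night))
    print(evaluate_checkout("svc-web", "10.20.3.4", saturday_night, break_glass=True))
```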
How to Implement Privileged Password Management / Where to Start
As with any IT security and governance project, start with a scope. Once you’ve completely discovered all of your privileged credentials and have a baseline of your privileged credential and asset risk, you can set priorities and flesh out a privileged password policy. Incrementally implement automation across your privileged password management lifecycle to help scale your efforts to enforce best practices around passwords.
As you know, tackling privileged password management doesn’t occur in a vacuum. You should have a strong handle on the principle of least privilege, and will need to implement it within an over-arching privileged access management framework. You can download a PDF of the entire Privileged Password Management Explained blog series.
Matt Miller, Director, Content Marketing