Managing Shared Accounts for Privileged Users: 5 Best Practices for Achieving Control and Accountability

Scott Lang, November 20th, 2014

Many IT organizations use shared accounts for privileged users, administrators or applications so that they can have the access they need to do their jobs. If managed incorrectly though, this practice presents significant security and compliance risks from intentional, accidental or indirect misuse of shared privileges.

Even for the savviest IT teams, the task of managing shared accounts introduces complexities and risks, including:

  • Embedded and hardcoded passwords present opportunities for misuse by both insiders and external attackers on the network.
  • Passwords for application-to-application and application-to-database access are often left out of management strategies.
  • Static passwords can easily leave the organization, and manual password rotation tends to be unreliable.
  • Auditing and reporting on privileged access is complex and time consuming.

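The first bullet above, embedded and hardcoded passwords, is the one a team can start checking for today without any product. The following script is an added example (not code from the original post or from BeyondTrust) of a simple defensive scan: it walks a set of files, matches assignment lines whose key looks like a credential, and skips values that are only references to a vault or an environment variable. The file contents are constructed sample data, and the key names and placeholder conventions it recognises are assumptions about typical configuration styles.

```python
import re

# Constructed sample files; none of these paths or values come from a real system.
SAMPLE_FILES = {
    "app/config.properties": (
        "db.url=jdbc:postgresql://db.internal/orders\n"
        "db.user=svc_orders\n"
        "db.password=Winter2014!\n"          # embedded literal password
    ),
    "deploy/env.sh": (
        "export API_TOKEN=\"${VAULT_API_TOKEN}\"\n"   # reference to a vault, not a literal
        "export ADMIN_PASSWORD=''\n"                   # empty placeholder
    ),
    "src/backup.py": (
        "import subprocess\n"
        "passwd = 'backup-r0tate-me'\n"      # hardcoded in source
        "subprocess.run(['pg_dump', '-U', 'backup'])\n"
    ),
    "docs/README.md": "Set DB_PASSWORD in the environment before starting.\n",
}

# Assignment line whose key contains a credential-like word (heuristic; case-insensitive).
KEY_PATTERN = re.compile(
    r"""(?ix)
    ^\s*(?:export\s+)?
    (?P<key>[\w.\-]*(?:passw(?:or)?d|pwd|secret|api[_-]?key|token)[\w.\-]*)
    \s*[=:]\s*
    (?P<value>.+?)\s*$
    """
)

# Values that are indirections rather than secrets: ${VAR}, {{ var }}, <fill-me>, %VAR%, $VAR.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|\{\{.*\}\}|<.*>|%.*%|\$\w+)$")


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def scan_text(path, text):
    """Return one finding per line that assigns a literal value to a credential-like key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = KEY_PATTERN.match(line)
        if not match:
            continue
        value = _unquote(match.group("value"))
        if not value or PLACEHOLDER.match(value):
            continue  # empty or an indirection: not an embedded secret
        # Record where it is and which key, never the secret value itself.
        findings.append({"path": path, "line": lineno, "key": match.group("key")})
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents and return findings in path order."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']}: literal value assigned to {finding['key']}")
```

The report deliberately records only the location and key name, so the output can be shared with system owners without spreading the credential further. A heuristic like this produces false positives (any key containing "token", for instance) and should be treated as a worklist for moving the credential into managed storage, not as proof of compromise.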
Recent breaches exploiting privileged credentials have brought to light the imperative to improve control and accountability over access to shared accounts. So how do organizations ensure accountability of shared privileged accounts to meet compliance and security requirements without impacting administrator productivity? Consider these five best practices:

1. Deploy a single, hardened, appliance-based solution with broad platform support and functionality 

Ensure your solution provider delivers privileged password management and session management as one solution (the two really should not be separate products), deployed in a single hardened physical or virtual appliance with broad support for operating systems, databases, applications, devices and directories. Remember, it’s more than just user passwords. Consider the complexity and risk of managing privileged passwords for service accounts, between applications (A2A), and to databases (A2DB). Everything your solution provider does should be about reducing the number of interfaces and the administration required.

2. Discover and profile to give greater control 

Leverage a distributed network discovery engine to scan, identify and profile all users and services – and then automatically bring the systems and accounts under management. Discovering and profiling all known and unknown assets, shared accounts, user accounts, and service accounts, and then placing them under intelligent rules gives greater control.

3. Monitor sessions with full playback 

Your solution should record privileged sessions in real time via a proxy session monitoring service for SSH and RDP, so that the user never sees the account password. DVR-style playback provides detailed auditing of shared account access, helping to meet the password protection and audit requirements of compliance mandates such as SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and others.

4. Make it easy on yourself by using standard desktop tools 

Using standard desktop tools such as PuTTY and Microsoft Terminal Services Client ensures you can leverage commonly used management tools without the need for Java.

5. Gain greater insights through reporting and analytics 

Look for a single pane of glass to collect, correlate, trend and analyze key metrics. Gaining greater insights – for example, information on password age – helps to identify the accounts and systems that require action.
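Practices 2 and 5 fit together: discovery tells you which privileged accounts exist, and reporting on the managed set tells you which of them are stale. The script below is an added example (not code from the original post or from BeyondTrust) that reconciles a discovered-account inventory against a managed-account inventory, computes password age against a per-account-type rotation policy, and produces the kind of metrics a dashboard would trend. The systems, account names, dates and the rotation limits are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed rotation policy: maximum password age in days per account type.
MAX_AGE_DAYS = {"shared_admin": 30, "service": 90, "application": 90}


@dataclass(frozen=True)
class DiscoveredAccount:
    """An account found by discovery on a system (constructed sample data)."""
    system: str
    name: str
    kind: str


@dataclass(frozen=True)
class ManagedAccount:
    """An account under management, with the date its password was last rotated."""
    system: str
    name: str
    last_rotated: date


# Constructed inventories; no real hosts or accounts.
DISCOVERED = [
    DiscoveredAccount("fw-edge-01", "admin", "shared_admin"),
    DiscoveredAccount("db-prod-02", "svc_backup", "service"),
    DiscoveredAccount("db-prod-02", "sa", "shared_admin"),
    DiscoveredAccount("app-web-03", "orders_app", "application"),
    DiscoveredAccount("app-web-03", "Administrator", "shared_admin"),
]
MANAGED = [
    ManagedAccount("fw-edge-01", "admin", date(2014, 11, 10)),
    ManagedAccount("db-prod-02", "svc_backup", date(2014, 6, 1)),
    ManagedAccount("app-web-03", "orders_app", date(2014, 10, 15)),
]


def build_report(discovered, managed, as_of):
    """Reconcile discovery against management and classify every discovered account."""
    managed_index = {(m.system, m.name): m for m in managed}
    unmanaged, overdue, ok = [], [], []
    for acct in discovered:
        record = managed_index.get((acct.system, acct.name))
        if record is None:
            # Discovered but not under management: no rotation, no session audit.
            unmanaged.append({"system": acct.system, "name": acct.name, "kind": acct.kind})
            continue
        age = (as_of - record.last_rotated).days
        limit = MAX_AGE_DAYS[acct.kind]
        entry = {"system": acct.system, "name": acct.name, "kind": acct.kind,
                 "age_days": age, "limit_days": limit}
        (overdue if age > limit else ok).append(entry)
    managed_entries = overdue + ok
    return {
        "unmanaged": unmanaged,
        "overdue": sorted(overdue, key=lambda e: e["age_days"], reverse=True),
        "ok": ok,
        # Metrics worth trending over time on a dashboard.
        "coverage": len(managed_entries) / len(discovered) if discovered else 1.0,
        "oldest_age_days": max((e["age_days"] for e in managed_entries), default=0),
    }


def summarize(report):
    """Render the report as plain text lines, worst problems first."""
    lines = [f"coverage: {report['coverage']:.0%} of discovered privileged accounts managed",
             f"oldest managed password: {report['oldest_age_days']} days"]
    for e in report["unmanaged"]:
        lines.append(f"UNMANAGED  {e['system']}/{e['name']} ({e['kind']})")
    for e in report["overdue"]:
        lines.append(f"OVERDUE    {e['system']}/{e['name']} age {e['age_days']}d > {e['limit_days']}d")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(build_report(DISCOVERED, MANAGED, as_of=date(2014, 11, 20)))))
```

Run against the sample data as of 2014-11-20, the report shows two accounts discovery found that are not under management and one service account whose password is 172 days old against a 90-day limit. Coverage and oldest-password-age are the two numbers to trend: the first should climb toward 100% as discovery feeds accounts into management, and the second should fall to within policy once rotation is automated.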

There are a multitude of solutions available to address the need for greater control and accountability over privileged access. BeyondTrust PowerBroker Password Safe automates password and session management, providing secure access control, auditing, alerting and recording for any privileged account – from local or shared administrator accounts to service and application accounts. By improving accountability and control over privileged access, IT organizations can reduce security risks and achieve compliance objectives.