Privileged Password Management is the secure storing, sharing, creating, and handling of privileged passwords. Privileged password management may alternatively be referred to as privileged credential management, enterprise password management, enterprise password management, enterprise password security. Privileged passwords are a subset of credentials that provide elevated access and permissions across accounts, applications, and systems.
Most organizations rely on some variation of a privileged password management “solution.” It could simply (but hopefully not) be an Excel spreadsheet for simple password tracking, or it could be an advanced enterprise password management solution that automates privileged account and credential discovery, onboarding, access control, centralized protection and storage, rotation, alerting, reporting, and oversight of all the enterprise’s credentials across an organization that provide elevated privileged access rights.
Privileged passwords are a subset of credentials that provide elevated access and permissions across accounts, applications, and systems. In modern IT environments, privileged credentials are needed for a multitude of different privileged account types (from root, to domain admin and sysadmin to workstations with admin rights), operating systems (Windows, Unix, Linux, etc.), directory services, databases, applications, cloud instances, networking hardware, internet of things (IoT), social media, and more.
Superuser privileged account passwords—such as Root in Linux and Unix, and Administrator in Windows can provide the authenticated user with almost unrestricted privileged access rights across an organization’s systems and data. Consequently, these types of privileged credentials are highly prized by external attackers and malevolent insiders alike. The Verizon Data Breach Investigations study implicated weak, default, or stolen passwords in 63% of confirmed data breaches, while Forrester Research estimates that 80% of security breaches involve privileged credentials.
Here’s an infographic on the keys to creating robust privileged credentials that can withstand common exploits and cyberattacks:
Human-managed passwords: With so many (constantly changing) passwords to remember, employees are prone to forget passwords, potentially locking them out of systems. To compensate, they may apply the same passwords for multiple accounts, select easy-to-guess passwords, or resort to recording passwords on paper or within electronic documents, such as MS Word or spreadsheets. One risk here is that hackers could correlate, along with email addresses and usernames, the password from one compromised account to other services or accounts that may be using the same password.
Lack of visibility and awareness: Of all of the privileged accounts and credentials across an enterprise poses a considerable challenge. Different teams may be separately managing—if managing at all—their own set of credentials, making it difficult to track all the passwords, let alone who has access to them and who uses them. An admin may have access to 100+ systems, possibly disposing them to take shortcuts in maintaining the credentials. And some types of credentials (embedded in applications for instance) may be virtually impossible to find, let alone bring under management, without third-party tools.
Lack of privileged credential oversight and auditability: IT teams commonly share root, Windows Administrator, and many other privileged passwords (i.e. DevOps secrets), which may make it impossible to trace actions performed with an account to a single individual, complicating auditing and accountability. For both compliance and security reasons, IT needs visibility into the activities performed during the privileged session (the period of time during which elevated privileges are granted to an account, service, or process).
Hard-coded/embedded credentials: Privileged credentials are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Applications, systems, and IoT devices, are commonly shipped, and often deployed, with embedded, default credentials that are easily guessable and pose a substantial risk until they are brought under management.
SSH keys: SSH key sprawl presents an oft-overlooked risk for thousands of organizations, which may have upwards of a million SSH keys—many long dormant and forgotten, but still viable backdoors for hackers to infiltrate critical servers. As with other privileged credentials, SSH keys are not necessarily tied to a single user—multiple people may share the private key and passphrase to a server, which holds the public key.
Privileged credentials and the cloud: Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide vast superuser capabilities, enabling users to rapidly provision, configure, and delete servers at massive scale. Within these consoles, users can spin-up and manage thousands of virtual machines (each with its own set of privileges and privileged accounts that needs to be brought under management) with just a few clicks
Third-party vendor accounts/remote access solutions: How do you ensure that the authorization provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organization is not sharing credentials, or otherwise exercising poor password hygiene?
Password attacks come from all angles. Some programs can even crack complex passwords, while Pass-the-Hash (PtH) toolkits can be lethal without even cracking the password.
Rotation of privileged account passwords after every use and least privilege enforcement (such as separating different types of privileged and non-privileged accounts, and even better, removing admin rights from endpoints) are important security controls to thwart password reuse attacks, such as PtH, Pass the Ticket (PtT), and Golden Ticket attacks, as well as many other exploit types.
Additionally, increased password length and the use of nonsensical characters help thwart brute force attacks and dictionary attacks.
For holistic management of privileged accounts and credentials, execute across these eight core strategies:
1. Discover all privileged credentials, such as shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts. Include those used by third-parties/vendors– across your on-premise and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services/daemons, firewalls, routers etc. Discovery should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:
Long-forgotten, orphan accounts that could provide an attacker with a backdoor to your critical infrastructure,
Passwords with no expiration date
Inappropriately use of privileged passwords—such as using the same Admin account across multiple service accounts
SSH keys reused across multiple servers
Since new systems and enterprise applications can sprout up at any time, perform periodic discoveries to ensure every privileged credential is secure, centralized, and under management.
2. Bring privileged accounts and credentials under centralized management: Optimally, the onboarding process happens at the time of password creation, or otherwise, shortly thereafter during a routine discovery scan. All privileged credentials should be centrally secured, controlled, and stored.
3. Implement password rotation: Across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, complex, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability. The higher the security importance of the password, the more frequently it should be rotated. For instance, you may want to rotate superuser account (e.g., root, domain admin, etc.) and other highly privileged passwords after each use—known as one-time-passwords, or (OTPs).
4. Bring application passwords under management: Securing embedded passwords requires separating the password from the code, so that when it’s not in use, it’s securely stored in a centralized password safe, as opposed to being constantly exposed as when in plain text. This requires a third-party application password management or privileged password management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, you can wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates.
5. Bring SSH keys under management: Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair. Automated, third-party privileged password and SSH key management solutions will substantially simplify the process of creating and rotating SSH keys, eliminating SSH key sprawl, and ensuring SSH keys enable productivity without compromising security.
6. Implement privileged session management: To improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control over privileged sessions. IT needs to be able to audit privileged activity for both security and to meet regulations from SOX, HIPAA, GLBA, PCI-DSS, FDCC, FISMA, and more. Auditing activities can also include capturing keystrokes and screens (allowing for live view and playback). Some third-party solutions can provide automated workflows that give IT granular control over privileged sessions, such as allowing them to pinpoint an anomalous session and pause, lock, or terminate it until a determination is made that the activity is appropriate.
7. Threat analytics: Continuously analyze privileged password, user, and account behavior, to detect anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation can accelerate your awareness and orchestrated a response to threats, such as enabling you to immediately lock an account or session, or change a password, such as when incorrect passwords (as with a brute force or dictionary attack) have repeatedly tried to gain access to a sensitive asset.
8. Automate workflow management: While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle.
Without end-to-end automation, enforcement of privileged password security best practices will likely be an inordinately time-consuming, virtually impossible, endeavor. Enterprise password management solutions can streamline and automate the entire privileged credential lifecycle, ensuring password best practices are always enforced.