Privileged Password Management Best Practices & Benefits
For holistic management of privileged accounts and credentials, execute across these eight core strategies:
1. Discover all privileged credentials, such as shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts. Include those used by third-parties/vendors– across your on-premise and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services/daemons, firewalls, routers etc. Discovery should illuminate where and how privileged passwords are being used, and help reveal security blind spots and malpractice, such as:
Long-forgotten, orphan accounts that could provide an attacker with a backdoor to your critical infrastructure,
Passwords with no expiration date
Inappropriately use of privileged passwords—such as using the same Admin account across multiple service accounts
SSH keys reused across multiple servers
Since new systems and enterprise applications can sprout up at any time, perform periodic discoveries to ensure every privileged credential is secure, centralized, and under management.
2. Bring privileged accounts and credentials under centralized management: Optimally, the onboarding process happens at the time of password creation, or otherwise, shortly thereafter during a routine discovery scan. All privileged credentials should be centrally secured, controlled, and stored.
3. Implement password rotation: Across every account, system, networked hardware and IoT device, application, service, etc. Passwords should be unique, complex, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability. The higher the security importance of the password, the more frequently it should be rotated. For instance, you may want to rotate superuser account (e.g., root, domain admin, etc.) and other highly privileged passwords after each use—known as one-time-passwords, or (OTPs).
4. Bring application passwords under management: Securing embedded passwords requires separating the password from the code, so that when it’s not in use, it’s securely stored in a centralized password safe, as opposed to being constantly exposed as when in plain text. This requires a third-party application password management or privileged password management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, you can wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates.
5. Bring SSH keys under management: Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair. Automated, third-party privileged password and SSH key management solutions will substantially simplify the process of creating and rotating SSH keys, eliminating SSH key sprawl, and ensuring SSH keys enable productivity without compromising security.
6. Implement privileged session management: To improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control over privileged sessions. IT needs to be able to audit privileged activity for both security and to meet regulations from SOX, HIPAA, GLBA, PCI-DSS, FDCC, FISMA, and more. Auditing activities can also include capturing keystrokes and screens (allowing for live view and playback). Some third-party solutions can provide automated workflows that give IT granular control over privileged sessions, such as allowing them to pinpoint an anomalous session and pause, lock, or terminate it until a determination is made that the activity is appropriate.
7. Threat analytics: Continuously analyze privileged password, user, and account behavior, to detect anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation can accelerate your awareness and orchestrated a response to threats, such as enabling you to immediately lock an account or session, or change a password, such as when incorrect passwords (as with a brute force or dictionary attack) have repeatedly tried to gain access to a sensitive asset.
8. Automate workflow management: While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle.