As organizations migrate to the cloud and adopt more “as-a-Service” technologies, identity and access have become the perimeter. Remote workforces mean that limiting access according to the principle of least privilege is a fundamental security control. As part of securing applications and networks, organizations need to focus on users with privileged access because they pose greater insider and credential theft risks. Understanding privileged access management (PAM) and the various privileged users in your organization can mitigate data security and privacy risk.
What is Privileged Access Management (PAM)?
Privileged access refers to identities - human or machine - who have more access to data and resources than standard users. Sometimes called “superuser” accounts, these accounts have nearly unrestricted access to data, files, directories, and resources.
Privileged access management is the identity and access lifecycle management process that includes:
- Providing access
- Setting baselines for expected use
- Monitoring behaviors
- Detecting anomalies
- Remediating risk
What cybersecurity risks does privileged access create?
Since users with privileged access can gain access to anything and make any changes they want, it can lead to several security risks.
Whether purposely or accidentally, internal users with privileged access create a unique insider threat risk. Since their permissions let them access any resources and have the ability to make any changes, they have few controls preventing them from stealing or changing sensitive data, including:
- Personally identifiable information (PII)
- Protected health information (PHI)
- Corporate financial information
- Intellectual property
For the same reason that uses or entities with privileged access are an increased insider threat risk, they are highly sought after by threat actors. If malicious actors can steal login and password information that gives them privileged access, then all sensitive data is at risk.
Advanced Persistent Threat (APT)
Finally, privileged access is often the end goal for malicious actors engaging in advanced persistent threats. If they gain access to an organization’s systems and networks using a standard user’s login information, they try to move laterally and elevate their privileges. Once they have privileged access, they can do anything and steal any data that they want.
Examples of Human Identities with Privileged Access
Within an organization, several different types of employees will require privileged access to complete their job functions.
As the name implies, super users are the accounts with the most access. These people usually work in the IT department and need this access to:
- Change system, network, and application configurations
- Add users
- Remove users
- Delete data
Super users are the only ones who have access that allows them to change configurations.
Domain admins have access to all workstations and servers connected to an organization’s network domain. These users need this access to:
- Add users
- Delete users
- Set privileges for other users within the organization
Local admins only have access to individual endpoints or workstations. They can make any changes to an individual workstation, but they cannot make changes across the network, such as changing user permissions.
Sometimes referred to as “break glass” access, emergency access is when a user is given temporary administrative access to respond to an issue. For example, a local admin may be granted short-term domain admin access if they need to provide remote IT help to someone working from home.
Privileged business user
These users are people who need access to change or modify sensitive information stored in databases. For example, someone in accounting may need this type of access to pay a vendor when they complete a contract.
Examples of Machine Identities with Privileged Access
As more organizations automate routine tasks, machine identities have become more common. These digital identities authenticate to a network or system and engage in machine-to-machine communication.
Service accounts are the most common machine identities with privileged access. Applications and services use these to make changes to operating systems. For example, a service account may be used to automate security update installations.
While service accounts make changes to operating systems, application accounts administer, configure, or manage access to the application software. Each application has its own application account. This can make managing this type of privileged access difficult because as organizations add more applications, they add an equal number of application accounts.
Serverless functions are code-based programs that enable agile development. Developers often use serverless functions to make changes to applications and databases.
Why is PAM difficult?
While PAM is important to implement, it’s also challenging. The same reason that organizations need privileged access is the same reason that managing it is difficult.
Hard to keep track
While you think you only have a few privileged users or accounts, it’s often difficult to keep track of them over time. When people leave the organization, you need to terminate their access. Additionally, managing machine identities is even more difficult because every application has its own application account.
Unable to limit easily
By nature, privileged users need a lot of access. This means that you can’t just apply the principle of least privilege without getting in the way of the work they need to do. Many organizations give users who need privileged access two accounts - a standard one and a privileged one. While this might limit some privileged access risk, it also creates additional accounts that need management.
Often, admins share privileged credentials with one another so that no one person needs to be responsible. However, this means that even if an organization detects unusual behavior on a privileged account, it isn’t able to trace that activity back to a specific person.
Unmanaged machine identities
Since machine identities aren’t people, they don’t have the same protections. For example, privileged human users might be able to use multi-factor authentication, but a serverless function can’t get a push notification. Since they often need to communicate across the network with other programs and processes, setting times when they can have access and when they can’t have access can create workflow problems.
SecurityScorecard Building Cyber Resilience
SecurityScorecard’s security ratings platform enables organizations to continuously monitor their environments and ecosystems for greater visibility into their security posture. Our platform provides an easy-to-read score using an A-F rating scale for at-a-glance visibility into your current security posture.