Posted on Oct 11, 2021
As organizations migrate to the cloud and adopt more “as-a-Service” technologies, identity and access have become the perimeter. Remote workforces mean that limiting access according to the principle of least privilege is a fundamental security control. As part of securing applications and networks, organizations need to focus on users with privileged access because they pose greater insider and credential theft risks. Understanding privileged access management (PAM) and the various privileged users in your organization can mitigate data security and privacy risk.
Privileged access refers to identities - human or machine - who have more access to data and resources than standard users. Sometimes called “superuser” accounts, these accounts have nearly unrestricted access to data, files, directories, and resources.
Privileged access management is the identity and access lifecycle management process that includes:
Since users with privileged access can gain access to anything and make any changes they want, it can lead to several security risks.
Whether purposely or accidentally, internal users with privileged access create a unique insider threat risk. Since their permissions let them access any resources and have the ability to make any changes, they have few controls preventing them from stealing or changing sensitive data, including:
For the same reason that uses or entities with privileged access are an increased insider threat risk, they are highly sought after by threat actors. If malicious actors can steal login and password information that gives them privileged access, then all sensitive data is at risk.
Finally, privileged access is often the end goal for malicious actors engaging in advanced persistent threats. If they gain access to an organization’s systems and networks using a standard user’s login information, they try to move laterally and elevate their privileges. Once they have privileged access, they can do anything and steal any data that they want.
Within an organization, several different types of employees will require privileged access to complete their job functions.
As the name implies, super users are the accounts with the most access. These people usually work in the IT department and need this access to:
Super users are the only ones who have access that allows them to change configurations.
Domain admins have access to all workstations and servers connected to an organization’s network domain. These users need this access to:
Local admins only have access to individual endpoints or workstations. They can make any changes to an individual workstation, but they cannot make changes across the network, such as changing user permissions.
Sometimes referred to as “break glass” access, emergency access is when a user is given temporary administrative access to respond to an issue. For example, a local admin may be granted short-term domain admin access if they need to provide remote IT help to someone working from home.
These users are people who need access to change or modify sensitive information stored in databases. For example, someone in accounting may need this type of access to pay a vendor when they complete a contract.
As more organizations automate routine tasks, machine identities have become more common. These digital identities authenticate to a network or system and engage in machine-to-machine communication.
Service accounts are the most common machine identities with privileged access. Applications and services use these to make changes to operating systems. For example, a service account may be used to automate security update installations.
While service accounts make changes to operating systems, application accounts administer, configure, or manage access to the application software. Each application has its own application account. This can make managing this type of privileged access difficult because as organizations add more applications, they add an equal number of application accounts.
Serverless functions are code-based programs that enable agile development. Developers often use serverless functions to make changes to applications and databases.
While PAM is important to implement, it’s also challenging. The same reason that organizations need privileged access is the same reason that managing it is difficult.
While you think you only have a few privileged users or accounts, it’s often difficult to keep track of them over time. When people leave the organization, you need to terminate their access. Additionally, managing machine identities is even more difficult because every application has its own application account.
By nature, privileged users need a lot of access. This means that you can’t just apply the principle of least privilege without getting in the way of the work they need to do. Many organizations give users who need privileged access two accounts - a standard one and a privileged one. While this might limit some privileged access risk, it also creates additional accounts that need management.
Often, admins share privileged credentials with one another so that no one person needs to be responsible. However, this means that even if an organization detects unusual behavior on a privileged account, it isn’t able to trace that activity back to a specific person.
Since machine identities aren’t people, they don’t have the same protections. For example, privileged human users might be able to use multi-factor authentication, but a serverless function can’t get a push notification. Since they often need to communicate across the network with other programs and processes, setting times when they can have access and when they can’t have access can create workflow problems.
SecurityScorecard’s security ratings platform enables organizations to continuously monitor their environments and ecosystems for greater visibility into their security posture. Our platform provides an easy-to-read score using an A-F rating scale for at-a-glance visibility into your current security posture.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.