Today is World Password Day. Brian Chappell, Director, Product Management at BeyondTrust, explains the best practices and benefits of privileged password management.
Privileged password management refers to the practice and techniques of securely controlling credentials for privileged accounts, services, systems, applications, machines and more. The ultimate goal of privileged password management is to reduce risk by identifying, securely storing and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege and should be a foundational element of any organisation’s privileged access management (PAM) initiatives.
Whereas in decades past, an entire enterprise might be sufficiently managed through just a handful of credentials, today’s environmental complexity means privileged credentials are needed for a multitude of different privileged account types (from domain admin and sysadmin to workstations with admin rights), operating systems (Windows, Unix, Linux, etc.), directory services, databases, applications, cloud instances, networking hardware, Internet of things (IoT), social media and more.
Most likely, achieving holistic enterprise password management will follow the course of a graduated approach but it’s essential that you focus on these eight areas.
Discover all privileged accounts
This includes shared admin, user, application and service accounts, SSH keys, database accounts, cloud and social media accounts and other privileged credentials – including those used by vendors – across your on-premises and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services/ daemons, firewalls, routers etc. This process should also entail the gathering of user account details that will help assess risk, such as privilege level, password age, date logged on and expired and group membership and services with dependencies to the account. Absent automation, comprehensive discovery is likely to be an inordinately time-consuming endeavor that relies on spreadsheets for recording and draws on multiple scripting languages, APIs, etc. A process that could take eternity (as counted in human years) with a manual approach can be condensed into just minutes with an automated solution.
Bring Privileged credentials under centralised management
Optimally, the onboarding process happens at the time of password creation or otherwise shortly thereafter during a routine discovery scan. Silos of individuals or teams (i.e. DevOps) independently managing their own passwords are a recipe for credential sprawl and human error. All privileged credentials should be centrally secured, controlled and stored. Ideally, your password storage supports industry-standard encryption algorithms, such as AES 256.
Implement password rotation
Rotation policies should address every privileged account, system, networked hardware and IoT device, application, service, etc. This reduces the threat window for password reuse attacks. Passwords should be unique, never reused or repeated and randomised on a scheduled basis, upon check-in or in response to specific threat or vulnerability.
Implement privileged session management
These solutions ensure complete oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording and control over privileged sessions. It needs to be able to audit privileged activity for both security and to meet regulations from SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA and more. Auditing activities can also include Dual Control (requiring two separate people to approve access or the execution of specific commands), the capturing of keystrokes and screens (allowing for live view and playback), the ability to record, lock and document suspicious behaviour without terminating sessions or productivity and other measures. You should be able to control, monitor and record every session across your privilege universe-whether initiated by employee or vendor, human or non-human.
Bring non-human/ machine credentials under centralsed management
Simply put, this requires deploying a third-party application password management or secrets management solution that forces applications and scripts to call (or request) use of the password from a centralised password safe. By implementing API calls, you can wrest control over scripts, files, code and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate management of the password as often as policy dictates. And by bringing the application password or DevOps secret under management and encrypting it in a tamper-proof safe, the credential and underlying applications/tools are vastly more secure than when the passwords remained static and stranded within code.
Bring SSH keys under management
NIST IR 7966 offers guidance for businesses, government organisations and auditors on proper security governance for SSH implementations that include recommendations around SSH key discovery, rotation, usage and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases and ensure each system has a unique key pair.
Utilise threat analytics
To mitigate risk and evolve your policy as needed you should continuously analyse privileged password, user and account behaviour and be able to identify anomalies and potential threats. The more integrated and centralised your password management, the more easily you will be able to generate reports on accounts, keys and systems exposed to risk. A higher degree of automation can accelerate your awareness and orchestrated response to threats, such as enabling you to immediately lock an account or session, or change a password, such as when incorrect passwords (as with a brute force or dictionary attack) have repeatedly tried to gain access to a sensitive asset.
Automate workflow management
While you can certainly build your own internal rule sets to trigger alerts and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimise the entire password management lifecycle. As with any IT security and governance project, start with a scope. Once you’ve completely discovered all of your privileged accounts and have a baseline of your privileged credential and asset risk, you can set priorities and flesh out a privileged credential policy.