By: Brian Chappell, Director, Product Management at BeyondTrust
Privileged Password Management refers to the practice and techniques of securely controlling credentials for privileged accounts, services, systems, applications, machines, and more. The ultimate goal of privileged password management is to reduce risk by identifying, securely storing, and centrally managing every credential that provides elevated access. It works hand-in-hand with implementing least privilege and should be a foundational element of any organization’s privileged access management (PAM) initiatives.
Whereas in decades past an entire enterprise might be sufficiently managed through just a handful of credentials, today’s environmental complexity means privileged credentials are needed for a multitude of different privileged account types (from Domain admin and sysadmin to workstations with admin rights), operating systems (Windows, Unix, Linux, etc.), directory services, databases, applications, cloud instances, networking hardware, internet of things (IoT), social media, and more.
Most likely, achieving holistic enterprise password management will follow the course of a graduated approach but it’s essential that to focus on these eight areas.
This includes shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts, and other privileged credentials – including those used by vendors– across your on-premise and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services / daemons, firewalls, routers etc. This process should also entail the gathering of user account details that will help assess risk, such as privilege level, password age, date logged on, and expired, and group membership and services with dependencies to the account.
Optimally, the onboarding process happens at the time of password creation, or otherwise, shortly thereafter during a routine discovery scan. Silos of individuals or teams (i.e. DevOps) independently managing their own passwords are a recipe for credential sprawl and human error. All privileged credentials should be centrally secured, controlled, and stored. Ideally, the password storage supports industry-standard encryption algorithms, such as AES 256.
Rotation policies should address every privileged account, system, networked hardware, and IoT device, application, service, etc. This reduces the threat window for password reuse attacks. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability.
These solutions ensure complete oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control over privileged sessions. IT needs to be able to audit privileged activity for both securities and to meet regulations from SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more.
Simply put, this requires deploying a third-party application password management or secrets management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, helps wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate management of the password as often as policy dictates.
NIST IR 7966 offers guidance for businesses, government organizations, and auditors on proper security governance for SSH implementations that include recommendations around SSH key discovery, rotation, usage, and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair.
To mitigate risk, and evolve your policy as needed, you should continuously analyze privileged password, user, and account behavior, and be able to identify anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk.
While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle.
As with any IT security and governance project, start with a scope. Once you’ve completely discovered all of your privileged accounts and have a baseline of your privileged credential and asset risk, you can set priorities and flesh out a privileged credential policy.
