Expert Opinion Article: Best Practices for Privileged Access Management

August 2017 by John Hathaway, Regional Sales Director, Middle East, BeyondTrust

According to the 2017 Verizon Data Breach Investigation Report (DBIR), a whopping
81% of hacking-related breaches leveraged either stolen and/or weak passwords. One
way for organizations to avoid such attacks is by deploying a robust Privileged
Access Management (PAM) solution.

Privileged password management, sometimes called enterprise password management,
refers to the practice and technique of securely controlling credentials for
privileged accounts, services, systems, applications, and more. Unfortunately,
with so much power inherent in privileged credentials, they are ripe for abuse by
insiders and are highly coveted by hackers. Password attacks come from all
angles. Some programs, such as John the Ripper and L0phtCrack, can even crack
complex passwords, while Pass-the-Hash toolkits can be lethal without cracking
the password at all. In fact, according to the 2017 Verizon Data Breach
Investigation Report (DBIR)
(http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/), a whopping
81% of hacking-related breaches leveraged either stolen and/or weak passwords.

For holistic management of privileged accounts and credentials, there are eight
core areas that you should focus on. Most likely, achieving holistic enterprise
password management will follow a graduated approach, but let me share some
insights on where to start and how to proceed.

Discover all shared admin, user, application, and service accounts, SSH keys,
database accounts, cloud and social media accounts, and other privileged
credentials, including those used by third parties and vendors, across your
on-premise and cloud infrastructure. Discovery should include every platform
(Windows, Unix, Linux, cloud, on-prem, etc.), directory, hardware device,
application, service/daemon, firewall, router, etc. This process should also
entail gathering the user account details that help assess risk, such as
privilege level, password age, last logon and expiration dates, group
membership, and services with dependencies on the account. Discovery should
illuminate where and how privileged passwords are being used, and help reveal
security blind spots and malpractice, such as:

· Long-forgotten orphaned accounts that could provide an attacker with a
backdoor to your critical infrastructure
· Passwords with no expiration date
· Inappropriate use of privileged passwords, such as using the same Admin
account across multiple service accounts
· SSH keys reused across multiple servers
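The four blind spots above are exactly the kind of finding a discovery scan should surface automatically. The following is an added example, not code from the article or from BeyondTrust: it takes a constructed inventory of discovered accounts (hosts, names, fingerprints and dates are all made up) and runs one rule per bullet, flagging idle privileged accounts, passwords that never expire, an Admin account acting as the run-as identity for services on several hosts, and an SSH key fingerprint that grants access on more than one server. The `Account` record and the 180-day idle threshold are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    """One record from a (hypothetical) discovery scan."""
    host: str
    name: str
    kind: str                       # "admin", "service" or "user"
    privileged: bool
    password_age_days: int
    last_logon: Optional[date]      # None if the account has never logged on
    password_expires: bool
    ssh_fingerprint: Optional[str] = None               # key fingerprint granting access, if any
    services: List[str] = field(default_factory=list)   # services running under the account


TODAY = date(2017, 8, 1)   # reference date for the constructed sample


def find_orphaned(accounts: List[Account], today: date, max_idle_days: int = 180) -> List[str]:
    """Privileged accounts with no logon within max_idle_days (or none ever)."""
    found = []
    for a in accounts:
        if not a.privileged:
            continue
        idle = None if a.last_logon is None else (today - a.last_logon).days
        if idle is None or idle > max_idle_days:
            found.append(f"{a.name}@{a.host}")
    return found


def find_non_expiring(accounts: List[Account]) -> List[str]:
    """Privileged accounts whose password never expires."""
    return [f"{a.name}@{a.host}" for a in accounts if a.privileged and not a.password_expires]


def find_shared_admin(accounts: List[Account]) -> Dict[str, List[str]]:
    """Admin accounts used as the run-as identity for services on more than one host."""
    hosts: Dict[str, set] = defaultdict(set)
    for a in accounts:
        if a.kind == "admin" and a.services:
            hosts[a.name].add(a.host)
    return {name: sorted(h) for name, h in hosts.items() if len(h) > 1}


def find_reused_ssh_keys(accounts: List[Account]) -> Dict[str, List[str]]:
    """SSH key fingerprints that grant access on more than one host."""
    hosts: Dict[str, set] = defaultdict(set)
    for a in accounts:
        if a.ssh_fingerprint:
            hosts[a.ssh_fingerprint].add(a.host)
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}


def assess(accounts: List[Account], today: date) -> Dict[str, object]:
    """Run every rule and return the findings keyed by rule name."""
    return {
        "orphaned": find_orphaned(accounts, today),
        "non_expiring": find_non_expiring(accounts),
        "shared_admin": find_shared_admin(accounts),
        "reused_ssh_keys": find_reused_ssh_keys(accounts),
    }


# Constructed sample inventory; hosts, names and fingerprints are made up for this example.
SAMPLE = [
    Account("dc01", "Administrator", "admin", True, 30, date(2017, 7, 31), True),
    Account("app01", "Administrator", "admin", True, 90, date(2017, 7, 15), True, services=["Scheduler"]),
    Account("app02", "Administrator", "admin", True, 90, date(2017, 7, 20), True, services=["BackupAgent"]),
    Account("app01", "svc_deploy", "service", True, 600, date(2017, 1, 2), False),
    Account("db01", "root", "admin", True, 400, date(2017, 7, 29), False, ssh_fingerprint="SHA256:k1example"),
    Account("db02", "root", "admin", True, 400, date(2017, 7, 28), False, ssh_fingerprint="SHA256:k1example"),
    Account("web01", "deploy", "user", True, 250, date(2016, 12, 1), True, ssh_fingerprint="SHA256:k2example"),
]

if __name__ == "__main__":
    for rule, findings in assess(SAMPLE, TODAY).items():
        print(f"{rule}: {findings}")
```

Each rule is deliberately independent so that a single account can appear under several findings (here `svc_deploy@app01` is both idle and non-expiring), which is what a risk report should show rather than a single "worst" label.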

Bring privileged accounts and credentials under centralized management:
Optimally, onboarding happens at the time of password creation or, failing that,
shortly thereafter during a routine discovery scan. Silos of individuals or teams
independently managing their own passwords are a recipe for password sprawl and
human error. All privileged credentials should be centrally secured, controlled,
and stored. Ideally, your password storage supports industry-standard encryption
algorithms, such as AES 256 and Triple DES.

Implement password rotation across every account, system, networked hardware and
IoT device, application, service, etc. Passwords should be unique, never reused
or repeated, and randomized on a scheduled basis, upon check-in, or in response
to a specific threat or vulnerability.

Bring application passwords under management: Simply put, this requires
deploying a third-party application password management solution that forces
applications and scripts to call (or request) use of the password from a
centralized password safe. By implementing API calls, you can wrest control over
scripts, files, code, and embedded keys, eliminating hard-coded and embedded
credentials. Once this is accomplished, you can automate rotation of the
password as often as policy dictates. And, by bringing the application password
under management and encrypting it in a tamper-proof password safe, the
credential and underlying applications are vastly more secure than when the
passwords remained static and stranded within code.
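The rotation rules (unique, never reused, randomized on check-in) and the application-password flow described in the two sections above fit together in one check-out/check-in loop. The block below is an added example written for this article, not BeyondTrust code or any real product's API: `PasswordSafe` is a constructed in-memory stand-in for a centralized safe (a real one encrypts at rest and persists), `connect` is a hypothetical database client, and `backup_job_hardcoded` shows the embedded-credential pattern the text says to eliminate next to `backup_job`, which requests the credential from the safe and lets the check-in retire it through rotation.

```python
import hmac
import secrets
import string
from typing import Dict, List, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32) -> str:
    """Random password drawn from the OS CSPRNG; uniqueness is enforced by the safe."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PasswordSafe:
    """In-memory stand-in for a centralized password safe (constructed for this example).

    A real safe encrypts secrets at rest and persists them; this one only models the
    check-out / check-in flow and the rotation policy that hangs off it."""

    def __init__(self, rotate_on_checkin: bool = True):
        self._current: Dict[str, str] = {}      # account -> current password
        self._issued: Set[str] = set()          # every password ever issued, to forbid reuse
        self._checked_out: Dict[str, str] = {}  # account -> ticket held by the requester
        self.rotate_on_checkin = rotate_on_checkin
        self.rotations = 0
        self.audit: List[tuple] = []            # audit trail of every operation

    def _fresh(self) -> str:
        while True:
            pw = generate_password()
            if pw not in self._issued:          # unique: never repeat a password
                self._issued.add(pw)
                return pw

    def onboard(self, account: str) -> None:
        """Bring an account under management: the safe sets a password only it knows."""
        self._current[account] = self._fresh()
        self.audit.append(("onboard", account))

    def rotate(self, account: str, reason: str = "scheduled") -> None:
        self._current[account] = self._fresh()
        self.rotations += 1
        self.audit.append(("rotate", account, reason))

    def checkout(self, account: str, requester: str) -> Tuple[str, str]:
        """Hand the credential to a requester; one holder at a time."""
        if account in self._checked_out:
            raise PermissionError(f"{account} is already checked out")
        ticket = secrets.token_hex(8)
        self._checked_out[account] = ticket
        self.audit.append(("checkout", account, requester))
        return ticket, self._current[account]

    def checkin(self, account: str, ticket: str) -> None:
        """Return the credential; with rotate_on_checkin the password the requester saw is retired."""
        if not hmac.compare_digest(self._checked_out.get(account, ""), ticket):
            raise PermissionError("check-in ticket does not match")
        del self._checked_out[account]
        self.audit.append(("checkin", account))
        if self.rotate_on_checkin:
            self.rotate(account, reason="checkin")


def connect(host: str, user: str, password: str) -> dict:
    """Hypothetical stand-in for a database client; records that a connection was attempted."""
    return {"host": host, "user": user, "password_len": len(password)}


# BEFORE: the credential is static and stranded in the script itself.
def backup_job_hardcoded() -> dict:
    db_password = "P@ssw0rd2017"    # constructed example of an embedded credential
    return connect("db01", "svc_backup", db_password)


# AFTER: the script requests the credential from the safe for the duration of the job.
def backup_job(safe: PasswordSafe, requester: str = "backup-script") -> dict:
    ticket, password = safe.checkout("svc_backup", requester)
    try:
        return connect("db01", "svc_backup", password)
    finally:
        safe.checkin("svc_backup", ticket)   # check-in retires the password via rotation


if __name__ == "__main__":
    safe = PasswordSafe()
    safe.onboard("svc_backup")
    print(backup_job(safe))
    print(safe.audit)
```

Two design points carry over to a real deployment: the script never holds a credential that outlives the job (the check-in rotates it), and every check-out is tied to a requester in the audit trail, which is what makes the later "who used this account when" question answerable.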

Bring SSH keys under management: NIST IR 7966 offers guidance for businesses,
government organizations, and auditors on proper security governance for SSH
implementations, including recommendations around SSH key discovery, rotation,
usage, and monitoring. Approach SSH keys as just another password, albeit
accompanied by a key pair that must also be managed. Regularly rotate private
keys and pass phrases, and ensure each system has a unique key pair.

Implement Privileged Session Management to improve oversight and accountability
over privileged accounts and credentials. Privileged session management refers
to the monitoring, recording, and control of privileged sessions. IT needs to
be able to audit privileged activity both for security and to meet regulations
such as SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more. Auditing activities can
also include capturing keystrokes and screens (allowing for live view and
playback).

Threat Analytics: To mitigate risk, and evolve your policy as needed, you should
continuously analyze privileged password, user, and account behavior, and be
able to identify anomalies and potential threats. The more integrated and
centralized your password management, the more easily you will be able to
generate reports on accounts, keys, and systems exposed to risk. A higher degree
of automation can accelerate your awareness of, and orchestrated response to,
threats, for example by enabling you to immediately lock an account or session,
or change a password, when repeated incorrect passwords (as with a brute-force or
dictionary attack) have been used to try to gain access to a sensitive asset.
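The automated response the paragraph describes (repeated wrong passwords against a sensitive asset leading to an immediate account lock) can be expressed as a small sliding-window rule over authentication events. The block below is an added example and not code from the article or from any PAM product: the log lines are constructed and only loosely modeled on sshd messages, the host name and the 203.0.113.x / 198.51.100.x addresses are made up, and `BruteForceResponder` stands in for whatever the analytics component would call to lock an account. The threshold (5 failures in 60 seconds) is an assumption; in practice it would come from policy.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed sample lines, loosely modeled on sshd authentication messages; the host,
# accounts and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
2017-08-01T02:00:01 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
2017-08-01T02:00:02 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2
2017-08-01T02:00:03 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
2017-08-01T02:00:04 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51025 ssh2
2017-08-01T02:00:05 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51026 ssh2
2017-08-01T02:00:06 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51027 ssh2
2017-08-01T09:15:00 bastion sshd[5130]: Failed password for alice from 198.51.100.4 port 40021 ssh2
2017-08-01T09:15:20 bastion sshd[5130]: Accepted password for alice from 198.51.100.4 port 40021 ssh2
2017-08-01T09:16:00 bastion systemd[1]: Started Session 12 of user alice.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<account>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    host: str
    account: str
    source: str
    success: bool


def parse_line(line: str) -> Optional[AuthEvent]:
    """Turn one log line into an AuthEvent, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["host"], m["account"],
                     m["src"], m["outcome"] == "Accepted")


class BruteForceResponder:
    """Locks an account after `threshold` failures within `window_seconds` on one host."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = window_seconds
        self._failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.locked: Set[Tuple[str, str]] = set()
        self.actions: List[dict] = []       # what the responder decided to do, in order

    def observe(self, ev: AuthEvent) -> None:
        key = (ev.host, ev.account)
        q = self._failures[key]
        if ev.success:
            q.clear()                       # a successful logon resets the failure counter
            if key in self.locked:          # a locked account should not be able to log on
                self.actions.append({"action": "alert", "host": ev.host, "account": ev.account,
                                     "source": ev.source, "at": ev.ts.isoformat(),
                                     "reason": "logon succeeded on a locked account"})
            return
        q.append(ev.ts)
        while q and (ev.ts - q[0]).total_seconds() > self.window:
            q.popleft()                     # drop failures that fell out of the window
        if len(q) >= self.threshold and key not in self.locked:
            self.locked.add(key)
            self.actions.append({"action": "lock_account", "host": ev.host, "account": ev.account,
                                 "source": ev.source, "at": ev.ts.isoformat(), "failures": len(q)})


def run_detector(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Replay a log and return the responses the detector would have triggered."""
    responder = BruteForceResponder(threshold, window_seconds)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            responder.observe(ev)
    return responder.actions


if __name__ == "__main__":
    for action in run_detector(SAMPLE_LOG):
        print(action)
```

The lock fires on the fifth failure and is not repeated on the sixth, and a single failure followed by a success (the `alice` lines) produces nothing, so the rule reacts to the pattern of a dictionary attack rather than to an ordinary mistyped password. In a real deployment the "lock_account" action would be the call into the password safe or directory, and the "alert" branch is the check that the lock actually took effect.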

Automate Workflow Management: While you can certainly build your own internal
rule sets to trigger alerts, and apply some policies around password management,
third-party solutions provide robust capabilities that can streamline and
optimize the entire password management lifecycle. Third-party privileged
password management solutions can also help automate:

· Grouping and management of assets in accordance with Smart Rules
· Workflows for device access, including an approval process for when
administrative access is required. Consistent with least-privilege access, you
may want to add context to workflow requests by considering, and potentially
restricting, access depending on the account, day, date, time, timeframe, and
location (IP address) from which a user accesses resources
· Workflows to accommodate fire-call / break-glass requests to ensure access
to password-managed systems after hours, on weekends, or in other emergency
situations
· Checking passwords in and out of the password safe, and automated
authentication / Single Sign-On (SSO) for the user without any manual log-in
requirements
· Logging users on to RDP and SSH sessions without revealing passwords
· Triggers requesting a supervisor's approval in order to check out highly
sensitive credentials
· Commencement of privileged session monitoring and alerting on any sensitive
or suspicious activity

The ultimate goal of privileged password management is to reduce risk by
identifying, securely storing, and centrally managing every credential that
provides elevated access. Privileged password management works hand-in-hand with
implementing least privilege, and should be a foundational element of any
organization’s privileged access management (PAM) initiatives.

