Seven Steps to Secure Privileged Access

December 7, 2018
  1. Eliminate Network Takeovers: Attackers who gain access to domain controllers can take over your network and cause long-term damage. Privileged credentials associated with these assets should be moved to a centralized and automated PAM system with MFA to protect them.
  2. Control and Secure Infrastructure Accounts: Privileged credentials in on-premises and cloud infrastructure accounts, from server admin to database instance accounts, are some of the riskiest in any organization. These credentials should be vaulted, with passwords rotated automatically, both periodically and after every use.
  3. Limit Lateral Movement: Lateral movement is critical to advancing an attack: this is when attackers study your infrastructure and find its weak spots. To limit attackers’ movement, remove local admin rights on IT Windows workstations to stop credential theft.
  4. Block the Third-Party Backdoor: Attackers go after third-party vendors and supply chain partners as a way to infiltrate target organizations. To minimize risk, it’s important to vault all privileged credentials used by third-party applications and vendors and to rotate credentials frequently.
  5. Secure SSH Keys: SSH keys are gold to attackers and can be exploited to log in with root access and take over the *NIX (Linux and Unix) technology stack. These keys should be vaulted and routinely rotated based on policy. Automating this process to eliminate human error is a best practice.
  6. Defend DevOps: DevOps secrets are the newest ‘privileged credentials’ and exist both in the cloud and on-premises. Vault and automatically rotate all public cloud privileged accounts, keys and API keys. Additionally, keep secrets used by CI/CD tools such as Ansible, Jenkins and Docker in a vault, where they can be retrieved on the fly, automatically rotated and managed.
  7. Secure SaaS Admins and Privileged Business Users: Exploited privileged credentials for SaaS applications could give attackers high-level and stealthy access to sensitive systems. All shared access to these systems should be isolated and require MFA.
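
As an added illustration of step 5 (not code from the original article or from any PAM product), the following sketch audits an authorized_keys file against a vault inventory and flags keys that are unmanaged or overdue for rotation. The inventory format (fingerprint mapped to last rotation date), the 90-day limit, and all sample keys and account names are assumptions constructed for the example.

```python
import base64
import hashlib
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed policy value; the article names no interval
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")

def fingerprint(b64_blob):
    """SHA256 fingerprint in the format printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, blob, comment), skipping any leading options field.
    Naive about quoted option values that themselves contain a key-type token."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break

def audit(authorized_keys_text, vault_inventory, today):
    """Return (comment, finding) for every key that violates the policy."""
    findings = []
    for _key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        rotated = vault_inventory.get(fingerprint(blob))
        if rotated is None:
            findings.append((comment, "unmanaged"))   # not in the vault at all
        elif (today - rotated).days > MAX_KEY_AGE_DAYS:
            findings.append((comment, "overdue"))     # vaulted but stale
    return findings

def _blob(label):
    # Constructed stand-in for a public-key blob; not a real key.
    return base64.b64encode(label.encode()).decode()

# Constructed sample data: three entries, one carrying an options prefix.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {_blob('key-a')} deploy@build01
from="10.0.0.5",no-pty ssh-rsa {_blob('key-b')} backup@db02
ssh-ed25519 {_blob('key-c')} unknown@laptop
"""
SAMPLE_INVENTORY = {  # hypothetical vault export: fingerprint -> last rotation
    fingerprint(_blob("key-a")): date(2018, 11, 20),
    fingerprint(_blob("key-b")): date(2018, 6, 1),
}

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_INVENTORY, date(2018, 12, 7)):
        print(f"{finding}: {who}")
```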