Poorly managed privileged credentials represent a huge compliance and security risk, leaving organizations just as vulnerable as a hole in a firewall. The more people with such credentials and the more systems they can access, the greater the threat.
According to a recent global security survey, three-fourths of organizations surveyed say they have been hit by a security breach within the past 12 months. Clearly, these trends are unsustainable, yet most companies attempting to improve their data security profile focus solely on external threats and ignore the proliferation of internal ones, especially privileged users and accounts.
Eliminating this threat, however, doesn't have to be particularly arduous or expensive. Organizations can take steps to mitigate the security risks associated with privileged accounts and users.
First, it's important for IT administrators to take inventory of privileged users and accounts. It's impossible to mitigate the risks of privileged accounts if an organization doesn't know how many it has or who needs access to them. Privileged accounts exist for almost every device and application within the organization. Creating a list of where these accounts are and who or what systems access them can help an organization identify where it is most vulnerable to internal security breaches.
Additionally, organizations should enforce strict change management processes to privileged passwords. Most organizations do a better job at this for regular users than for privileged accounts, but enforcing strong passwords and changing them regularly is even more important for privileged accounts. Privileged passwords should also be stored securely. When an inventory of all accounts and passwords is created, it is immediately put at risk of being compromised.
Whenever possible, organizations should ensure individual accountability and the lowest level of privileged access. Many of the compliance regulations in the industry today require that organizations know exactly who has access to what and when they have it. In addition, it's necessary to provide only the level of access a user needs in order to perform the task at hand—the lower the level the better.
Most importantly, organizations need to audit and report on privileged access on a regular basis. Simply controlling what privileged users are allowed to do is not enough; it is also necessary to audit what they are doing. Regular reporting helps to identify when privileged passwords are changed and which users have used potentially harmful commands. Continual auditing and reporting is mandatory for understanding the state of security for privileged access and identify areas that require improvement.
While there is no simple silver bullet for securing an organization's resources, combining each of these practices can dramatically reduce the risks associated with privileged access while providing a better understanding of where any security gaps may be.