Privileged Account Management
Managing the privileged account lifecycle
By Gerard Taylor, Senior Consultant, Ubusha Technologies

Companies are increasingly aware of the security risks posed by privileged accounts within their organisations. Products have emerged to help businesses discover existing privileged accounts, audit their state and monitor their usage. Organisations have started to manage assigned access to privileged accounts and to ensure that passwords are changed regularly, but have failed to grasp the bigger picture: the full lifecycle of a privileged account involves much more than password and usage management. It must explain and substantiate the account from its inception through to de-provisioning.

This understanding is crucial, because privileged accounts are typically built into systems with the level of access needed to implement and run an application or to connect to databases and other data stores, and these accounts often operate without the knowledge or approval of upper management. This happens because such systems and applications are mostly implemented at department or business unit level rather than at corporate level.

In addition, most privileged accounts are not linked to a specific accountable person and are often shared by multiple users, which, without effective lifecycle management and audit awareness, exposes an organisation to unnecessary risk. The same applies to unmanaged privileged accounts that remain active within the corporate system after the application they served has become obsolete.

Managing the existence of the account itself

Businesses are under increasing pressure to identify who is using privileged accounts and what they are being used for. While it is important to manage and audit users' permissions, usage and access to a privileged account, most companies, even those with effective password and assignment controls, struggle to manage the existence of privileged accounts themselves.

The means are not always available to determine which accounts have been created and whether they are still in use or should be de-provisioned. Over time, a business may enable a large number of privileged accounts, and without visibility of these accounts, corporates expose themselves to significant security risk and possible breaches if the accounts are not timeously de-provisioned. This is especially relevant where personnel with intimate knowledge of IT systems leave the organisation yet retain the ability to access sensitive systems and data, leaving the business open to serious breaches and damage.

Five key questions

To negate these risks, it is crucial to ensure that privileged accounts exist only for as long as they are needed and no longer. Mature management of privileged accounts means that a business is able to answer the following five questions:
•    Why does this privileged account exist?
•    Who is accountable for its existence?
•    Who approved the existence and why?
•    When was the approval granted?
•    When last was the existence of this privileged account reviewed?

Ultimately, the most important reason for ensuring complete and effective lifecycle management of privileged accounts is the safety and security of the business as a whole. Poor privileged account management inevitably raises the probability of attack, both external and internal. The question remains: can any organisation afford to leave the back door wide open and unsecured?

Interested to learn more? Click on the following links to view copies of the full article on ITWeb, or a serialised blog on the international CyberArk website.