Privileged accounts exist in every organization, just as vaults exist at every local bank branch. Vaults and privileged accounts have several things in common. Both are responsible for protecting vital assets, and, if you have the right password or combination, you can get access to everything stored in or on them. In the case of the bank vault, this includes things like gold bars, jewelry, and lots of cold hard cash. Similarly, access to privileged accounts lets you obtain all kinds of data – from personal financial and medical records to business and government trade secrets. It’s debatable which of these would be more valuable to have access to, but, as far as which is easier to access, the hands-down winner is privileged accounts.
So, what lessons can we learn from the bank about protecting privileged accounts? Typically, each device has a privileged account that provides complete access to it, along with all the critical applications and data on it. Organizations often focus a lot of effort on protecting the perimeter of their network and neglect to secure privileged access to the devices inside it. Don’t get me wrong, protecting the perimeter is very important, but not securing privileged access is like a bank leaving the vault open just because it has secured the building. So, take a lesson from your bank and make sure you have a secure process for granting access to the privileged accounts through which your critical data and applications are reached.
Banking organizations also know that even though they must trust someone with the combination to the vault, they still have to monitor the vault with a surveillance system. This point is even more crucial when it comes to privileged accounts. Unlike a bank, which might have only one or two individuals who need access to the vault, an organization has many individuals – both inside and outside the organization – who need access to its infrastructure assets. Obviously, IT administrators need access to them, but so do help desk associates, developers, vendors, and even some applications and scripts. Making sure you know which users have accessed those privileged accounts, and when, is vitally important. It’s equally important to be able to actually see what they are doing, or have done, with that access, especially for individuals outside the organization.
I have rarely heard about a bank vault being robbed, but I know of more than a dozen breaches last year alone that involved misuse or theft of privileged credentials. I would contend that taking the steps for privileged accounts outlined above puts your organization on a more level playing field by both securing your vault and installing cameras.