
    Privileged Access Management Best Practices

    For the past two years, Gartner has named Privileged Access Management (PAM) the top IT security priority. Privileged account credentials for domain admins, service, application, and root accounts are valuable targets. When attackers gain these credentials, they can exploit your most sensitive information and critical systems. Privileged access gives them the power to alter data, change configurations, or even shut down your operations. Masquerading as privileged users, they can cover their tracks and go undetected for months or longer. Still, 85% of organizations fail to meet even basic PAM security hygiene.

    Want to own your PAM journey? Observing the PAM best practices described in this post will get you going in the right direction.

    However, we recommend you also view one of these—select one based on your comfort level:
    • Get better acquainted with PAM basics in our PAM for Dummies e-book
    • Take your existing program to the next level with our Expert’s Guide to Privileged Access Management

    So what should be on your list to protect your privileged accounts and protect your organization?
    Here are our best practices for Privileged Access Management.

    PAM Best Practices

    Understand your internal PAM landscape: Without knowing where privileged accounts exist, organizations may be leaving in place backdoor accounts that allow users to bypass proper controls and auditing. External attackers may create user accounts for later access that can go undetected for months.

    Start by identifying what a privileged account is for your organization. It’s different for every company so it’s crucial you map out what important business functions rely on data, systems, and access. Gain a working understanding of who has privileged account access and when those accounts are used, because you can’t manage privileged accounts that you don’t know about.
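As an added example of the discovery step (this is not code from the original post or from any PAM product), the following Python script builds a privileged-account inventory for a Linux host from its account files. The `/etc/passwd`, `/etc/group` and `sudoers` contents are constructed samples, and the criteria used for "privileged" (uid 0, membership in an admin group, or a direct sudoers rule) are assumptions that should be adjusted to match your own definition from the step above.

```python
"""Inventory privileged accounts from constructed Linux account files.

Added example. The three file contents below are constructed samples, not
data from a real host. "Privileged" is assumed to mean: uid 0, membership in
an admin group (wheel/sudo/root or any group granted rights in sudoers), or a
direct sudoers rule. Primary-group membership via the passwd gid field is
deliberately not considered here.
"""
import re
from dataclasses import dataclass, field

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup-svc:x:1002:1002:Backup service:/var/backup:/bin/sh
toor:x:0:0:leftover admin:/root:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:
"""

SUDOERS = """\
# constructed sudoers excerpt
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
backup-svc ALL=(root) NOPASSWD: /usr/bin/rsync
"""

ADMIN_GROUPS = {"wheel", "sudo", "root"}  # assumed admin groups


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    reasons: list = field(default_factory=list)  # why it counts as privileged


def parse_passwd(text):
    """Return {username: Account} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), shell)
    return accounts


def parse_group(text):
    """Return {groupname: set(members)} from group-format text."""
    members = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        gname, _pw, _gid, mlist = line.split(":")
        members[gname] = {m for m in mlist.split(",") if m}
    return members


# A user or %group specification followed by a host list ("ALL=...").
SUDO_RULE = re.compile(r"^(%?[\w.-]+)\s+\S+=")


def parse_sudoers(text):
    """Return (users, groups) that have at least one sudoers rule."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        who = m.group(1)
        if who.startswith("%"):
            groups.add(who[1:])
        else:
            users.add(who)
    return users, groups


def find_privileged(passwd_text, group_text, sudoers_text):
    """Return {username: Account} for every account that meets a criterion."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    privileged = {}
    for name, acct in accounts.items():
        if acct.uid == 0:
            # A second uid-0 account besides root is exactly the kind of
            # leftover backdoor the discovery step is meant to surface.
            acct.reasons.append("uid 0" if name == "root" else "uid 0 (duplicate of root)")
        for g in ADMIN_GROUPS | sudo_groups:
            if name in groups.get(g, set()):
                acct.reasons.append(f"member of {g}")
        if name in sudo_users:
            acct.reasons.append("direct sudoers rule")
        if acct.reasons:
            privileged[name] = acct
    return privileged


if __name__ == "__main__":
    for name, acct in sorted(find_privileged(PASSWD, GROUP, SUDOERS).items()):
        print(f"{name:12} uid={acct.uid:<5} {'; '.join(acct.reasons)}")
```

Running it lists `root`, `toor`, `alice`, `bob` and `backup-svc` with the reason each one qualifies, while `daemon` is excluded. The same structure extends to other sources (domain group membership, cloud IAM role bindings) by adding a parser that feeds the same `reasons` list.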

    Write a formal privileged account password policy: It’s critical to have privileged account password protection policies in place to prevent unauthorized access and demonstrate security compliance. You can use this Privileged Access Management policy template, which was developed according to best practice standards from SANS, NIST, GLBA, ISO17799, and ISO9000.

    Your policy should include requirements for both human and non-human accounts. For human accounts, you should use passphrases, which are a type of password that while still complex is easier to remember. Just this year the National Institute of Standards and Technology (NIST) removed its recommendations around complexity requirements for human accounts.


    You should also choose the timing by which all privileged passwords are changed. Generally, non-human or system-based account passwords should be changed frequently; human accounts secured with multi-factor authentication may not need to be changed as frequently or could be changed only when a known risk or breach is uncovered. It’s critical that all privileged account passwords can be updated automatically and simultaneously, both on a regular basis to meet compliance mandates, and on an ad-hoc basis, such as when an admin leaves or if a security breach occurs.
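The rotation timing described above can be expressed as a small policy check. The following Python code is an added example, not the post's own or any vendor's implementation; the account records, the 30-day and 90-day maximum ages, and the trigger names (`admin_departure`, `breach`) are constructed assumptions. It applies the three rules from the paragraph: service accounts rotate on a short schedule, MFA-protected human accounts rotate only on an event, and an ad-hoc trigger forces every privileged credential to rotate at once.

```python
"""Decide which privileged credentials are due for rotation.

Added example. Accounts, maximum ages and trigger names are constructed
assumptions; plug in your own policy values.
"""
from dataclasses import dataclass
from datetime import date

# Assumed maximum credential age in days, by account class.
MAX_AGE_DAYS = {
    "service": 30,        # non-human / system accounts: rotate frequently
    "human_no_mfa": 90,   # human accounts without MFA
}

# Ad-hoc events that force rotation of every privileged credential.
FORCE_ROTATION_TRIGGERS = {"admin_departure", "breach"}


@dataclass
class PrivAccount:
    name: str
    kind: str            # "service" or "human"
    last_rotated: date
    mfa: bool = False    # only meaningful for human accounts


def rotation_reason(acct, today, triggers=()):
    """Return why this credential must rotate now, or None if it may wait."""
    forced = FORCE_ROTATION_TRIGGERS.intersection(triggers)
    if forced:
        return "ad-hoc rotation: " + ", ".join(sorted(forced))
    age = (today - acct.last_rotated).days
    if acct.kind == "service":
        limit = MAX_AGE_DAYS["service"]
        return f"service credential is {age}d old (limit {limit}d)" if age > limit else None
    if acct.mfa:
        # Human account behind MFA: scheduled rotation is not required,
        # it rotates only when a trigger fires.
        return None
    limit = MAX_AGE_DAYS["human_no_mfa"]
    return f"human credential without MFA is {age}d old (limit {limit}d)" if age > limit else None


def plan_rotation(accounts, today, triggers=()):
    """Return {account name: reason} for every credential due today."""
    plan = {}
    for acct in accounts:
        reason = rotation_reason(acct, today, triggers)
        if reason:
            plan[acct.name] = reason
    return plan


# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    PrivAccount("svc-backup", "service", date(2024, 1, 20)),
    PrivAccount("svc-deploy", "service", date(2024, 3, 1)),
    PrivAccount("alice", "human", date(2023, 6, 1), mfa=True),
    PrivAccount("bob", "human", date(2023, 11, 1), mfa=False),
]

if __name__ == "__main__":
    today = date(2024, 3, 15)
    for name, why in plan_rotation(SAMPLE_ACCOUNTS, today).items():
        print(f"scheduled: {name}: {why}")
    for name, why in plan_rotation(SAMPLE_ACCOUNTS, today, triggers=("breach",)).items():
        print(f"forced:    {name}: {why}")
```

On the sample data the scheduled run flags `svc-backup` and `bob`, while passing a `breach` trigger flags all four accounts, which is the "automatically and simultaneously" behaviour a PAM vault needs to support.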

    Change default usernames and passwords: This may seem obvious but using default usernames and passwords creates significant risk as they are an exceptionally easy target for cyber criminals to compromise. Default software configurations for systems, devices, and applications often include simple, publicly documented passwords. These systems usually don’t have a user interface to manage these passwords, and the default passwords are typically identical within all systems from a specific vendor or a product line. These default passwords are intended for initial installation, configuration, and testing operations, and must be changed before deploying the system in a production environment.

    Manage shared accounts: Shared accounts are another easy target for cyber criminals and provide little to no accountability. Shared accounts lack access control and cannot be properly attributed to incidents because one user can’t be directly linked to specific account activity due to the shared nature of the account. This adds to the security risk. PAM security solutions are critical here to manage these accounts with full auditing of access and usage.

    Monitor activity on privileged accounts: Privileged accounts should be protected through session monitoring, recording, and auditing. This helps enforce proper behavior and adherence to security protocols and can help avoid mistakes by employees and other IT users because they know their activities are being monitored. Security teams must be able to see at a glance which policies are implemented and exceptions that require closer attention or additional user education. If a breach does occur, monitoring privileged account use helps digital forensics identify the root cause and identify critical controls that can be improved to reduce your risk of future cybersecurity threats.

    Auditing privileged accounts also gives you cybersecurity metrics that provide executives, such as the Chief Information Security Officer (CISO), with vital information to make more informed business decisions. Auditors also use this information to see who had access to what information and why.
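To make the monitoring point concrete, here is an added example (not code from the original post or from any PAM product) of detection logic run over a handful of constructed privileged-session log lines. The line format, the set of privileged and shared accounts, the per-account baseline of expected source addresses, and the business-hours window are all assumptions; the three rules it applies are the ones a reviewer would typically want to see at a glance: a privileged session outside business hours, one from a source address not seen before for that account, and any session on a shared account that cannot be attributed to a person.

```python
"""Flag notable privileged sessions in constructed log lines.

Added example. Log format, account sets, source baselines and the
business-hours window are constructed assumptions.
"""
import re
from datetime import datetime, time

# Assumed inventory, e.g. produced by a discovery step.
PRIVILEGED_USERS = {"root", "alice", "svc-deploy"}
SHARED_ACCOUNTS = {"svc-deploy"}
# Assumed per-account baseline of source addresses seen in normal use.
BASELINE_SOURCES = {
    "root": {"10.0.1.5"},
    "alice": {"10.0.1.5", "10.0.2.7"},
    "svc-deploy": {"10.0.1.5"},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # UTC, Monday to Friday

# Constructed log lines; timestamps are UTC.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z host=db01 user=root src=10.0.1.5 event=session_open
2024-03-05T03:14:07Z host=db01 user=root src=10.0.1.5 event=session_open
2024-03-05T10:00:00Z host=web02 user=alice src=203.0.113.9 event=session_open
2024-03-05T11:00:00Z host=web02 user=bob src=10.0.1.5 event=session_open
2024-03-06T12:00:00Z host=app01 user=svc-deploy src=10.0.1.5 event=session_open
"""

LINE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) event=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, host, user, src, event = m.groups()
    # fromisoformat() only accepts a trailing 'Z' on newer Pythons.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "when": when, "host": host, "user": user, "src": src, "event": event}


def off_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.time() < end)


def rules_for(ev):
    """Return the names of every rule the event trips."""
    hits = []
    if ev["event"] != "session_open" or ev["user"] not in PRIVILEGED_USERS:
        return hits
    if off_hours(ev["when"]):
        hits.append("off_hours")
    if ev["src"] not in BASELINE_SOURCES.get(ev["user"], set()):
        hits.append("unknown_source")
    if ev["user"] in SHARED_ACCOUNTS:
        hits.append("shared_account_session")
    return hits


def scan(lines):
    """Run the rules over log lines and return one alert dict per hit."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in rules_for(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "rule": rule})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['rule']:24} user={a['user']} host={a['host']} src={a['src']}")
```

On the sample lines the scan produces three alerts: the 03:14 `root` session (off hours), the `alice` session from an address outside her baseline, and the `svc-deploy` session, which is flagged simply because a shared account was used and the activity cannot be tied to an individual. The `bob` line is ignored because `bob` is not in the privileged inventory, which is why the discovery step has to come first.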


    Implement least privilege: Least privilege is a security model whereby once a user is verified, the user’s access is limited to only what’s necessary to accomplish their specific task or job. If any user action requires more access than granted via policy rules, permissions to elevate privileges are strictly controlled and monitored. This means no more full local administrator access to endpoints and helps minimize the risk associated with compromised endpoints, the most common entry point for attack. Removing local administrative privileges on endpoints blocks that common attack vector and reduces your attack surface. Using application control behind the scenes to enable the applications users need to do their jobs allows least privilege to succeed with no downtime or loss of productivity.

    Establish privileged access governance: Governance ensures that privileged account access is properly controlled and monitored throughout the entire lifecycle. It defines the roles, policies, and mechanisms for access requests, as well as the workflow for privileged access approvals and delivery. It also ensures that account permissions remain appropriate over time. PAM governance can also intersect with other IT security systems, such as IT ticketing systems, identity governance tools, and identity and access management solutions.

    Ensure buy-in across your organization: Cybersecurity and Privileged Access Management must be visible and a positive experience for all employees across departments, including your executive team. Proper security awareness training is a good way to share your organization’s security policies and build an understanding of the associated risks when those policies are not followed. Training also helps your staff become better employees by empowering them to do their jobs better.

    We know that PAM is not a simple fix and the approach to PAM is not the same for every organization. The PAM Lifecycle approach provides a framework to help PAM experts manage privileged access as a continuous process. The key stages of the Lifecycle include:

    • Define: define what ‘privileged access’ means and identify what a privileged account is for your organization
    • Discover: identify your privileged accounts and implement continuous discovery to curb privileged account sprawl, identify potential insider abuse, and reveal external threats
    • Manage & Protect: proactively manage and control privileged account access, schedule password rotation, audit, analyze, and manage individual privileged session activity
    • Monitor: Monitor and record privileged account activity
    • Detect Usage: ensure visibility into the access and activity of your privileged accounts in real-time to spot suspected account compromise and potential user abuse
    • Respond: take action to protect compromised accounts and systems based on defined policy and breach intelligence
    • Review & Audit: help identify unusual behaviors that may indicate a breach or misuse through continuous observation of how privileged accounts are being used

    We want to make you a self-sufficient security champion so you can own your PAM journey, and observing these PAM best practices will get you going in the right direction. Then, depending on your level of PAM maturity, you can either get better acquainted with PAM basics in the aforementioned PAM for Dummies e-book, or take your existing program to the next level with our PAM Expert’s Guide.