Privileged Account

What is a Privileged Account?

A privileged account is a login credential to a server, firewall, or another administrative account. Often, privileged accounts are referred to as admin accounts. Your Local Windows Admin accounts and Domain Admin accounts are examples of admin accounts.

When we talk about privileged accounts, we’re talking about the actual username and password; these two things together make up the account.

Privileged accounts are used to access sensitive IT resources such as servers, databases, applications, or workstations. With a privileged account, users not only gain initial access but can also adjust permissions, make backdoor accounts, or change, delete, and extract sensitive, private data. In most organizations, IT staff have one account with standard-level permissions and another account for performing operations that require privileged access.

Privileged accounts within an enterprise environment typically include:

Domain Admin accounts that control Active Directory users.
System Admin accounts that manage servers, cloud platforms, and databases.
Root accounts for superusers that manage Unix/Linux platforms.
Accounts that run and manage applications, services, and scheduled tasks, IIS application pools (.NET applications), and networking equipment such as firewalls, routers, and switches. These are typically called service or workload accounts and often run without direct human oversight.
Local administrative accounts on workstations allow users to install printers, change languages, or execute other commands.

A privileged account is allowed to do more things (i.e. it has more privileges) than a normal account. Privileged accounts are doorways to an organization’s “kingdom”—the place where sensitive information is stored—and as such, they need to be very secure. Examples of sensitive information include medical records, credit card details, social security numbers, government files, and more.

What are the risks of unmanaged privileged accounts?

Every unknown or unmanaged privileged account increases your organization’s vulnerability and presents an opportunity for intrusion.

An employee may access a privileged account to perform unauthorized tasks, intentionally or unintentionally, breaking compliance regulations and increasing your liability.
A disgruntled ex-employee who retains access to the privileged account can cause harm.
A cybercriminal can find the privileged account and penetrate your organization, steal information, and wreak untold havoc.

If a single privileged account is used across your organization to run many services or applications, when that account is breached, your risk increases exponentially. An attacker can gain access to virtually any information within your organization’s IT network with only one compromised privileged account.

How do privileged accounts become unmanaged?

Organizations often have two to three times more privileged accounts than they have employees. Virtually all organizations have some unknown or unmanaged privileged accounts, significantly increasing their risk of a cyberattack. Some have thousands of these unmanaged accounts.

This can happen for various reasons:

An ex-employee’s privileged account was never disabled, resulting in an orphaned account.
A privileged account is utilized less and less often until it becomes obsolete and is abandoned.
Default accounts for new devices were never disabled.
Accounts are granted too much access and then forgotten or left unmonitored.
Privileged accounts provided to third parties or contractors for specific projects were never removed after the work was completed.
Service accounts operate without human oversight or documentation of the systems or processes that depend on them. Teams are hesitant to disable these types of privileged accounts because they don’t want to risk disruption.

How does PAM protect privileged accounts?

With Privileged Access Management (PAM), privileged accounts are managed via a PAM vault. The vault creates and stores “secrets” (passwords, keys, certificates) that unlock privileged accounts.

Privileged users must check out those secrets to gain access to privileged accounts and thus target systems. In addition, PAM provides accountability and oversight of how privileged accounts are used. Privileged session management and recording at the vault/gateway level monitors and reports on the use of privileged accounts throughout your organization.