Hikers have a saying that goes, “The terrain is not the map.” Upon finding, for instance, that a bridge no longer exists, one might ask, “Wait a minute… you mean a US Geological Survey map from 1953 doesn’t reflect current conditions?” “Yup. The terrain is not the map.” So it goes in IT as well.
The topology of a network, application architecture, and user access settings will inevitably change over time. It’s quite likely, too, that some of these changes have not been caught by those responsible for protecting information assets from unauthorized use. The IT terrain is not the IT map. Robust security comes from protecting the actual terrain. In the context of privileged access, this reality is especially significant.
Security needs will evolve and change over time.
The Privileged Access Risk
A privileged, or admin, user has the authority to access the administrative back ends of critical systems. In this role, a privileged user can set up, modify, or delete system configurations, data, user accounts, and so forth. They can sometimes override other security controls, perhaps erasing the evidence that they were even there. A privileged user can be anyone, or indeed, anything. While most privileged users are employees, some are contractors, outside vendors, or even automated third-party services.
It’s a trusted role, for good reason. Either through error or malicious intent, a privileged user can cause serious security risk exposure. Attackers frequently impersonate privileged users to gain access to confidential data or otherwise protected system settings. Misusers of privileged accounts include hackers, malicious insiders, former employees who have retained privileged access rights, and outside personnel. Without effective management and monitoring, privileged accounts are vulnerable to abuse.
Unmonitored privileged accounts are one of your biggest security risks.
Privileged Access Management (PAM)
Privileged Access Management (PAM)—sometimes called “Privileged Account Management”—is the work of mitigating privileged access risk. Typically achieved through a combination of processes and tooling, PAM aims to control privileged access and monitor privileged account sessions. PAM is an important countermeasure for potential abuses of privileged accounts.
A PAM solution, such as the WALLIX Bastion, offers security managers a way to manage access to any administrative back end. With WALLIX in effect, a privileged user must go through the Access Manager to conduct an administrative session.
The Access Manager contains rules for who can access what, and when. It enables managers to grant, revoke, and modify privileges. For example, if an email administrator is transferred to a different role, he or she will no longer need privileged access to the email server. With Access Manager, this privilege can quickly be terminated.
How a Privileged Account Discovery Module Works
PAM works best when security managers understand the full depth and breadth of the systems they are supposed to protect. To achieve this goal, they may use a privileged account discovery module, such as WALLIX Discovery. This free module assists administrators in finding all the privileged and service accounts that have authorized access to a network.
A discovery module helps security teams proactively address potential and future security risks.
A discovery module helps security managers identify potential security failures related to privileged access. It automatically maps the entire network and component systems, looking for points of privileged access. It creates reports about the status of privileged accounts. In the case of WALLIX Discovery, the reports can be imported into the WALLIX Bastion, making it easy to make sure that all privileged accounts are properly managed.
5 Reasons to Do Privileged Account Discovery
Why is a privileged account discovery module recommended? Done right, the discovery process can be a first step toward truly robust cybersecurity. Here are five reasons why this is the case:
1. Strengthen the root of many security controls
When privileged access is well managed, it becomes easier to control other cybersecurity factors. For example, if a preset “hardening” is required for certain types of servers, a PAM solution can tell admins who is authorized to do the hardening. The solution can also notify admins when someone has conducted a privileged session for hardening. Without PAM, it might be possible for a malicious actor to gain unauthorized access and weaken the hardened settings. The discovery process reveals where such vulnerabilities might arise.
2. Secure the PAM terrain, not the map
Understand your entire environment by running automated discovery of privileged accounts. The results may be surprising.
3. Fix security weaknesses before they cause problems
The best time to respond to a security threat is before it causes any impact. Privileged account discovery can reveal privileged accounts that are lacking effective control. With discovery, it’s possible to add needed controls over privileged access before their risk exposure causes a security incident.
4. Spot hidden privileged users
Discovery can reveal previously hidden holders of administrative privileges. With the pace of change in IT, combined with personnel and vendor turnover, it’s highly probable that former employees, ex-contractors and third-party services long assumed to have been deactivated are still holding privileged access rights. Discovery offers an automated way to stay on top of this accidental cause of risk exposure.
5. Keep PAM up to date
PAM topology is not static. It will change over time, so it pays to adopt the best practice of regular automated discovery to show changes in privileged accounts. This way, it’s possible to integrate discovery into security reviews and planning.
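The terrain-versus-map check described under "How a Privileged Account Discovery Module Works" and "Spot hidden privileged users", as an added example (not WALLIX Discovery code and not from the original article): it discovers privileged accounts on one Unix host and reconciles them against a PAM inventory. The passwd/group contents, the inventory, the offboarded list and the admin group names are constructed assumptions, and only UID 0 and admin-group membership are checked.

```python
# Constructed sample data (not from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
toor:x:0:1003::/home/toor:/bin/sh
svc_backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
carol:x:1004:1004::/home/carol:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:svc_backup
users:x:100:alice,bob,carol
"""
ADMIN_GROUPS = {"sudo", "wheel", "adm"}  # assumption: groups that grant admin rights
# The "map": accounts the PAM inventory believes are privileged on this host.
INVENTORY = {"root", "alice", "dave"}
# Assumption: feed of departed staff and ended vendor contracts.
OFFBOARDED = {"bob"}

def discover_privileged(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Return {account: [reasons]} for accounts holding privilege (the 'terrain')."""
    found = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        if fields[2] == "0":  # any account with UID 0 is root-equivalent
            found.setdefault(fields[0], []).append("uid=0")
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] not in admin_groups:
            continue
        for member in filter(None, fields[3].split(",")):
            found.setdefault(member.strip(), []).append("group:" + fields[0])
    return found

def reconcile(discovered, inventory, offboarded):
    """Compare terrain with map and return findings by category."""
    live = set(discovered)
    return {
        "unmanaged": sorted(live - inventory),        # privileged, not under PAM
        "stale_inventory": sorted(inventory - live),  # on the map, gone from the host
        "offboarded_still_privileged": sorted(live & offboarded),
    }

if __name__ == "__main__":
    print(reconcile(discover_privileged(PASSWD, GROUP), INVENTORY, OFFBOARDED))
```

Running the same reconciliation on a schedule and comparing successive reports shows which privileged accounts appeared or disappeared between reviews.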