Taking the First Steps for Privileged Access Management
Assessing what’s on a network helps with security audits.
The recent wave of high-profile cyber attacks on federal government agencies and the businesses that support them has gotten organizations thinking about security. A key part of any organization’s security strategy is access management—determining who can access certain kinds of information and resources and when and/or where they can do so.
But determining where to start can often be delayed by indecision due to over-analysis and caution, explains Ross Johnson, director of federal sales for Thycotic Software Ltd. The first and most important thing an organization can do is to make the decision to take inventory of all their data assets.
“Sometimes just knowing what you have is half the battle,” Johnson told SIGNAL Magazine Senior Editor Kimberly Underwood during a SIGNAL Executive Video Series interview.
One issue many Department of Defense organizations have is managing old user accounts. These include privileged access management (PAM) and non-human service accounts. Part of this requires a change in culture regarding security. He notes that often in these organizations, users have pre-set accounts that often aren’t changed from their initial settings, even after the users have rotated in and out of their duty stations.
Besides user accounts, another thing organizations should take stock of are system accounts. Johnson explains that this is something to take into consideration because in several recent cyber attacks, hackers used these accounts and their access privileges to get into the target’s network.
Another step agencies and businesses can take is to examine their audit processes for such old or unattended accounts to determine what PAM steps are needed. “Who’s reviewing this? How are you feeding this additional data or touchpoints into your SIM [security information management] product or analytics tool? Those kinds of things are important,” Johnson says.
When selecting a PAM tool from a vendor, organizations also need to look at its lifecycle aspects. These include factors such as how difficult is something to install into a system, how it interacts with legacy systems and software and its ease of use.
“If this thing is like a year [long] project just to get it up and going, it’s not really helping you a whole lot,” Johnson says.
Likewise, ease of use for users—especially warfighters—is important. This can be done with simple tools like launchers that allow users to securely access systems. He notes that automation is important here because it lets users activate the account only when its needed instead of it being available all the time, which helps enhance an organization’s overall security status.