Privileged Account Management
- Tutorial
Privileged accounts are those that give access to a system with very broad permissions: for example, root on Unix or Administrator on Windows. The login and password used to configure a home router are also a privileged account. In short, these are accounts with which you can do (almost) anything to a system or device. They are sometimes called the “keys to the kingdom”, because they give full access to the information and to the system's operating parameters. With privileged access you can do something useful, or you can do something harmful. As usual, it all depends on who does it and for what purpose.
Why manage?
If you have three computers, one router and a bored administrator, then most likely no special management is required. The need for privileged access control usually arises in large companies (for example, banks and insurance companies) with an extensive client base. The information systems of such companies handle financial and personal data, and it is dangerous to leave access to them unattended. There are regulatory documents that describe the requirements that processes in an organization must meet. In particular, it is important to ensure:
- A clear understanding of exactly who could have had access to the system, and when
- The ability to find out who was accessing the system at a particular point in time, what they were doing there, and why
All this is needed mainly so that you are ready for the investigation if something happens.
An important point: the answers to these questions allow you not only to identify who is responsible, but also to prove the innocence of specific people.

For example, a bank's customer database, with phone numbers, addresses and so on, has leaked onto the internet. There are 10 administrators who, in theory, could have had access to the database at any time of day. The logs show that someone logged in under the Administrator account and backed up the database. But who exactly that was is unknown. Moreover, in the absence of explicit access control, it cannot even be said with certainty that it was one of the 10 administrators: someone else could have learned the password by overhearing a conversation, seeing it on a piece of paper, or simply guessing it.
So I hope the question of whether privileged access should be controlled no longer arises.
That leaves us with another question.
How to manage?
Managing privileged accounts is different from managing regular, personal accounts.
Each user of an information system is issued a personal account, to which the necessary access rights are assigned. To gain access with this account you need to know its password, and managing that password is almost entirely the user's responsibility. An organization can influence this process only indirectly, by introducing password policies that force the user to create passwords of the required complexity and change them at specified intervals. It is assumed that nobody knows the password except the user, so if their name turns up when incident logs are analyzed, they are the one held responsible: either for doing something wrong, or for failing to protect their password. Multi-factor authentication is used to counter password theft, but that is another story.
With privileged accounts the situation is different. Managing them comes down to organizing a process in which it is always reliably known who exactly was working under the administrator account, and when. As a rule, several people share the same account, and it is hard to determine who might know the administrator password: people come and go, but the password remains. To ensure control, at every moment in time the number of employees with full access to the system (even theoretically) must be minimal, ideally zero.
This leads us to an unexpected conclusion: passwords for privileged accounts should not be handed out to anyone on a permanent basis. An employee receives the password only for the time they need to do something in the system. As soon as the job is done, the password is changed and once again nobody knows it. If they do not know it, they cannot do anything, even theoretically. And so that nobody can guess the password in a reasonable time, it is changed to a long random value. This provides administrators with an alibi (see the data leak example above).
In practice, such a process is usually implemented in one of two ways: administratively or automatically.
The first method is administrative: introducing regulations. The company creates a special position, the password keeper. Their tasks include storing passwords in a secure locker, issuing them at administrators' request, and recording every event in a log so that it can later be reconstructed who worked with a given account at a specific time. When the work is complete, the keeper changes the password in the system and puts the new password (which nobody else knows now) back in the locker. This approach is applicable to systems that are accessed rarely. For critical systems, where you need to connect quickly in the middle of the night to restore service, it does not work: it is too slow.
If the systems are accessed often and by many employees, and you do not want to lose control over what is happening, use automated systems that make the privileged access control process simple and straightforward. Instead of a locker, passwords are stored in a secure database. Employees request and receive passwords through a web interface after logging in with their personal account (multi-factor authentication can be used for additional protection). When the work is complete (or after a set period of time), the password is changed automatically, the new password is written to the database, and it stays there until the next use. An important advantage of automated solutions over the administrative method is the ability to quickly generate reports,
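The check-out/check-in process described in the last few paragraphs, written out as a small Python vault. This is an added example, not code from the article or from any product it alludes to. The managed system is a hypothetical in-memory stand-in for a real host (a real vault would push the new password over SSH, WinRM or a management API); the class and method names, the 30-minute window and the sample system "bank-db-01" are all constructed for illustration. The points it makes concrete: the initial, human-known password dies on enrolment; exactly one person holds the account at a time, under their own identity and with a reason; every check-in or expiry rotates the password; the audit trail records a fingerprint rather than the secret; and the "who held this account at time T" question from the leak example has a direct answer.

```python
"""Minimal check-out/check-in vault for a shared privileged account (illustrative)."""
import hashlib
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional


class ManagedSystem:
    """Hypothetical target whose root/Administrator password the vault owns."""

    def __init__(self, name: str, initial_password: str) -> None:
        self.name = name
        self._password = initial_password

    def set_password(self, new_password: str) -> None:
        self._password = new_password          # real vault: SSH/WinRM/API call

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)


def generate_password(length: int = 32) -> str:
    """Long random value so it cannot be guessed within the rotation interval."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Checkout:
    user: str
    system: str
    reason: str
    issued_at: float
    expires_at: float
    returned_at: Optional[float] = None


class PrivilegedVault:
    def __init__(self, max_checkout_seconds: int = 3600) -> None:
        self._systems: dict[str, ManagedSystem] = {}
        self._secrets: dict[str, str] = {}
        self._active: dict[str, Checkout] = {}   # one holder per account at a time
        self.history: list[Checkout] = []
        self.audit: list[dict] = []
        self.max_checkout_seconds = max_checkout_seconds

    def _log(self, event: str, actor: str, system: str, now: float, **extra) -> None:
        # Never log the password itself; a fingerprint is enough to correlate rotations.
        fp = hashlib.sha256(self._secrets[system].encode()).hexdigest()[:12]
        self.audit.append({"ts": now, "event": event, "actor": actor,
                           "system": system, "pw_fingerprint": fp, **extra})

    def _rotate(self, system: str, actor: str, event: str, now: float) -> None:
        new = generate_password()
        self._systems[system].set_password(new)
        self._secrets[system] = new
        self._log(event, actor, system, now)

    def enroll(self, system: ManagedSystem, now: Optional[float] = None) -> None:
        """Take ownership: rotate at once so the admin-known initial password dies."""
        now = time.time() if now is None else now
        self._systems[system.name] = system
        self._rotate(system.name, actor="vault", event="enroll", now=now)

    def checkout(self, user: str, system: str, reason: str, now: Optional[float] = None) -> str:
        """Issue the current password to an authenticated user for a bounded window."""
        now = time.time() if now is None else now
        self.expire_overdue(now)
        if system in self._active:
            holder = self._active[system]
            raise PermissionError(f"{system} is held by {holder.user} until {holder.expires_at}")
        co = Checkout(user, system, reason, now, now + self.max_checkout_seconds)
        self._active[system] = co
        self.history.append(co)
        self._log("checkout", user, system, now, reason=reason)
        return self._secrets[system]

    def checkin(self, user: str, system: str, now: Optional[float] = None) -> None:
        """Return the account: rotation makes the user's copy of the password useless."""
        now = time.time() if now is None else now
        co = self._active.get(system)
        if co is None or co.user != user:
            raise PermissionError(f"{user} does not hold {system}")
        co.returned_at = now
        del self._active[system]
        self._rotate(system, actor=user, event="checkin", now=now)

    def expire_overdue(self, now: Optional[float] = None) -> list[str]:
        """Forced rotation of anything held past its window (admin forgot to check in)."""
        now = time.time() if now is None else now
        expired = [s for s, co in self._active.items() if now >= co.expires_at]
        for system in expired:
            self._active[system].returned_at = now
            del self._active[system]
            self._rotate(system, actor="vault", event="expire", now=now)
        return expired

    def who_had_access(self, system: str, at: float) -> Optional[str]:
        """The question from the leak example: who held the account at time `at`?"""
        for co in self.history:
            end = co.returned_at if co.returned_at is not None else co.expires_at
            if co.system == system and co.issued_at <= at < end:
                return co.user
        return None


if __name__ == "__main__":
    vault = PrivilegedVault(max_checkout_seconds=1800)
    db = ManagedSystem("bank-db-01", "Winter2024!")      # constructed sample target
    vault.enroll(db, now=1000.0)
    pw = vault.checkout("alice", "bank-db-01", "restore backup", now=1100.0)
    vault.checkin("alice", "bank-db-01", now=1500.0)
    print(vault.who_had_access("bank-db-01", 1200.0), db.login(pw))
    for entry in vault.audit:
        print(entry)
```

Note that `checkout` rejects a second requester while the account is held, rather than handing out the same password twice: that exclusivity is what makes the audit record attributable to one person. If two administrators genuinely need concurrent access, a real product would give them separate privileged accounts or proxy the session for each, not share one secret.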
That is, in fact, almost everything that can be said about managing privileged accounts. In conclusion, I will only note that in addition to basic password management, such systems often have a number of useful functions that make life easier for both administrators and security staff. For example, remote access to the system can be provided transparently, without showing the password on the screen: the system itself, invisibly to the user, passes the password to the remote computer and immediately opens the remote session. The access password is changed as soon as the session is closed. Remote access sessions can be recorded automatically as video. Some systems can scan the network and automatically discover systems and applications whose access needs to be controlled.