Privileged Accounts in the Zero Trust Security Model

Cyber attacks are making headlines nearly every day and often the attacks involve privileged user accounts. These powerful accounts can be misused by their owners or hijacked by malicious outsiders to steal an organization’s valuable data. 

A privileged user is typically an admin-type user that has complete and unrestricted access to an IT system or application. A privileged user has permissions to create, modify, or delete other accounts. Further, privileged users have permissions to change system configuration and can bypass the application's built-in security controls. In some cases a privileged user can access the data stored within the application or system. There is no question that privileged accounts pose a number of potential security risks to the organization, so it's critically important for any company to have a strategy for protecting its most valuable credentials.

In the world of agile and DevOps it's imperative that security not act as a roadblock but as an enabler. At the same time we still need to protect ourselves and maintain the ability to go back in time to investigate anomalous activities.

Here are 10 best practices for securing and protecting your privileged accounts:

  1. Maintain an up-to-date inventory of privileged accounts. At Code42 we make this process less daunting by enforcing account naming conventions (see #3).
  2. Do not assign privileged access to day-to-day user accounts.  Instead create purpose built admin accounts that are only used for the single purpose of managing the tool.
  3. Implement and enforce an account naming standard so that it is easy to distinguish between privileged and non-privileged users. For example, a privileged user account MUST follow the naming standard adm-<user initials> or admin-<name of tool/application>.
  4. Enforce multi-factor authentication (MFA) on privileged accounts whenever possible.
  5. Use a credential management system to store and track usage of shared privileged accounts.
  6. Rotate the password for shared privileged accounts after each usage, and enforce long complex passwords/passphrases.
  7. Leverage system logs or a SIEM to monitor the usage and activities performed by privileged accounts.
  8. Establish a baseline usage pattern for each account and implement alerting for anomalous behavior.
  9. Perform a regularly scheduled access review of all privileged accounts:
    1. remove excessive access
    2. disable inactive accounts
  10. Adhere to the principle of least user access; this is especially important for privileged accounts!
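As an added example (not code from the original post or from Code42), the following Python script turns practices 1, 2, 3, 4 and 9 into an automated check over an account inventory: it enforces the `adm-<user initials>` / `admin-<tool>` naming standard, flags day-to-day accounts that carry privileged rights, flags privileged accounts without MFA, and flags privileged accounts that have gone inactive. The inventory format, the field names, the exact character sets allowed in the naming pattern and the 90-day inactivity threshold are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Naming standard from the post: adm-<user initials> or admin-<tool/application>.
# The allowed character sets (2-4 letters of initials; letters/digits/hyphens for a
# tool name) are assumptions; adjust them to your own standard.
PRIVILEGED_NAME_RE = re.compile(r"^(adm-[a-z]{2,4}|admin-[a-z0-9][a-z0-9-]*)$")

# Constructed sample inventory; the field names are assumptions, not a real export format.
SAMPLE_INVENTORY = [
    {"name": "adm-jd",       "privileged": True,  "mfa": True,  "last_login": "2024-05-01"},
    {"name": "admin-backup", "privileged": True,  "mfa": False, "last_login": "2024-05-20"},
    {"name": "jdoe",         "privileged": True,  "mfa": True,  "last_login": "2024-05-29"},  # day-to-day account with admin rights
    {"name": "adm-old",      "privileged": True,  "mfa": True,  "last_login": "2024-01-15"},  # nobody has used it for months
    {"name": "asmith",       "privileged": False, "mfa": False, "last_login": "2024-05-30"},
]


def is_privileged_name(name: str) -> bool:
    """True if the account name follows the privileged-account naming standard."""
    return PRIVILEGED_NAME_RE.match(name) is not None


def audit_accounts(accounts, today: str, inactive_days: int = 90):
    """Return {account_name: [finding, ...]} for every account that breaks a practice.

    `today` is an ISO date string; accounts with no finding are omitted.
    """
    today_dt = datetime.strptime(today, "%Y-%m-%d")
    findings = {}
    for acct in accounts:
        issues = []
        # Practices 2 and 3: privileged rights belong only on purpose-built, admin-named accounts.
        if acct["privileged"] and not is_privileged_name(acct["name"]):
            issues.append("naming: privileged rights on a non-admin-named account (practices 2 and 3)")
        # Practice 3 in the other direction: an admin-named account that is not actually privileged
        # pollutes the inventory and should be renamed or removed.
        if not acct["privileged"] and is_privileged_name(acct["name"]):
            issues.append("naming: admin-named account without privileged rights (practice 3)")
        # Practice 4: MFA on every privileged account.
        if acct["privileged"] and not acct["mfa"]:
            issues.append("mfa: privileged account without MFA (practice 4)")
        # Practice 9: disable privileged accounts that have gone inactive.
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if acct["privileged"] and today_dt - last > timedelta(days=inactive_days):
            issues.append(f"inactive: no login for more than {inactive_days} days (practice 9)")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_INVENTORY, "2024-06-01").items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed inventory on 2024-06-01, the script reports `admin-backup` (no MFA), `jdoe` (a day-to-day account holding privileged rights) and `adm-old` (inactive for more than 90 days), while `adm-jd` passes every check. Feeding it a real directory or IAM export is a matter of mapping the export's columns onto the four fields used here.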

At Code42 we follow the above guidelines to safeguard the admin accounts to our Active Directory environment and root accounts for cloud systems.  In order to manage these systems an individual must first “check out” a privileged account from our Credential Management system, and all actions performed by the privileged user are logged and monitored.   When the work is complete the credentials are checked back in and the password is rotated.  If anomalous activity is noticed, we are then able to look back and see who had the credentials checked out at the time of the event. 
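The check-out workflow described above gives every privileged action an accountable human behind it. As an added example (not Code42's tooling and not code from the original post), the Python below joins constructed SIEM-style log lines for privileged accounts with a constructed check-out ledger from a credential management system, compares each action against a per-account baseline of normal hosts and working hours (practices 7 and 8), and reports who held the credential at the moment of each suspicious action. An action for which nobody had the credential checked out is the strongest finding, because the monitored workflow was bypassed entirely. The log line format, the ledger fields and the baseline values are all assumptions made for the example.

```python
from datetime import datetime

# Constructed check-out ledger from a credential management system (format assumed).
# "in": None means the credential is still checked out.
CHECKOUT_LEDGER = [
    {"account": "admin-ad",   "user": "jdoe",   "out": "2024-06-03T08:00:00", "in": "2024-06-03T10:30:00"},
    {"account": "admin-ad",   "user": "asmith", "out": "2024-06-03T13:00:00", "in": "2024-06-03T14:15:00"},
    {"account": "root-cloud", "user": "asmith", "out": "2024-06-03T09:00:00", "in": None},
]

# Constructed SIEM-style log lines: "<timestamp> <account> key=value ..." (format assumed).
SAMPLE_LOGS = """\
2024-06-03T08:12:41 admin-ad host=dc01 action=user.create target=svc-report
2024-06-03T13:42:09 admin-ad host=dc01 action=group.modify target=DomainAdmins
2024-06-03T02:15:30 admin-ad host=ws-unknown action=password.reset target=ceo
2024-06-03T09:30:00 root-cloud host=bastion action=iam.policy.attach target=AdministratorAccess
"""

# Baseline per account (practice 8): the hosts and hours at which its use is normal (constructed).
BASELINE = {
    "admin-ad":   {"hosts": {"dc01"},    "hours": range(7, 19)},
    "root-cloud": {"hosts": {"bastion"}, "hours": range(7, 19)},
}


def parse_log_line(line: str) -> dict:
    """Split one log line into {"ts": datetime, "account": str, <key>: <value>, ...}."""
    ts, account, rest = line.split(" ", 2)
    event = {"ts": datetime.fromisoformat(ts), "account": account}
    event.update(kv.split("=", 1) for kv in rest.split(" ") if "=" in kv)
    return event


def holder_at(ledger, account: str, ts: datetime):
    """Return the user who had `account` checked out at `ts`, or None if nobody did."""
    for rec in ledger:
        if rec["account"] != account:
            continue
        out = datetime.fromisoformat(rec["out"])
        back = datetime.fromisoformat(rec["in"]) if rec["in"] else datetime.max
        if out <= ts <= back:
            return rec["user"]
    return None


def check_event(event: dict, baseline: dict, ledger) -> dict:
    """Compare one privileged action with its baseline and attribute it to a credential holder."""
    reasons = []
    profile = baseline.get(event["account"])
    if profile is None:
        reasons.append("no baseline for account")
    else:
        if event["host"] not in profile["hosts"]:
            reasons.append(f"host {event['host']} not in baseline")
        if event["ts"].hour not in profile["hours"]:
            reasons.append("outside baseline hours")
    holder = holder_at(ledger, event["account"], event["ts"])
    if holder is None:
        reasons.append("no checkout on record")
    return {"ts": event["ts"].isoformat(), "account": event["account"],
            "action": event["action"], "holder": holder, "reasons": reasons}


def review(log_text: str, baseline: dict, ledger) -> list:
    """Return the findings for every logged action that deviates from baseline or has no holder."""
    events = (parse_log_line(line) for line in log_text.splitlines() if line.strip())
    return [r for r in (check_event(e, baseline, ledger) for e in events) if r["reasons"]]


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS, BASELINE, CHECKOUT_LEDGER):
        print(f"{finding['ts']} {finding['account']} {finding['action']} holder={finding['holder']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed data only the 02:15 password reset is reported: it comes from an unknown host, outside working hours, and at a time when nobody had `admin-ad` checked out. The three other actions fall inside their baselines and each resolves to the person who held the credential, which is exactly the look-back the check-out process is meant to provide.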

What processes or best practices have you built to support the Zero Trust Model way of working?