“Rank does not confer privilege or give power. It imposes responsibility.”
When it comes to privileged account management, Peter Drucker isn’t wrong. Privileged accounts aren’t about power, they’re about responsibility – mainly the responsibility of protecting them to prevent their abuse by bad actors.
Privileged Account Management (PAM) is a headache for security teams everywhere. It means differentiating between standard users and privileged users who can access highly sensitive data, and the latter are like honey to a bear for hackers. If hackers can get their hands on privileged account credentials, the entire system is open to them.
Privileged accounts are everywhere. They may belong to a corporate VIP, like the Chief Financial Officer, or be a generic root account. What they have in common is holding administrative rights on systems and software. Controlling them allows hackers to infiltrate systems faster and do more damage before being detected.
It is estimated that 80 percent of data breaches involve compromised privileged accounts, driving a need to protect privileged access more effectively. Because people reuse passwords so much, compromised credentials for one account put multiple systems at risk. The simplest solution – locking down these accounts, reducing their access, or restricting them in other ways – would increase safety but make them too inconvenient to use. Protecting these accounts requires changing how you approach identity and access management, implementing best practices and new technologies to enhance security.
Privileged Account Management Best Practices
- Use secure passwords that aren’t used for any other account.
- Apply proper credential maintenance to root and service accounts that aren’t directly managed.
- Stop tracking privileged accounts on spreadsheets. Yes, you know you still do it.
- Only grant a privileged account access to the systems and data it actually requires, and update that access regularly.
- Track which devices are used by privileged account users.
- Make sure users aren’t sharing privileged account access.
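Several of the practices above (keeping a real inventory, updating access regularly, tracking devices, and spotting shared access) can be checked mechanically once the account list is structured data instead of a spreadsheet. The following is an added example, not code from the original article; the inventory layout, login-event format, finding names, 90-day review interval and 10-minute window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed inventory: account -> approved devices and last access-review date.
INVENTORY = {
    "root@db01": {"devices": {"jump-01"}, "reviewed": "2024-04-10"},
    "cfo": {"devices": {"lt-cfo"}, "reviewed": "2024-05-20"},
    "svc-backup": {"devices": {"bkp-01"}, "reviewed": "2023-02-01"},
}

# Constructed login events: (account, device, ISO timestamp).
LOGINS = [
    ("root@db01", "jump-01", "2024-06-01T09:00:00"),
    ("cfo", "lt-cfo", "2024-06-01T09:05:00"),
    ("cfo", "kiosk-7", "2024-06-01T09:09:00"),
    ("svc-backup", "bkp-01", "2024-06-01T02:00:00"),
    ("admin-old", "ws-44", "2024-06-01T11:00:00"),
]

def audit(inventory, logins, today, review_days=90, window=timedelta(minutes=10)):
    """Return sorted (account, finding) pairs for the practices listed above."""
    findings = set()
    # Access that has not been reviewed within the interval (assumed 90 days).
    for account, entry in inventory.items():
        age = today - datetime.fromisoformat(entry["reviewed"])
        if age > timedelta(days=review_days):
            findings.add((account, "STALE_REVIEW"))
    last_seen = {}  # account -> (device, time) of its previous login
    for account, device, ts in sorted(logins, key=lambda e: e[2]):
        when = datetime.fromisoformat(ts)
        entry = inventory.get(account)
        if entry is None:
            # Privileged login for an account nobody is tracking.
            findings.add((account, "UNTRACKED_ACCOUNT"))
        elif device not in entry["devices"]:
            findings.add((account, "UNKNOWN_DEVICE"))
        # Two different devices inside a short window suggests shared access.
        prev = last_seen.get(account)
        if prev and prev[0] != device and when - prev[1] <= window:
            findings.add((account, "POSSIBLE_SHARING"))
        last_seen[account] = (device, when)
    return sorted(findings)

if __name__ == "__main__":
    for account, issue in audit(INVENTORY, LOGINS, datetime(2024, 6, 1)):
        print(f"{issue:18} {account}")
```

A `POSSIBLE_SHARING` finding is a heuristic that needs follow-up, since one person can legitimately switch devices.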
Biometrics & PAM
That’s the bare minimum. Going beyond it requires tools built specifically to handle identity and authentication. One of these is biometric authentication. Adding biometrics for two-factor authentication, or replacing passwords entirely with single-step multi-factor biometrics, will significantly reduce the likelihood of any credentials – privileged or not – being compromised.
Biometric authentication, using who you are to access systems and data, also eliminates the risk of shared credentials because each user has to use a unique physical characteristic to log in. Furthermore, a secure biometric authentication platform will help track the devices a privileged user logs in from, and provide tracking and logging of exactly who is accessing what.
The main benefit of using biometrics for PAM, however, is replacing passwords. Compromised passwords have been the leading cause of data breaches for several years running, according to Verizon’s annual Data Breach Investigations Report.
Securing privileged accounts won’t be a simple process, but adopting biometrics and enforcing best practices can make it a little easier to get started.