Privileged Password Management – Best Practices and Benefits

Brian Chappell, Director, Product Management at BeyondTrust, delving into the eight areas that organizations need to focus on for holistic enterprise password management.

Privileged Password Management refers to the practice and techniques of securely controlling credentials for privileged accounts, services, systems, applications, machines, and more. The ultimate goal of privileged password management is to reduce risk by identifying, securely storing, and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege and should be a foundational element of any organization’s privileged access management (PAM) initiatives.

Whereas in decades past an entire enterprise might be sufficiently managed through just a handful of credentials, today’s environmental complexity means privileged credentials are needed for a multitude of different privileged account types (from Domain admin and sysadmin to workstations with admin rights), operating systems (Windows, Unix, Linux, etc.), directory services, databases, applications, cloud instances, networking hardware, internet of things (IoT), social media, and more.

Most likely, achieving holistic enterprise password management will follow the course of a graduated approach but it’s essential that you focus on these eight areas.

Discover all privileged accounts
This includes shared admin, user, application, and service accounts, SSH keys, database accounts, cloud and social media accounts, and other privileged credentials – including those used by vendors– across your on-premise and cloud infrastructure. Discovery should include every platform (Windows, Unix, Linux, Cloud, on-prem, etc.), directory, hardware device, application, services/daemons, firewalls, routers etc. This process should also entail the gathering of user account details that will help assess risk, such as privilege level, password age, date logged on, and expired, and group membership and services with dependencies to the account. Absent automation, comprehensive discovery is likely to be an inordinately time-consuming endeavour that relies on spreadsheets for recording and draws on multiple scripting languages, APIs, etc. A process that could take an eternity (as counted in human years) with a manual approach can be condensed into just minutes with an automated solution.

Bring Privileged credentials under centralized management
Optimally, the onboarding process happens at the time of password creation, or otherwise, shortly thereafter during a routine discovery scan. Silos of individuals or teams (i.e. DevOps) independently managing their own passwords are a recipe for credential sprawl and human error. All privileged credentials should be centrally secured, controlled, and stored. Ideally, your password storage supports industry-standard encryption algorithms, such as AES 256.

Implement password rotation
Rotation policies should address every privileged account, system, networked hardware, and IoT device, application, service, etc. This reduces the threat window for password reuse attacks. Passwords should be unique, never reused or repeated, and randomized on a scheduled basis, upon check-in, or in response to specific threat or vulnerability.

Implement Privileged session management
These solutions ensure complete oversight and accountability over privileged accounts and credentials.
Privileged session management refers to the monitoring, recording, and control over privileged sessions.
IT needs to be able to audit privileged activity for both security and to meet regulations from SOX,
HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more. Auditing activities can also include Dual Control (requiring two separate people to approve access or the execution of specific commands), the capturing of keystrokes and screens (allowing for live view and playback), the ability to record, lock, and document suspicious behaviour without terminating sessions – or productivity, and other measures. You should be able to control, monitor and record every session across your privilege universe—whether initiated by employee or vendor, human or non-human.

Bring non-human/machine credentials under centralized management
Simply put, this requires deploying a third-party application password management or secrets management solution that forces applications and scripts to call (or request) use of the password from a centralized password safe. By implementing API calls, you can wrest control over scripts, files, code, and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate the management of the password as often as policy dictates. And, by bringing the application password or DevOps secret under management and encrypting it in a tamper-proof safe, the credential and underlying applications/tools are vastly more secure than when the passwords remained static and stranded within code.

Bring SSH keys under management
NIST IR 7966 offers guidance for businesses, government organizations, and auditors on proper security governance for SSH implementations that include recommendations around SSH key discovery, rotation, usage, and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair.

Utilize threat analytics
To mitigate risk, and evolve your policy as needed, you should continuously analyze privileged password, user, and account behaviour, and be able to identify anomalies and potential threats. The more integrated and centralized your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation can accelerate your awareness and orchestrated response to threats, such as enabling you to immediately lock an account or session or change a password, such as when incorrect passwords (as with a brute force or dictionary attack) have repeatedly tried to gain access to a sensitive asset.

Automate workflow management
While you can certainly build your own internal rule sets to trigger alerts and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimize the entire password management lifecycle.

As with any IT security and governance project, start with a scope. Once you’ve completely discovered all of your privileged accounts and have a baseline of your privileged credential and asset risk, you can set priorities and flesh out a privileged credential policy.