5 Tips for managing privileged shared accounts

Michael Byrnes, director – solutions engineering, iMEA, BeyondTrust, shares five best practices to ensure accountability of shared privileged accounts for better security and compliance without undue impact on IT productivity.

GCC nations have established themselves, of late, as leaders in cyber-readiness. Saudi Arabia was ranked second and the United Arab Emirates was fifth, in the International Telecommunication Union’s Global Cybersecurity Index of 2020. The UAE made particular strides, having leapt from 33rd in the 2019 edition of the index. And yet both Gulf nations saw spikes in cyber incidents during the pandemic. Some 88% of UAE respondents to a KPMG survey reported upticks in threat activity as a direct result of COVID-19, and Saudi Arabia was said to have suffered more than 7 million attacks in the first two months of 2021, most centered on the remote-access protocols used by WFH employees.

As we get to the end of the first quarter of 2022, we are already seeing more of the same and regional security experts will hope to avoid being counted among the victims. The data shows us that even leaders have not fully mastered themselves, so enterprises must take special care to avoid the traps of threat actors.

One key area of focus over the next 9 months should be the management of shared accounts. Many IT companies use them for granting access to privileged users, administrators, services, or applications. But using the same credentials for multiple users without proper management creates risk. One of the reasons regional countries are scoring so highly on maturity indexes is because of the work of regulators, many of which are putting increasing pressure on private enterprises. These businesses also must contend with global requirements such as the European Union’s GDPR. But substandard shared-account management can lead to intentional, accidental, or indirect misuse that can undercut compliance efforts.

From embedded and hardcoded passwords to those used for message-passing between two applications, or from an application to a database, gaps exist and need to be managed. Password rotation is, of course, a best practice, but when left to a user’s own discretion it can be unreliable. With shared accounts, this becomes even more problematic, since there may be confusion as to who changes the credentials, and the communication of the updated password may be less than secure. Additionally, auditing and reporting on session activities from shared accounts results in incomplete information, because the individual responsible cannot be identified.

We must do better. Here are five best practices that ensure accountability of shared privileged accounts for better security and compliance without undue impact on IT productivity.

1. Implement a flexible, appliance-based solution
Organizations need a security solution that offers privileged password and session management within a single hardened or virtual appliance. They need broad compatibility, covering a range of OS, database, application, device, and directory options. IT should be able to manage accounts for services, application-to-application (A2A), and application-to-database (A2DB), through a minimum of effort and dashboard-hopping.

2. Implement a comprehensive, automatic inventory system
With the right distributed network discovery engine, IT and security teams can identify and profile all users and services automatically and corral them into unified management. Many strong security policies go unenforced because policymakers are unaware of an asset or account. Consistency comes from control, and control from knowledge. Automated discovery solutions are by far the best way of ensuring no stone goes unturned.

3. Implement full session monitoring
Any platform that claims to deliver control into the hands of IT should record every activity initiated by a privileged session. Real-time information can be relayed through a proxy session monitoring service for Secure Shell or remote access protocols, without revealing passwords. Such monitoring capabilities should be rich enough to allow threat assessors to view a playback of the session for auditing or forensic purposes, thus meeting a range of compliance standards. Full control also requires having the ability to identify suspicious activity as it happens and lock or terminate sessions as needed.

4. Implement standard desktop tools
Standardization is an argument that spans many subsections of the IT function. When it comes to security, an enterprise-wide threat posture comes from having policies and practices that are easy to follow for all employees. Therefore, complex new workflows are to be avoided where possible. Continual authentication to a security layer when accessing different applications is not ideal. The account management system should support standard tools such as PuTTY, RDP, SSH and Microsoft Terminal Services Client.

5. Implement strong analytics and reporting
All decision makers prefer single points of reference for their information. Whatever your metrics are, they should be presented in a single dashboard, in a clear, intuitive format. Everything about privileged accounts, password expiry dates, remote access tools, SSH keys, service accounts, and user accounts should be right there in front of the security team so they can take timely action to prevent issues.

Get it right
Securing shared privileged accounts is a complex task if you do not have the right solution in place. So many elements, from discovery to policy enforcement, are subject to omission in a manual approach. Automating password and session management must be a priority in the world of hybrid work, as should secure access control, auditing, alerting, and recording for all privileged accounts, be they user, service or other.

Compliance will continue to be a stumbling block without robust management of the fundamentals, and shared accounts present a vulnerability. Get it right and trust will flow from regulators and customers alike.