Five steps to improve the security of your shared privileged accounts

Sharing privileged accounts is a common practice among IT teams, but one that can leave organisations vulnerable to a cyberattack.

Often used as a way to provide access for teams of privileged users, administrators, or applications, shared accounts involve a group of people using the same credentials to gain access. Unfortunately, lax shared-account management can lead to intentional, accidental, or indirect misuse that can undercut compliance efforts.

From embedded and hardcoded passwords to credentials used for message-passing between two applications, security gaps exist and they need to be managed. Password rotation is, of course, a best practice, but when left to a user’s own discretion it is unreliable.

With shared accounts, changing passwords becomes an even bigger problem. There could be confusion about who changed the credentials, and the communication of updated passwords may be less than fully secure.

In addition, auditing and reporting information on session activities from shared accounts may be incomplete, because the individual responsible cannot be identified. This again reduces the overall security posture of the IT infrastructure as it is difficult to track accountability.

Improving shared account security

Thankfully, there are a range of ways shared account security can be improved without any unwanted impact on user productivity. Five ways this can be achieved are:

  1. Deploy an appliance-based or cloud-based solution to overcome the challenge:
    Organisations require a security solution that offers privileged password and session management within a single hardened or virtual appliance. The chosen appliance needs to have wide-ranging compatibility covering a range of operating systems, databases, applications, and devices. The security team should be able to manage accounts for services, application-to-application (A2A), and application-to-database (A2DB), without the need to juggle multiple tools. Using appliances offers organisations a solution that is much easier to implement and maintain over the lifecycle of the solution.

 Alternatively, cloud-based PAM solutions are becoming more commonly considered. In this case the service should offer comparable, if not identical, functionality and support a distributed implementation that can be applied across separated networks.

  2. Have a system that allows automatic inventory workflows:
    Once a distributed network discovery engine has been put in place, an organisation’s security team can identify and profile all users and services automatically and monitor their activity through unified management.

Many strong security policies go unenforced because policymakers are unaware that an asset or account even exists. Consistency comes from control, and control from knowledge. An automated discovery process that regularly checks for new systems and accounts is the best way to ensure that nothing is missed.

  3. Monitor all active sessions:
    For a platform to put full control into the hands of the security team, it needs to record every activity initiated by a privileged session. Real-time information can be relayed through a proxy session-monitoring service for SSH and remote desktop protocols, so that the user never sees the account password at any stage. Such monitoring capabilities should be rich enough to allow threat assessors to view a playback of the session for auditing or forensic purposes, thereby meeting a range of compliance standards.
  4. Deploy the right desktop tools:
    Standardisation is an argument that spans many subsections of the IT world. When it comes to security, policies and practices that are hard for employees to follow weaken the threat posture of the whole enterprise. For this reason, complex new workflows should be avoided wherever it is possible to do so. Continually re-authenticating to a security layer when accessing different applications is not ideal, so the account management system should support the standard tools administrators already use, such as PuTTY and other SSH clients and the Microsoft Remote Desktop (Terminal Services) client.
  5. Ensure comprehensive analytics and reporting capabilities are in place:
    All key decision makers prefer to have single points of reference for their data. Whatever metrics are being used to monitor security, they should be presented in a single dashboard, in a clear, intuitive format. Everything from details about privileged accounts and passwords to expiry dates, remote access tools, SSH keys, and service accounts should be readily accessible by the security team. This will allow the team to take timely action to prevent issues before they cause disruption or losses.
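The automated discovery described in step 2 starts with the simplest inventory there is: the account and group databases on each host. The script below is an added example, not BeyondTrust code or part of the original article. It parses passwd- and group-style data (a constructed sample is embedded so it runs offline) and flags the accounts a PAM rollout must not miss: UID 0 accounts, accounts that share a UID with another name (one identity, several logins), and members of administrative groups. The group names in PRIVILEGED_GROUPS are an assumption to be adjusted per distribution.

```python
from collections import defaultdict

# Constructed sample standing in for /etc/passwd on one host (not real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
deploy:x:1001:1001:Deployment account:/home/deploy:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
oracle:x:1010:1010:Oracle DB:/opt/oracle:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sample standing in for /etc/group on the same host.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob,deploy
wheel:x:10:
dba:x:1010:alice,bob
"""

# Assumed list of groups that confer administrative rights; tune per platform.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin"}


def parse_passwd(text):
    """Return {name: account-dict} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        accounts[name] = {
            "uid": int(uid), "gid": int(gid), "gecos": gecos,
            "home": home, "shell": shell, "groups": set(),
        }
    return accounts


def parse_group(text):
    """Return {group: {"gid": int, "members": set}} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": {m for m in members.split(",") if m}}
    return groups


def build_inventory(passwd_text, group_text):
    """Join accounts to groups: primary group via GID plus supplementary membership."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    gid_to_name = {g["gid"]: name for name, g in groups.items()}
    for name, acct in accounts.items():
        primary = gid_to_name.get(acct["gid"])
        if primary:
            acct["groups"].add(primary)
        for gname, g in groups.items():
            if name in g["members"]:
                acct["groups"].add(gname)
    return accounts


def find_privileged(accounts):
    """Return {account: [finding, ...]} for accounts needing PAM management.

    Findings: 'uid-0' (superuser), 'shared-uid:N' (several names map to one UID,
    so actions cannot be attributed to a person), 'privileged-group:G'.
    Accounts with no findings are omitted.
    """
    by_uid = defaultdict(list)
    for name, a in accounts.items():
        by_uid[a["uid"]].append(name)

    findings = {}
    for name, a in accounts.items():
        hits = []
        if a["uid"] == 0:
            hits.append("uid-0")
        if len(by_uid[a["uid"]]) > 1:
            hits.append("shared-uid:%d" % a["uid"])
        for g in sorted(a["groups"] & PRIVILEGED_GROUPS):
            hits.append("privileged-group:" + g)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for acct, hits in sorted(find_privileged(
            build_inventory(SAMPLE_PASSWD, SAMPLE_GROUP)).items()):
        print("%-8s %s" % (acct, ", ".join(hits)))
```

Run against real hosts by feeding the contents of /etc/passwd and /etc/group (or the equivalent export from a directory service) to build_inventory and diffing the result against the previous run; any new name in the output is an account that exists outside the vault's control.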

Effectively securing shared privileged accounts can be a complex thing to achieve, but it can be made much easier if the right management tools are in place. Once this has been achieved, the benefits of shared accounts can be enjoyed while security gaps are minimised.

Scott Hesford
Scott Hesford is Director of Solutions Engineering, APAC, for BeyondTrust. Based in Melbourne, Scott has more than 15 years’ experience in the IT industry and in his current role supports organisations in mitigating the risk of security breaches by securing privileged identities across the hybrid enterprise.