TECH TALK
“Silos of individuals or teams independently managing their own passwords is a recipe for password sprawl and human error.”

John Hathaway, Regional Sales Director, Middle East, BeyondTrust, says: “All privileged credentials should be centrally secured, controlled, and stored.”
businesses, government organisations, and auditors on proper security governance for SSH implementations that include recommendations around SSH key discovery, rotation, usage, and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair.
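As an added example (not from the article or from BeyondTrust), a small Python audit that applies two of the recommendations above to a constructed key inventory: it fingerprints each authorized_keys entry the way OpenSSH does (SHA256 of the decoded key blob) and flags key pairs reused across systems as well as keys past a rotation age. The host names, the key blobs and the 90-day threshold are assumptions.

```python
import base64
import hashlib
from collections import defaultdict
from datetime import date


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys entry."""
    key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_ssh_keys(inventory, today, max_age_days=90):
    """Flag key pairs present on more than one host and keys overdue for rotation."""
    hosts_by_fp = defaultdict(list)
    stale = []
    for host, entries in inventory.items():
        for rotated, line in entries:
            fp = fingerprint(line)
            hosts_by_fp[fp].append(host)
            age = (today - date.fromisoformat(rotated)).days
            if age > max_age_days:
                stale.append((host, fp, age))
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return {"shared": shared, "stale": stale}


def _key(tag: bytes, comment: str) -> str:
    # Constructed public key line: the blob is base64 of a tag, not real key material.
    return f"ssh-ed25519 {base64.b64encode(tag).decode()} {comment}"


# Constructed discovery output: host -> [(last rotation date, authorized_keys line)]
INVENTORY = {
    "db01": [("2024-03-01", _key(b"key-A", "dba@jump"))],
    "db02": [("2023-11-20", _key(b"key-A", "dba@jump")),   # same pair as db01
             ("2024-05-10", _key(b"key-B", "backup@db02"))],
    "web01": [("2024-05-20", _key(b"key-C", "deploy@ci"))],
}


def run_audit():
    """Run the audit against the constructed inventory as of a fixed date."""
    return audit_ssh_keys(INVENTORY, date(2024, 6, 1))


if __name__ == "__main__":
    report = run_audit()
    for fp, hosts in report["shared"].items():
        print(f"key {fp} is reused on {', '.join(hosts)}")
    for host, fp, age in report["stale"]:
        print(f"{host}: {fp} last rotated {age} days ago")
```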
Implement Privileged Session Management to improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording, and control of privileged sessions. IT needs to be able to audit privileged activity both for security and to meet regulations such as SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA, and more. Auditing activities can also include capturing keystrokes and screens (allowing for live view and playback).
Threat Analytics: To mitigate risk, and evolve your policy as needed, you should continuously analyse privileged password, user, and account behaviour, and be able to identify anomalies and potential threats. The more integrated and centralised your password management, the more easily you will be able to generate reports on accounts, keys, and systems exposed to risk. A higher degree of automation can accelerate your awareness and orchestrated response to threats, for example by enabling you to immediately lock an account or session, or change a password, when repeated incorrect passwords (as with a brute force or dictionary attack) have been tried against a sensitive asset.
Automate Workflow Management: While you can certainly build your own internal rule sets to trigger alerts, and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimise the entire password management lifecycle. Third-party privileged password management solutions can also help automate:
• Grouping and management of assets in accordance with Smart Rules
• Workflows for device access, including an approval process for when administrative access is required. Consistent with least privileged access, you may want to add context to workflow requests by considering, and potentially restricting, access depending on the account, day, date, time, timeframe, and location (IP addresses) when a user accesses resources
• Workflows to accommodate fire-call / break-glass requests to ensure access to password-managed systems after hours, on weekends, or in other emergency situations
• Check-in and check-out of passwords from the password safe, and automated authentication / Single Sign-On (SSO) for the user without any manual log-in requirements
• Logon of users for RDP and SSH sessions without revealing passwords
• Triggers requesting a supervisor’s approval in order to check out highly sensitive credentials
• Commencement of privileged session monitoring and alerting on any sensitive or suspicious activity
The ultimate goal of privileged password management is to reduce risk by identifying, securely storing, and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege, and should be a foundational element of any organisation’s privileged access management (PAM) initiatives.