As the number of cyber-attacks increases, the need for organizations to strengthen their security posture has become more evident. Securing and managing privileged accounts by implementing a robust Privileged Identity & Access Management (PIM or PAM) program must be a high priority.
Privileged Users
Privileged users are identities with the capability to perform administrative functions, make configuration changes, and install and execute programs. Unmanaged privileged accounts often put an organization at risk through the following:
- Lists of passwords circulating in an organization
- Passwords that have never been changed
- Employees that have left the organization and know the passwords
- No entitlement review process to verify that users should hold the privileges they have
- Job or role changes where additional privileges are granted
- Employees copy and share SSH keys
- Users inadvertently granting access to the wrong people
- Difficulty identifying the number of privileged accounts currently within a network
- Insider threats
At a minimum, to mitigate some of these risks, organizations should enforce:
- A strong password policy (uppercase and lowercase letters, numbers and special characters, 16 characters or more, and random patterns)
- Password rotation
- Unique passwords
It is also vital for organizations to discover and manage the privileged credentials of root and superuser accounts.
Super Users
The root superuser account is the default administrative account that ships with the Unix operating system. It has unlimited access to do anything on the system, with full read, write, and execute access to perform the following:
- Installing
- Modifying
- Deleting
- Running Programs
Sudo Users
(also known as "superuser do")
- Accounts or groups listed in the sudoers file
- Can elevate their account privileges to run commands with higher rights
- Sudo users can be set up with a specific security policy
Controlling Privileged User Access
Access privileges for each of these accounts can be controlled using techniques such as:
- Allowing commands only from a certain terminal
- Requiring a password before elevation
- Permitting (or forbidding) the passing of arguments
- Allowing execution of multiple commands
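A sudoers drop-in that applies each of those controls, with the weak setting shown beside the hardened one (an added example, not from the original article; the user names, group name and command paths are assumed):

```sudoers
# Constructed example for /etc/sudoers.d/ops; users alice, bob and group ops are assumed.
# Group related commands under one alias (allows execution of multiple commands)
Cmnd_Alias SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
# The trailing "" means the script may only be run with no arguments at all
Cmnd_Alias BACKUP   = /usr/local/bin/backup.sh ""

# Only honour sudo from an interactive terminal session (commands only from a terminal)
Defaults requiretty
# Run elevated commands in a fresh pseudo-terminal so the caller cannot hijack the tty
Defaults use_pty
# Re-prompt for the caller's password after 5 minutes instead of the default 15
Defaults timestamp_timeout=5
# Record every elevated command for later review
Defaults logfile=/var/log/sudo.log

# WEAK: no password, any command, any arguments; equivalent to handing out root
# alice ALL=(ALL) NOPASSWD: ALL

# HARDENED: alice may only restart or inspect nginx, must enter her own password
# (PASSWD is the default, written out here for clarity), and cannot add arguments
# because each command in SERVICES lists its arguments exactly
alice  ALL=(root) PASSWD: SERVICES

# bob may run the backup script, but the "" in the alias forbids any arguments
bob    ALL=(root) BACKUP

# A command listed without arguments permits any arguments: the ops group may run
# journalctl with whatever options it needs (argument passing permitted)
%ops   ALL=(root) /usr/bin/journalctl
```

Validate the file with `visudo -cf /etc/sudoers.d/ops` before deploying it, since a syntax error in a drop-in can lock everyone out of sudo.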