EXPERT SPEAK
- Inappropriate use of privileged passwords, such as using the same admin account across multiple service accounts.
- SSH keys reused across multiple servers.
Bring privileged accounts and credentials under centralised management: Optimally, onboarding happens at the time of password creation, or otherwise shortly thereafter during a routine discovery scan. Silos of individuals or teams independently managing their own passwords are a recipe for password sprawl and human error. All privileged credentials should be centrally secured, controlled and stored. The password store should encrypt credentials at rest with a current industry-standard algorithm such as AES-256; Triple DES is deprecated by NIST and should not be relied on for new deployments.
Implement password rotation across every account, system, networked hardware and IoT device, application and service. Passwords should be unique, never reused or repeated, and randomised on a schedule, upon check-in, or in response to a specific threat or vulnerability.
Bring application passwords under management: Simply put, this requires deploying a third-party application password management solution that forces applications and scripts to request the password from a centralised password safe at run time. By replacing embedded values with API calls, you regain control over scripts, files, code and embedded keys, eliminating hard-coded and embedded credentials. Once this is accomplished, you can automate rotation of the password as often as policy dictates. And by bringing the application password under management and encrypting it in a tamper-resistant password safe, the credential and the underlying applications are far more secure than when the passwords remained static and stranded within code.
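The first step in the paragraph above is finding the credentials that are stranded in code. The following scanner is an added example written for this page, not code from the article or from BeyondTrust: it runs a few patterns (private key blocks, AWS access key IDs, and literal string assignments to names such as password, secret or token) over a set of constructed sample files, and can be pointed at a directory on disk with scan_path(). The sample file contents and the pattern list are assumptions for illustration; a real discovery scan would carry many more signatures and still needs human triage of the hits.

```python
import os
import re

# Constructed sample files (not taken from the article): a deployment script
# and a settings module that embed credentials, a stray private key, and a
# README that only talks about passwords. Real scans use scan_path() on disk.
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD='Summer2019!'\n"
        'mysql -u app -p"$DB_PASSWORD" appdb < migrate.sql\n'
    ),
    "settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS's published example key id
        "SECRET_KEY = os.environ.get('SECRET_KEY')  # remediated: fetched at runtime\n"
    ),
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set PASSWORD in your environment before running.\n",
}

# Most specific patterns first; the first hit on a line is the one reported.
PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # name = 'literal' or name: "literal"; a value starting with $ is a variable
    # reference rather than an embedded secret, so it is excluded.
    ("literal secret assignment", re.compile(
        r"(?i)(password|passwd|pass|pwd|secret|token|api_key)\s*[:=]\s*"
        r"['\"](?!\$)[^'\"]{6,}['\"]")),
]


def scan_text(name, text):
    """Return (file, line number, finding label) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in PATTERNS:
            if pat.search(line):
                findings.append((name, lineno, label))
                break  # report only the most specific match per line
    return findings


def scan_files(files):
    """Scan an in-memory mapping of file name -> contents."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def scan_path(root):
    """Walk a directory tree and scan every file as text (undecodable bytes are dropped)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    for path, lineno, label in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {label}")
```

Run against the samples, the scanner reports the password literal in deploy.sh, the AWS key in settings.py and the private key file, and stays silent on the remediated SECRET_KEY line and on the README, which only mentions the word. Each hit is a candidate for replacement with a call to the password safe, followed by rotation of the exposed value.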
Bring SSH keys under management: NIST IR 7966 offers guidance for businesses, government organisations and auditors on proper security governance for SSH implementations, including recommendations around SSH key discovery, rotation, usage and monitoring. Approach SSH keys as just another password, albeit accompanied by a key pair that must also be managed. Regularly rotate private keys and passphrases, and ensure each system has a unique key pair.

John Hathaway, Regional Sales Director, Middle East, BeyondTrust.
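Discovery and the "unique key pair per system" rule above can be checked from the authorized_keys files themselves. The inventory below is an added example for this page, not code from the article, NIST IR 7966 or BeyondTrust: it parses authorized_keys lines (options prefix, key type, base64 blob, comment), computes the OpenSSH SHA256 fingerprint of each public key blob, reports any key authorised on more than one host, and flags DSA keys and RSA keys under 2048 bits. The three hosts and their key files are constructed; the public keys are built in code with the correct OpenSSH wire encoding but random-looking contents, so they exercise the parser without being real key pairs.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(b):
    """OpenSSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    """OpenSSH 'mpint': minimal big-endian two's complement, leading 0x00 if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line):
    """Return (key type, decoded blob, comment) for an authorized_keys line, else None."""
    tokens = line.split()
    for i, tok in enumerate(tokens):  # skip any options such as from="..." or command="..."
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, base64.b64decode(tokens[i + 1]), " ".join(tokens[i + 2:])
    return None


def fingerprint(blob):
    """Same form as ssh-keygen -l -E sha256: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def rsa_bits(blob):
    # blob = string "ssh-rsa" || mpint e || mpint n
    _, off = read_string(blob, 0)
    _, off = read_string(blob, off)
    n_bytes, _ = read_string(blob, off)
    return int.from_bytes(n_bytes, "big").bit_length()


def weakness(keytype, blob):
    if keytype == "ssh-dss":
        return "DSA key (1024-bit only; disabled by default since OpenSSH 7.0)"
    if keytype == "ssh-rsa" and rsa_bits(blob) < 2048:
        return f"RSA key of {rsa_bits(blob)} bits (< 2048)"
    return None


def inventory(authorized_keys_by_host):
    """Map fingerprint -> {type, hosts, comments, weakness} over all hosts' authorized_keys."""
    inv = {}
    for host, text in authorized_keys_by_host.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parsed = parse_pubkey_line(line)
            if parsed is None:
                continue
            ktype, blob, comment = parsed
            entry = inv.setdefault(fingerprint(blob), {
                "type": ktype, "hosts": [], "comments": set(), "weakness": weakness(ktype, blob)})
            if host not in entry["hosts"]:
                entry["hosts"].append(host)
            entry["comments"].add(comment)
    return inv


def reused_keys(inv):
    """Fingerprints authorised on more than one host: violations of one key pair per system."""
    return {fp: e["hosts"] for fp, e in inv.items() if len(e["hosts"]) > 1}


# --- constructed sample data (assumption for illustration, not real keys) ---
def make_ed25519(seed):
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def make_rsa(bits):
    n = (1 << (bits - 1)) | 1  # top bit set so the modulus has exactly `bits` bits
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()


KEY_DEPLOY, KEY_ALICE, KEY_LEGACY = make_ed25519(b"deploy"), make_ed25519(b"alice"), make_rsa(1024)
SAMPLE_HOSTS = {
    "web01": f"{KEY_DEPLOY} deploy@ci\n{KEY_ALICE} alice@laptop\n",
    "web02": f"# managed by ops\n{KEY_DEPLOY} deploy@ci\n",
    "db01": f'from="10.0.0.0/8" {KEY_LEGACY} backup@legacy\n',
}

if __name__ == "__main__":
    inv = inventory(SAMPLE_HOSTS)
    for fp, hosts in reused_keys(inv).items():
        print(f"{fp} reused on {', '.join(hosts)}")
    for fp, e in inv.items():
        if e["weakness"]:
            print(f"{fp} ({e['type']}, {', '.join(e['hosts'])}): {e['weakness']}")
```

On the sample, the deploy key is reported as shared between web01 and web02, and the legacy 1024-bit RSA key on db01 is flagged. Fed real files collected from each server, the same report is the starting point for the rotation step: every shared or weak fingerprint becomes a key to replace and an old entry to remove.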
Implement privileged session management to improve oversight and accountability over privileged accounts and credentials. Privileged session management refers to the monitoring, recording and control of privileged sessions. IT needs to be able to audit privileged activity both for security and to meet requirements from SOX, HIPAA, GLBA, PCI DSS, FDCC, FISMA and more. Auditing can also include capturing keystrokes and screens (allowing for live view and playback).
Threat analytics: To mitigate risk and evolve your policy as needed, continuously analyse privileged password, user and account behaviour, and be able to identify anomalies and potential threats. The more integrated and centralised your password management, the more easily you will be able to report on accounts, keys and systems exposed to risk. A higher degree of automation accelerates awareness and orchestrated response to threats: for example, immediately locking an account or session, or changing a password, when repeated incorrect passwords (as with a brute-force or dictionary attack) have been tried against a sensitive asset.
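The brute-force case in the paragraph above, worked through as detection logic over sample log lines. This is an added example for this page, not code from the article or from BeyondTrust: it parses sshd password-authentication lines in the default syslog format, counts failures per (source address, account) in a sliding time window, and emits a response action when the threshold is crossed; a later successful logon from a source that was already flagged produces a second action, terminate the session and rotate the password, since the credential must be assumed guessed. The log lines, the threshold of five failures in two minutes, and the action names are constructed assumptions; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd password-auth lines in the default syslog format (no year in the timestamp).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3}) port \d+ ssh2"
)


class BruteForceDetector:
    """Count failed logons per (source, account) in a sliding window and emit a response."""

    def __init__(self, threshold=5, window=timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
        self.flagged = set()                # keys already reported, so we alert once

    def feed(self, line):
        m = LOG_RE.match(line)
        if not m:
            return None  # not a password-auth line; ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less, order assumed
        key = (m["src"], m["user"])
        recent = self.failures[key]
        if m["result"] == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= self.threshold and key not in self.flagged:
                self.flagged.add(key)
                return {"action": "block_source_and_alert", "src": m["src"],
                        "user": m["user"], "failures": len(recent)}
            return None
        # Accepted: a success from a source that was already hammering this account
        # means the password is now presumed known to the attacker.
        if key in self.flagged:
            recent.clear()
            return {"action": "terminate_session_and_rotate_password",
                    "src": m["src"], "user": m["user"]}
        return None


def run(lines, **kwargs):
    """Feed every line through one detector and return the actions it raised, in order."""
    det = BruteForceDetector(**kwargs)
    return [action for action in map(det.feed, lines) if action]


# Constructed sample log (documentation address ranges; not real traffic).
SAMPLE_LOG = [
    "Mar 13 10:15:01 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Mar 13 10:15:09 bastion sshd[4022]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Mar 13 10:15:18 bastion sshd[4023]: Failed password for root from 203.0.113.5 port 51027 ssh2",
    "Mar 13 10:15:27 bastion sshd[4024]: Failed password for root from 203.0.113.5 port 51031 ssh2",
    "Mar 13 10:15:40 bastion sshd[4025]: Failed password for root from 203.0.113.5 port 51035 ssh2",
    "Mar 13 10:15:41 bastion sshd[4025]: Connection closed by 203.0.113.5 port 51035 [preauth]",
    "Mar 13 10:15:44 bastion sshd[4030]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2",
    "Mar 13 10:15:50 bastion sshd[4032]: Accepted password for alice from 192.0.2.10 port 60001 ssh2",
    "Mar 13 10:15:52 bastion sshd[4026]: Accepted password for root from 203.0.113.5 port 51040 ssh2",
]

if __name__ == "__main__":
    for action in run(SAMPLE_LOG):
        print(action)
```

On the sample, the fifth failure for root from 203.0.113.5 raises the block-and-alert action, the single failure from 198.51.100.7 and alice's normal logon raise nothing, and root's subsequent success from the flagged source raises the terminate-and-rotate action. In a password safe deployment the two actions map onto the automated responses the paragraph describes: locking the session and scheduling an immediate rotation of the affected credential.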
Automate workflow management: While you can certainly build your own internal rule sets to trigger alerts and apply some policies around password management, third-party solutions provide robust capabilities that can streamline and optimise the entire password management life cycle. Third-party privileged password management solutions can also help automate:

- Grouping and management of assets in accordance with Smart Rules.
- Workflows for device access, including an approval process for when administrative access is required. Consistent with least-privilege access, you may want to add context to workflow requests by considering, and potentially restricting, access depending on the account, day, date, time, timeframe and location (IP address) from which a user accesses resources.
- Workflows to accommodate fire-call/break-glass requests, to ensure access to password-managed systems after hours, on weekends, or in other emergency situations.
- Check-in and check-out of passwords from the password safe, and automated authentication/Single Sign-On (SSO) for the user without any manual log-in.
- Logon of users for RDP and SSH sessions without revealing passwords.
- Triggers requesting a supervisor's approval in order to check out highly sensitive credentials.
- Commencement of privileged session monitoring, and alerting on any sensitive or suspicious activity.
The ultimate goal of privileged password management is to reduce risk by identifying, securely storing and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege, and should be a foundational element of any organisation's privileged access management (PAM) initiatives.