
Privileged accounts are accounts that give very broad powers over a system, for example root on Unix or Administrator on Windows. The login and password for the home router you use to configure it is also a privileged account. In short, these are accounts under which you can do (almost) anything with the system or device. They are sometimes called the “keys to the kingdom”, because they open up full access to the system’s data and settings. With privileged access you can do something useful, or you can do something harmful. As usual, it all depends on who is doing it and for what purpose.
Why manage?
If you have 3 computers, one router and a bored administrator, you will probably not need any special management. The need to manage privileged access usually arises in large companies (banks or insurance companies, for example) with an extensive client base. The information systems of such companies handle financial and personal data, and work with that data is too dangerous to leave uncontrolled. There are regulatory documents that describe some of the requirements the organization’s processes must meet. In particular, it is important to ensure:
- A clear understanding of who exactly could have had access to the system, and at what time
- The ability to find out who exactly accessed the system at a given point in time, what they did there and why
All this is needed mainly to be ready for a post-mortem if something suddenly happens.
The important point is that the answers to these questions make it possible not only to find the guilty party, but also to prove the innocence of specific people.

For example, the bank’s client database with phone numbers, addresses, etc. has leaked onto the network. There are 10 administrators who could theoretically have accessed the database at any time of day. The logs show that someone logged into the system under the Administrator account and copied the database. But who exactly it was is unknown. Moreover, in the absence of explicit access control, it cannot be said with certainty that it was one of these 10 administrators at all: someone else could have learned the password by overhearing a conversation, seeing it on a piece of paper, or simply guessing it.
So, I hope, the question of whether privileged access should be managed no longer arises.
That leaves another question.
How to manage?
Managing privileged accounts differs from managing regular, personal accounts.
Each user of an information system is given a personal account, to which the necessary access rights are assigned. To access the system under this account you need to know the password, and control over that password rests almost entirely with the user. An organization can influence this only indirectly, by introducing password policies that force users to create passwords of the required complexity and change them at set intervals. It is assumed that nobody knows the password except the user, so if his name turns up in the logs during a post-mortem, he himself is to blame: either he did something wrong, or he did not take due care to protect his password. Multi-factor authentication is used to counter password theft, but that is another story.
With privileged accounts the situation is somewhat different. Managing privileged accounts comes down to organizing the process so that it is always reliably known who exactly worked under the administrator account, and at what time. As a rule, several people use the same account. At the same time, it is quite difficult to determine who exactly may know the administrator password: people come and go, but the password remains. To keep control, the number of employees who have (even theoretically) full access to the system at any given moment must be kept to a minimum, ideally zero.
So we arrive at an unexpected conclusion: passwords for privileged accounts should not be handed out to anyone at all. An employee receives the password only at the moment he needs to do something in the system. As soon as he has finished his work, the password is changed, and again nobody knows it. And if he does not know it, he cannot do anything, even theoretically. So that nobody can guess the password in a reasonable time, it is changed to something unmemorable and cryptographically strong. The administrators’ alibi is secured (see the data leak example above).
In practice, such a process is usually implemented in one of two ways: administratively or with an automated system.
The first method is administrative, through the introduction of administrative regulations. The company creates a special position of password keeper. His task is to store the passwords in a secret locker, issue them to administrators on request, and record every event in a log, so that it can later be reconstructed who worked with a given account at a given time. When the work is finished, he changes the password in the system, and the new password (which nobody now knows) goes back into the locker. This approach works for systems that are accessed rarely. For critical systems, where you need to connect quickly in the middle of the night to restore service, it is not applicable: it is too slow.
If many employees access the systems frequently and you do not want to lose control over what is happening, use an automated system that makes the process of managing privileged access simple and straightforward. Instead of a secret locker, passwords are stored in a secure database. Employees request and receive passwords through a web interface, having first logged in under their personal account (multi-factor authentication can be used for additional protection). When the work is finished (or after a set period of time), the password is changed automatically, and the new password is recorded in the database and stays there until the next use. An important advantage of automated solutions over the administrative method is the ability to quickly generate the reports required during audits.
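As an added illustration (this is not code from the article or from any product it describes), here is a small Python model of the automated checkout process just described: a password is issued to one named employee for a limited lease, every issue and return is written to an audit log, the password is rotated to a fresh random value as soon as the session ends or the lease expires, and the log can answer the question from the leak example, "who could have used this account at that moment?". The in-memory vault, the lease length, the employee names and the timestamps are all constructed for the example; a real deployment would keep the passwords in an encrypted store and rotate them on the target systems.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Long random passwords drawn from this alphabet: not guessable in reasonable
# time and not something anyone would memorise (constructed alphabet).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 32) -> str:
    """Fresh cryptographically random password (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    """One audit-log entry: who held which account, from when until when."""
    account: str
    employee: str
    issued_at: datetime
    expires_at: datetime
    returned_at: Optional[datetime] = None  # set when the password is rotated

    def held_at(self, moment: datetime) -> bool:
        # The holder knew the password until it was actually rotated.
        end = self.returned_at if self.returned_at is not None else self.expires_at
        return self.issued_at <= moment < end


class ManualClock:
    """Controllable clock so the scenario below is deterministic (helper)."""
    def __init__(self, start: datetime) -> None:
        self._now = start

    def now(self) -> datetime:
        return self._now

    def advance(self, delta: timedelta) -> None:
        self._now += delta


class Vault:
    """In-memory stand-in for the secure database holding admin passwords."""
    def __init__(self, clock: Callable[[], datetime] = datetime.now) -> None:
        self._clock = clock
        self._passwords: Dict[str, str] = {}
        self._active: Dict[str, Checkout] = {}
        self.audit: List[Checkout] = []

    def onboard(self, account: str) -> None:
        # Rotate on onboarding so no previously shared password survives.
        self._passwords[account] = generate_password()

    def checkout(self, account: str, employee: str,
                 lease: timedelta = timedelta(hours=1)) -> str:
        """Issue the password to one named employee for a limited lease."""
        self.expire_leases()
        if account in self._active:
            holder = self._active[account].employee
            raise PermissionError(f"{account} already checked out by {holder}")
        now = self._clock()
        record = Checkout(account, employee, now, now + lease)
        self._active[account] = record
        self.audit.append(record)  # the log entry is written before issuing
        return self._passwords[account]

    def checkin(self, account: str) -> None:
        """End the session and rotate: after this nobody knows the password."""
        record = self._active.pop(account)
        record.returned_at = self._clock()
        self._passwords[account] = generate_password()

    def expire_leases(self) -> None:
        """Lease ran out without an explicit check-in: rotate anyway."""
        now = self._clock()
        for account, record in list(self._active.items()):
            if now >= record.expires_at:
                self.checkin(account)

    def who_had(self, account: str, moment: datetime) -> List[str]:
        """The audit question: who could have used this account at 'moment'?"""
        return [r.employee for r in self.audit
                if r.account == account and r.held_at(moment)]


def run_scenario() -> dict:
    """Walk the article's process on constructed data (names and times made up)."""
    clock = ManualClock(datetime(2024, 1, 1, 0, 0))
    vault = Vault(clock.now)
    vault.onboard("Administrator")
    first = vault.checkout("Administrator", "alice", lease=timedelta(minutes=30))
    clock.advance(timedelta(minutes=10))
    try:  # a second administrator cannot take the account meanwhile
        vault.checkout("Administrator", "bob")
        blocked = False
    except PermissionError:
        blocked = True
    vault.checkin("Administrator")                   # alice is done: rotate
    second = vault.checkout("Administrator", "bob")  # bob gets a new password
    clock.advance(timedelta(hours=2))                # bob forgot to check in
    vault.expire_leases()                            # lease expired: rotate
    return {
        "rotated_after_checkin": first != second,
        "second_checkout_blocked": blocked,
        "holder_at_00_05": vault.who_had("Administrator", datetime(2024, 1, 1, 0, 5)),
        "holder_at_00_20": vault.who_had("Administrator", datetime(2024, 1, 1, 0, 20)),
        "holder_at_03_00": vault.who_had("Administrator", datetime(2024, 1, 1, 3, 0)),
        "audit_entries": len(vault.audit),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The two points worth noticing are that `who_had` is answered from the audit log alone, never from who currently knows a password, and that an expired lease rotates the password even when the administrator forgot to check in, so the set of people who could use the account at a given moment is always bounded by what the log records.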
That is, in fact, almost everything that can be said about the management of privileged accounts. In conclusion, I would just note that, in addition to the basic password management actions, such systems often have a number of useful functions that make life much easier for both administrators and security staff. For example, remote access to the system can be provided transparently, without showing the password on the screen: the system itself, hidden from the user, passes the password to the remote computer and immediately opens the remote access screen, and the password is changed as soon as the session is closed. Remote access sessions can be recorded automatically as video. Some systems can scan the network and automatically discover systems and applications that need to be brought under control. All these functions are a useful addition to the main task: access control.