Track, Authenticate, Secure: 6 Best Practices for Successful PAM


Tech Insights for ProfessionalsThe latest thought leadership for IT pros

Tuesday, November 15, 2022

What best practices should you be following to protect your most powerful and privileged user accounts?


Hackers who have access to login details for your business can cause major problems. Whether they have acquired usernames and passwords through phishing attacks, other data breaches or from insider threats, compromised accounts can be one of the biggest vulnerabilities for any business.

But not all accounts are equal. There will always be a few, such as admin accounts, that provide especially high levels of access, so protecting these from threats must be a top priority for any cyber security strategy. To do this, an effective PAM plan is essential.

What is PAM?

Privileged access management, or PAM, covers all the processes and protections you put in place for accounts that can access your most sensitive and mission-critical systems. This includes access to domain admins, services, applications and root accounts that are likely to be highly valuable targets for hackers.

With access to these systems, criminals or malicious insiders could do huge amounts of damage. Therefore, it's vital that privileged accounts are held to the highest possible standards in order to protect systems and data from threats - both those from outside the business and from malicious insiders.

6 best practices to make PAM a success

In order to ensure PAM efforts are working, there are a range of best practices that you should be following. Here are a few essential steps that must be a part of this.

1. Keep track of every privileged account

Step one should always be to ensure you have a complete overview of every privileged account on your network. This needs to be a continuous process rather than a one-off audit, as change is a constant for any complex network and new privileged accounts will frequently be required.

Your inventory should record who owns each account and exactly what it can do, and should track how it is being used. Then, if noncompliance with usage policies is detected, you can instantly revoke its privileges.

2. Adopt the principle of least privilege

The principle of least privilege - where an account is only permitted access to the minimum resources required for a user to do their job and no more - is at the heart of any PAM strategy. But it is rarely as simple as assessing an individual's needs and responsibilities.

Occasionally, a user may need a higher level of access than normal. In such cases it's important to use temporary escalations that are revoked after a fixed period. Requests for raised access should include a detailed description of the access needed and why, and a clear end date. Without this, escalated privileges are easily forgotten, leaving you with many over-privileged accounts that you may not be fully aware of.
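The two practices above (a continuously maintained inventory that names an owner and capabilities for each privileged account, and temporary escalations that carry a justification and an end date) can be modelled in a few lines. The following is an added example written for this article, not code from the article's author or from any PAM product; the account names, the eight-hour ceiling on a temporary grant and the reference time are assumptions made for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ESCALATION_HOURS = 8  # assumed policy ceiling for any temporary grant


@dataclass
class Escalation:
    role: str
    justification: str
    granted_at: datetime
    expires_at: datetime


@dataclass
class PrivilegedAccount:
    name: str
    owner: str                     # named person accountable for the account
    standing_roles: set[str]       # permanent entitlements
    escalations: list[Escalation] = field(default_factory=list)


class Inventory:
    """Register of privileged accounts with time-bound escalations."""

    def __init__(self) -> None:
        self.accounts: dict[str, PrivilegedAccount] = {}

    def register(self, name: str, owner: str, roles: set[str]) -> PrivilegedAccount:
        acct = PrivilegedAccount(name, owner, set(roles))
        self.accounts[name] = acct
        return acct

    def request_escalation(self, name: str, role: str, justification: str,
                           hours: int, now: datetime) -> Escalation:
        # A grant without a reason or an end date is exactly what leaves
        # forgotten over-privileged accounts behind, so both are mandatory.
        if not justification.strip():
            raise ValueError("escalation requires a written justification")
        if not 0 < hours <= MAX_ESCALATION_HOURS:
            raise ValueError(f"duration must be between 1 and {MAX_ESCALATION_HOURS} hours")
        acct = self.accounts[name]
        esc = Escalation(role, justification, now, now + timedelta(hours=hours))
        acct.escalations.append(esc)
        return esc

    def effective_roles(self, name: str, now: datetime) -> set[str]:
        """Standing roles plus any escalation whose end date has not passed."""
        acct = self.accounts[name]
        live = {e.role for e in acct.escalations if e.expires_at > now}
        return acct.standing_roles | live

    def expire_escalations(self, now: datetime) -> list[tuple[str, str]]:
        """Scheduled sweep: drop every escalation past its end date, return what was revoked."""
        revoked: list[tuple[str, str]] = []
        for acct in self.accounts.values():
            keep = []
            for e in acct.escalations:
                if e.expires_at <= now:
                    revoked.append((acct.name, e.role))
                else:
                    keep.append(e)
            acct.escalations = keep
        return revoked

    def revoke_all(self, name: str) -> None:
        """Instant revocation when an account is found in breach of usage policy."""
        acct = self.accounts[name]
        acct.standing_roles.clear()
        acct.escalations.clear()


T0 = datetime(2022, 11, 15, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def run_demo() -> dict:
    inv = Inventory()
    inv.register("alice", "Alice Example", {"read-only"})   # constructed account
    inv.request_escalation("alice", "domain-admin",
                           "CHG-0001: apply patch to DC01", 4, T0)
    before = inv.effective_roles("alice", T0)
    later = T0 + timedelta(hours=5)
    after = inv.effective_roles("alice", later)       # grant is already past its end date
    revoked = inv.expire_escalations(later)
    try:                                              # blank justification must be refused
        inv.request_escalation("alice", "domain-admin", "   ", 2, T0)
        rejected = False
    except ValueError:
        rejected = True
    return {"before": before, "after": after, "revoked": revoked, "rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

The point of `effective_roles` taking a timestamp is that an expired grant stops counting the moment its end date passes, even if the clean-up sweep has not run yet; the sweep then produces the list of revocations that should be written to the audit trail.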

3. Ensure your password policy is enforced

Strong password policies are a must-have for any login details, but privileged accounts should be held to especially strict requirements. These include:

  • A minimum password length
  • Use of multiple special characters
  • No use of default or reused passwords
  • Passwords changed regularly
  • Multi-factor authentication

A password manager can be highly useful in maintaining these standards, as it removes much of the manual work for the individual user. By encoding clear password rules in it, you can also ensure policies are being followed, for example by mandating a change after a set period or refusing to accept weak passwords.
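The list above turns into a small enforcement routine: check the length and special-character floor, refuse known defaults, refuse reuse by comparing against salted digests of previous passwords (never the plaintext), and flag accounts whose password is older than the rotation period. This is an added example written for this article, not code from the article's author or from any password manager; the 16-character minimum, the two-special-character floor, the 90-day rotation, the deny list and the account name are assumptions. Multi-factor authentication is enforced by the identity provider at sign-in and is out of scope for a password checker.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 16          # assumed: privileged accounts get a longer floor than ordinary users
MIN_SPECIAL = 2          # assumed
MAX_AGE_DAYS = 90        # assumed rotation period
PBKDF2_ROUNDS = 100_000
SPECIALS = set(string.punctuation)
# Constructed deny list of vendor defaults; a real deployment loads a far longer one.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "passw0rd!", "root", "letmein"}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted slow hash so the reuse history cannot be reversed if it leaks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PrivilegedPasswordPolicy:
    def __init__(self) -> None:
        self._history: dict[str, list[tuple[bytes, bytes]]] = {}  # account -> (salt, digest)
        self._set_at: dict[str, datetime] = {}

    def check(self, account: str, candidate: str) -> list[str]:
        """Return the rules the candidate violates; an empty list means it is acceptable."""
        problems = []
        if len(candidate) < MIN_LENGTH:
            problems.append("length")
        if sum(ch in SPECIALS for ch in candidate) < MIN_SPECIAL:
            problems.append("special")
        if candidate.lower() in DEFAULT_PASSWORDS:
            problems.append("default")
        for salt, digest in self._history.get(account, []):
            if hmac.compare_digest(_digest(candidate, salt), digest):
                problems.append("reused")
                break
        return problems

    def set_password(self, account: str, candidate: str, now: datetime) -> None:
        problems = self.check(account, candidate)
        if problems:
            raise ValueError(f"password rejected: {', '.join(problems)}")
        salt = os.urandom(16)
        self._history.setdefault(account, []).append((salt, _digest(candidate, salt)))
        self._set_at[account] = now

    def rotation_due(self, account: str, now: datetime) -> bool:
        return now - self._set_at[account] > timedelta(days=MAX_AGE_DAYS)


T0 = datetime(2022, 11, 15, tzinfo=timezone.utc)  # constructed reference time


def run_demo() -> dict:
    policy = PrivilegedPasswordPolicy()
    weak = policy.check("svc-backup", "Passw0rd!")          # constructed weak candidate
    strong = "Tr0ub4dor&3-Horse#Staple"                     # constructed: 24 chars, 3 specials
    policy.set_password("svc-backup", strong, T0)
    reused = policy.check("svc-backup", strong)              # same password offered again
    return {
        "weak": weak,
        "reused": reused,
        "due_30d": policy.rotation_due("svc-backup", T0 + timedelta(days=30)),
        "due_91d": policy.rotation_due("svc-backup", T0 + timedelta(days=91)),
    }


if __name__ == "__main__":
    print(run_demo())
```

`check` returns every violated rule rather than stopping at the first, so the user sees the whole list at once; the reuse check uses `hmac.compare_digest` because the comparison runs on secret-derived values.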

4. Keep comprehensive audits of activity

Ongoing monitoring of activity is another vital step. This should look at which accounts are attempting to access sensitive resources, when they're doing so, how long they remain logged in and any activities they complete. Where possible, full session recording tools should be deployed to guarantee full visibility.

This can be used to raise alerts if any suspicious activity is spotted. Red flags may be anything from multiple failed login attempts to connecting from unusual locations or adjusting configurations in odd ways. Automatic responses can then shut down the account before damage is done while investigations are carried out.
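Two of the red flags named above, repeated failed logins and a sign-in from a location the account never uses, can be detected directly from the authentication log, with the automatic response being to lock the account pending investigation. The following is an added example written for this article, not code from the article's author or from any monitoring product; the log line format, the sample log lines, the three-failures-in-five-minutes threshold and the per-account location baseline are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format; real PAM and IdP logs differ but carry the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>OK|FAIL)$"
)
FAIL_THRESHOLD = 3                  # assumed: three failures inside the window
FAIL_WINDOW = timedelta(minutes=5)  # assumed
# Constructed baseline of where each privileged account normally signs in from.
BASELINE_GEO = {"admin-svc": {"GB"}, "dba-root": {"GB", "IE"}}

# Constructed sample log (documentation-range IPs); the last line is deliberately malformed.
SAMPLE_LOG = """\
2022-11-15T08:00:01Z user=admin-svc src=10.0.0.5 geo=GB result=OK
2022-11-15T08:10:00Z user=dba-root src=203.0.113.7 geo=GB result=FAIL
2022-11-15T08:10:20Z user=dba-root src=203.0.113.7 geo=GB result=FAIL
2022-11-15T08:11:05Z user=dba-root src=203.0.113.7 geo=GB result=FAIL
2022-11-15T08:30:00Z user=admin-svc src=198.51.100.9 geo=RU result=OK
this line is malformed and must be skipped
"""


def parse_event(line: str):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def analyse(log_text: str):
    """Return (alerts, locked_accounts); each alert is (user, reason, timestamp)."""
    alerts = []
    locked = set()
    recent_failures = defaultdict(list)   # user -> failure timestamps inside FAIL_WINDOW
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) >= FAIL_THRESHOLD and user not in locked:
                alerts.append((user, "repeated-failures", ts))
                locked.add(user)        # automatic containment pending investigation
        elif ev["geo"] not in BASELINE_GEO.get(user, set()):
            alerts.append((user, "unusual-location", ts))
            locked.add(user)
    return alerts, locked


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[0]:
        print(*alert)
```

The sliding window is recomputed on every failure so that three failures spread over an hour do not trigger, while three inside five minutes do; an account with no baseline entry is treated as having no known-good location, which errs on the side of alerting.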

5. Avoid using shared accounts

Shared admin accounts can be an easy shortcut for an IT team, but they come with a range of problems. The more people who know the access credentials, the more exposed the system is to phishing attempts, for example. It also means no one is accountable for actions taken on the account, whether careless handling of credentials or malicious actions within a system. Assigning privileged accounts to named individuals ensures admins take proper ownership of them.

6. Compare assigned privileges to actual usage

Finally, it also pays to compare the information you get from your monitoring and alert system with the expected roles and responsibilities of privileged account holders. This ensures you're not inadvertently giving access levels to people who don't actually need them.

For instance, a user may be able to read, create, destroy and modify data on a cloud storage platform. But if all they ever do in practice is read, you can comfortably revoke the higher-level privileges - and thereby minimize your security risk - without affecting their day-to-day work. This avoids over-privileged legacy accounts when someone's role has changed, for example, while retaining the option to add temporary permissions when needed.
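The comparison described here is a set difference between what each account is entitled to and what the monitoring system has actually seen it do within a review window. The following is an added example written for this article, not code from the article's author or from any PAM product; the entitlements, the usage events, the 90-day look-back and the account names are constructed for the demonstration. It also reports the reverse case, an action observed for an account with no matching entitlement on record, since that points at a gap in the inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=90)                          # assumed review window
NOW = datetime(2022, 11, 15, tzinfo=timezone.utc)      # constructed reference time

# Constructed entitlements on a cloud storage platform, per account.
ASSIGNED = {
    "bob":   {"read", "create", "modify", "destroy"},
    "carol": {"read", "modify"},
}

# Constructed usage events (timestamp, account, action) from the monitoring system.
USAGE_LOG = [
    (NOW - timedelta(days=1),   "bob",   "read"),
    (NOW - timedelta(days=40),  "bob",   "read"),
    (NOW - timedelta(days=120), "bob",   "modify"),   # older than LOOKBACK: ignored
    (NOW - timedelta(days=2),   "carol", "read"),
    (NOW - timedelta(days=10),  "carol", "modify"),
    (NOW - timedelta(days=3),   "dave",  "destroy"),  # no entitlement on record
]


def observed_usage(log, now, lookback):
    """Actions each account actually performed inside the look-back window."""
    used = defaultdict(set)
    for ts, account, action in log:
        if now - ts <= lookback:
            used[account].add(action)
    return used


def review(assigned, log, now, lookback=LOOKBACK):
    """For every account, split entitlements into keep / revoke and flag unassigned use."""
    used = observed_usage(log, now, lookback)
    report = {}
    for account in set(assigned) | set(used):
        granted = assigned.get(account, set())
        seen = used.get(account, set())
        report[account] = {
            "keep": granted & seen,             # entitlements in real use
            "revoke": granted - seen,           # granted but never exercised
            "unassigned_use": seen - granted,   # exercised with no entitlement on record
        }
    return report


if __name__ == "__main__":
    for account, verdict in sorted(review(ASSIGNED, USAGE_LOG, NOW).items()):
        print(account, verdict)
```

Run periodically, the `revoke` sets become candidate revocations for the account owner to confirm, and anything in `unassigned_use` should be treated as an inventory error or a control bypass until explained.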
