5 rules for effective privileged user account management
15 February 2016
The quarter of organisations set to review privileged activity by 2018 are also set to cut data leakage by a third, according to a new report by the cyber security experts at Gartner. Here are five ways to manage your accounts effectively.
1. Inventory privileged accounts and assign ownership
First, know what you have and make sure somebody’s looking after it. “Organisations should start by using free autodiscovery tools offered by some PAM vendors to enable automated discovery of unmanaged systems and accounts across the range of infrastructure — but even those autodiscovery tools will not find everything,” says Gartner research director Felix Gaehtgens.
2. Make sure shared account passwords are not shared
Organisations must make sure that even approved users do not share their passwords, because this reduces accountability and compromises the accounts system. According to Gartner, this is a best practice and demanded by regulatory compliance. It also makes it less likely that passwords will leak to others.
3. Minimise the number of privileged accounts
By cutting the number of accounts with privileged access, an organisation can make its IT team’s job easier and make it easier to keep an eye on those that remain. Gartner says migrating to shared privileged accounts is recommended, although this requires the right tools to manage the risk and control issues that arise from their use.
4. Establish processes and controls for managing shared account use
As with all elements of cyber security, users must be clear on their duties and processes and the business must be able to detect who is doing what. By implementing the right privileged account management tools, organisations can create an audit trail that holds individuals to account and meets regulatory compliance requirements.
5. Use privilege elevation for users with non-privileged access
Users should have accounts with minimal rights for day-to-day work. “Never assign superuser privileges to these accounts, because these might exacerbate accidental actions or malware that can cause drastic consequences when used in a privileged environment,” says Gaehtgens. “Instead, use privilege elevation to allow temporary execution of privileged commands.”
For more on how efficient privileged account management can cut data loss, see our full report.