Okay, you have a password vault. Now what?

By David Geer

When you look at the major breaches over the past few years, two things have become abundantly clear.

First, attackers are no longer “hacking” in; they’re logging in using weak, stolen, or default passwords. Why go up against sophisticated technology when human fallibility and laziness is so much easier?

Second, the credentials they are after are the ones where they can do the most damage, or access the most sensitive information. Those are privileged credentials which are used to access critical systems, infrastructure, and data: the “keys to the kingdom.” A recent survey by Centrify revealed that these privileged accounts are involved in 74% of data breaches.

Password vaults to the rescue?

A password vault is one way to secure these privileged credentials. Vaults help discover and register all machines and then vault all shared, alternate admin, and service accounts. Subsequently, authorized privileged users can check out the password, perform the task required, and then check it back in, sometimes with brokered access so they never even see the user name and password for that machine or account.

Fifty-two percent of 1,000 IT decision makers surveyed by Centrify indicated their organizations don’t even have a password vault. So if you do, congratulations! You’re already ahead of the majority of your peers.

But password vaults and legacy PAM alone can’t cut it in an age where everything from containers to machines to services gets its own credentials. Google started new containers at a rate of more than two billion per week, and that was five years ago! How many new credentials can your vault create and assign per week securely? More importantly, by vaulting away passwords, organizations don’t reduce the attack surface; they leave many gaps to be exploited.

PAM has to be about a lot more than password vaults. Otherwise, how are you going to defend modern attack surfaces against nation-states and cybercrooks who have enough cash, tools, and elite hacker chops to find the weakest link in your organization and exploit its weak security hygiene?

Where to start?

One of the questions that often comes up with any project, but especially with one this critical, is: where to start?

Start by using Centrify’s PAM Maturity Model as a roadmap to identify where your organization is now and where to focus your PAM efforts. Let it guide you on your journey beyond the vault and legacy PAM to solid ground. There you can nurture advanced technology environments in the cradling arms of Centrify’s Cloud-Ready Zero Trust Privilege.

To beat the assault, go beyond the vault!

So, you have a password vault. But password vaults have limitations. They don’t reduce the attack surface. They don’t offer the level of accountability that strict regulatory compliance requires. Criminal hackers can easily exploit password vaults by creating SSH keys to open up backdoors. How do you ensure that users don’t abuse these privileges? It can be difficult to limit their access once they have it, and they can extend that access by leveraging vulnerabilities in the software they can touch.

You need to move beyond password vaults to phase two of Centrify’s PAM Maturity Model. There you can reduce the attack surface by consolidating identities and eliminating local accounts. Then you can implement privilege elevation controls and workflow for just-in-time privilege access. You can apply basic MFA for all privileged users to ensure the user is genuine.

You can integrate Just-In-Time Access (access right when you need it, for only as long as you need it) with your ITSM solution or IGA platform workflow as necessary to meet governance mandates. You can enforce Multi-Factor Authentication (MFA) at NIST Assurance Level-2, so the user must show something they know and present something they have to authenticate for privileged access.

If you’re one of the 21% of organizations still not using MFA for privileged admin access, you need to get out from under that statistic! That’s low-hanging fruit that can significantly harden your security posture.

Going all-in

Once you’ve taken your PAM maturity to Identity Consolidation with Least Access and Privilege, you’re in a much better place to stop privileged credential abuse.

But why stop there? Forty-five percent of organizations aren’t securing public and private cloud workloads with privileged access controls. Fifty-eight percent aren’t securing privileged access to Big Data. Sixty-eight percent aren’t securing privileged access to network devices. And nearly three-fourths, a whopping seventy-two percent, are not securing privileged access to those ever-multiplying containers!

If you plan on protecting modern attack surfaces – Big Data, the Cloud, DevOps, Containers, etc. – as well as your infrastructure, databases, and network devices, you’d better think about your endgame. Follow the Centrify PAM Maturity Model to its final stage as you Harden Your Environment with High Assurance. Here’s what that means.

You need to centralize management and security for service and app accounts. Criminal hackers usurp authority over any account that will get them what they want. App and service accounts that automate activities including those associated with Big Data environments allow cybercriminals to move laterally in your network to get to your most valuable data. Here’s how you stop them.

Host-based session, file, and process auditing and integration with SIEM tools enable high assurance that no one has skirted your privileged access controls.

Application secrets that programmers hard-code into software in plain text are easy pickings for savvy cyber thugs. Centrify secures all application passwords and secrets, from IP addresses to SSH keys, by vaulting them away from prying cyber eyes that scan your application code.
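As an added illustration of the point above (this is example code, not from the article or from Centrify): a small scanner that flags the three kinds of plaintext secrets the article names (passwords, IP address literals, SSH private keys) in a constructed source snippet, and shows that the same settings resolved at runtime from a secrets store produce no findings. The `vault_client` in the hardened variant is a hypothetical client name, not any real API.

```python
import re

# Patterns for the secret categories the article calls out; a pre-commit or CI
# scan like this catches them before the code reaches a repository.
PATTERNS = {
    "hardcoded_password": re.compile(
        r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{4,}["']"""),
    "ipv4_literal": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}

def scan_source(text):
    """Return (line_no, category, excerpt) for every source line matching a pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((line_no, name, line.strip()[:60]))
    return findings

# Constructed sample: a config module with secrets embedded in plain text.
VULNERABLE_SOURCE = '''
DB_HOST = "10.20.30.40"
DB_PASSWORD = "Sup3rS3cret!"
SSH_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA...
-----END OPENSSH PRIVATE KEY-----"""
'''

# Constructed hardened variant: the same settings fetched at runtime from the
# environment and a secrets store (hypothetical vault_client), so the repo holds
# only references, never the secret values themselves.
HARDENED_SOURCE = '''
import os
DB_HOST = os.environ["DB_HOST"]
DB_PASSWORD = vault_client.read("app/db_password")
SSH_KEY = vault_client.read("app/deploy_ssh_key")
'''

if __name__ == "__main__":
    for finding in scan_source(VULNERABLE_SOURCE):
        print("line %d: %s: %s" % finding)
    print("hardened findings:", scan_source(HARDENED_SOURCE))
```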

Centrify also leverages machine learning to assess all access behavior, including privilege elevation requests and use of applications, commands, and logins. Machine learning generates a risk score based on observations of user behavior and context, so you can use policies to automate decisions that stop questionable activities in real time when the risk is too high.

In this final stage of PAM maturity, apply MFA at NIST Assurance Level-3 whenever it’s feasible. At this level, MFA means two factors: your password plus a crypto-based hardware token such as a FIDO key or smart card.

Centrify has your back

Privileged credentials are the #1 attack vector based on findings from Forrester and now Centrify. Centrify is laser-focused on securing privileged credentials in the face of modern technological and environmental complexities, attack surfaces, and threats. At least 51% of IT leaders have a strong desire to adhere to PAM implementation best practices. Take stock of your data and the protection you get with a password vault, then consider Centrify Cloud-Ready Zero Trust Privilege to go beyond the vault to help secure your future.

Did you enjoy this article? If so, and you'd like to see more like it, post your requests here or reach me at [email protected]
