Combat the insider threat with next-gen privileged access management
- By Dan Conrad
- Sep 23, 2019
Insider threats have the potential to cause great harm to national security. Fortunately, government continues to prioritize the insider threat, with the Center for Development of Security Excellence laying out new frameworks and even going as far as declaring September National Insider Threat Awareness Month.
Agencies can defend against insider threats by focusing on controlling privileged access. Such access lets administrators manage every part of the enterprise IT environment, which is exactly what makes it so hard to control. Here are three ways to implement stronger privileged access management (PAM).
1. Audit all privileged accounts
First, take an inventory of all privileged accounts. To mitigate the risks they pose, agencies must know how many there are and who has access to them. Agency leaders should keep that inventory current and make sure all access to those accounts is properly managed.
Once an inventory is established, privileged access should be audited on a regular basis. Automated audits can provide detailed, real-time governance reports to ensure compliance with changing policies and regulations. In many cases regular audits are a requirement, making automation essential, but this capability can go beyond checking the box for compliance. It allows the agency to see where it is most vulnerable to internal security breaches and unveils opportunities to reduce risk.
PAM solutions that generate reports can give system administrators visibility into when privileged passwords were changed and what potentially harmful commands were used and by whom. This audit capability can also be critical to determining the root cause of a breach after it happens, limiting the damage.
2. Establish a zero-trust policy
Strong security and compliance also require a least-privilege approach, which is why many agencies are focused on the concept of zero trust. This practice requires granting the least access necessary for users to do their jobs and is based on verifying access requests, the context of the request and the risk of the access environment. Doing so limits harmful actions -- malicious or unintentional. Solutions should provide granular delegation and control, meaning privileged accounts get appropriate access -- nothing less and nothing more.
Another way to minimize the risk of data compromise is to deploy one-time password functionality. This means that users like third-party contractors, who are often targeted by external attackers, can’t share privileged credentials to IT resources.
The zero-trust approach goes beyond just the user. Agencies should not, for example, connect a laptop that has recently been used in foreign countries to their IT networks.
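The three ideas in this section (least access per user, verifying each request against its context, and one-time credentials that cannot usefully be shared) fit together in a credential checkout flow. The following is an added toy vault written for this article; it is not any product's API, and the entitlement table, device posture records and the 30-day travel rule are constructed assumptions. Each checkout is allowed only if the user is entitled to the target and the device context passes, and the credential issued is consumed exactly once.

```python
"""Toy privileged-credential vault: context-checked checkout of single-use credentials.
Constructed example; not any vendor's implementation."""
import secrets
from datetime import datetime, timedelta, timezone

# Least-privilege delegation table (assumption): which targets each user may request.
ENTITLEMENTS = {
    "jsmith": {"db01"},
    "contractor7": {"web01"},
}

# Constructed device posture records standing in for an endpoint/context check.
DEVICE_POSTURE = {
    "lt-0042": {"managed": True, "last_foreign_travel": None},
    "lt-0099": {"managed": True, "last_foreign_travel": "2019-09-18"},
}

TRAVEL_QUARANTINE = timedelta(days=30)  # assumption: how long recent foreign use blocks access


class Vault:
    def __init__(self, ttl=timedelta(minutes=15)):
        self._issued = {}   # token -> record of who may use it, for what, until when
        self.audit = []     # every decision, allow or deny, for later review
        self.ttl = ttl

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def checkout(self, user, target, device_id, now):
        """Return a one-time credential if the request passes entitlement and context checks, else None."""
        if target not in ENTITLEMENTS.get(user, set()):
            self._log("deny", user=user, target=target, reason="not entitled")
            return None
        posture = DEVICE_POSTURE.get(device_id)
        if posture is None or not posture["managed"]:
            self._log("deny", user=user, target=target, reason="unmanaged device")
            return None
        travel = posture["last_foreign_travel"]
        if travel is not None:
            travel_dt = datetime.fromisoformat(travel).replace(tzinfo=timezone.utc)
            if now - travel_dt < TRAVEL_QUARANTINE:
                self._log("deny", user=user, target=target, reason="recent foreign travel")
                return None
        token = secrets.token_urlsafe(24)  # the credential handed to the user
        self._issued[token] = {"user": user, "target": target,
                               "expires": now + self.ttl, "used": False}
        self._log("checkout", user=user, target=target)
        return token

    def redeem(self, token, target, now):
        """Consume a credential exactly once for its intended target; returns True on success."""
        rec = self._issued.get(token)
        if rec is None or rec["used"] or rec["target"] != target or now > rec["expires"]:
            self._log("deny", target=target,
                      reason="invalid, reused, expired or wrong-target credential")
            return False
        rec["used"] = True  # single-use: a shared or copied credential is worthless after this
        self._log("redeem", user=rec["user"], target=target)
        return True


def denial_count(vault):
    """How many requests the vault refused; handy for reporting."""
    return sum(1 for e in vault.audit if e["event"] == "deny")


if __name__ == "__main__":
    v = Vault()
    now = datetime(2019, 9, 23, 9, 0, tzinfo=timezone.utc)
    print("jsmith -> web01:", v.checkout("jsmith", "web01", "lt-0042", now))        # None: not entitled
    print("jsmith -> db01 (travelled laptop):", v.checkout("jsmith", "db01", "lt-0099", now))
    tok = v.checkout("jsmith", "db01", "lt-0042", now)
    print("first use:", v.redeem(tok, "db01", now), "second use:", v.redeem(tok, "db01", now))
    for entry in v.audit:
        print(entry)
```

Because every allow and deny lands in `vault.audit`, this also feeds the auditing step from the previous section: a contractor repeatedly requesting targets outside their entitlement shows up as a pattern, not as a silent failure.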
3. Track user behavior
Behavioral analytics can also help defend against insider threats. This technology uses machine learning to monitor and analyze user behavior and develop a baseline of normal activity. If a specific user or entity deviates from the baseline, the system flags the anomalous behavior so immediate action can be taken to prevent a breach.
This technology is of utmost importance for privileged accounts, which are prime targets for an insider attack, or a breach that takes advantage of user credentials. With its contextual information and risk-based prioritization of privileged sessions, behavior analytics technology shortens the time to detect a security incident. With this in mind, agencies should closely track the behavior of individuals with privileged access so they can quickly spot unusual activity.
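The baseline-and-deviation logic described here can be shown in a few dozen lines. The following added example (written for this article, not taken from One Identity or any analytics product) builds a per-user baseline from constructed session history, scores new sessions by how far they deviate, weights privileged accounts higher, and returns a risk-ordered list, which is the prioritization the paragraph refers to. The features, thresholds and 1.5x privileged weighting are assumptions; a production system would use far more features and a trained model rather than simple z-scores.

```python
"""Baseline-and-deviation scoring for privileged sessions over constructed data."""
from statistics import mean, pstdev

# Constructed history per user: (commands in session, hour of day started, distinct hosts touched).
BASELINE_SESSIONS = {
    "jsmith": [(12, 9, 1), (15, 10, 1), (11, 14, 2), (14, 9, 1), (13, 11, 1), (10, 16, 1)],
    "contractor7": [(30, 10, 3), (28, 11, 3), (35, 9, 4), (32, 13, 3), (29, 10, 3), (31, 12, 4)],
}

# Constructed new sessions to score against the baseline.
NEW_SESSIONS = [
    {"id": "s1", "user": "jsmith", "cmds": 13, "hour": 10, "hosts": 1},
    {"id": "s2", "user": "jsmith", "cmds": 60, "hour": 3, "hosts": 5},
    {"id": "s3", "user": "contractor7", "cmds": 33, "hour": 11, "hosts": 3},
    {"id": "s4", "user": "contractor7", "cmds": 34, "hour": 22, "hosts": 3},
]

PRIVILEGED_USERS = {"jsmith", "contractor7"}  # assumption: from the PAM inventory
Z_THRESHOLD = 3.0          # deviations beyond 3 standard deviations count
PRIVILEGED_WEIGHT = 1.5    # privileged accounts get prioritized


def build_baseline(history):
    """Per-user mean and population stdev per numeric feature, plus the observed hour range."""
    baseline = {}
    for user, sessions in history.items():
        cmds = [s[0] for s in sessions]
        hours = [s[1] for s in sessions]
        hosts = [s[2] for s in sessions]
        baseline[user] = {
            "cmds": (mean(cmds), pstdev(cmds)),
            "hosts": (mean(hosts), pstdev(hosts)),
            "hours": (min(hours), max(hours)),
        }
    return baseline


def zscore(value, stats):
    """Standard score; a zero-variance feature contributes nothing rather than dividing by zero."""
    m, sd = stats
    return 0.0 if sd == 0 else (value - m) / sd


def score_session(session, baseline, privileged_users=PRIVILEGED_USERS):
    """Return (score, reasons). Higher score means larger deviation from the user's own baseline."""
    b = baseline.get(session["user"])
    if b is None:
        return 5.0, ["no baseline for user"]  # unknown actor on a privileged path is itself notable
    score, reasons = 0.0, []
    zc = zscore(session["cmds"], b["cmds"])
    if zc > Z_THRESHOLD:
        score += zc
        reasons.append(f"command volume z={zc:.1f}")
    zh = zscore(session["hosts"], b["hosts"])
    if zh > Z_THRESHOLD:
        score += zh
        reasons.append(f"host spread z={zh:.1f}")
    lo, hi = b["hours"]
    if not (lo - 1 <= session["hour"] <= hi + 1):
        score += 2.0
        reasons.append(f"hour {session['hour']} outside {lo}-{hi}")
    if session["user"] in privileged_users:
        score *= PRIVILEGED_WEIGHT
    return score, reasons


def prioritize(sessions, baseline, privileged_users=PRIVILEGED_USERS):
    """Risk-ordered list of (session id, score, reasons), dropping sessions with no deviation."""
    scored = []
    for s in sessions:
        score, reasons = score_session(s, baseline, privileged_users)
        if score > 0:
            scored.append((s["id"], score, reasons))
    return sorted(scored, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SESSIONS)
    for sid, score, reasons in prioritize(NEW_SESSIONS, baseline):
        print(f"{sid}: score {score:.1f}; " + "; ".join(reasons))
```

Session s2 (an account that normally runs a dozen commands on one host during business hours suddenly running sixty across five hosts at 3 a.m.) comes out far ahead of s4, where the only deviation is an evening start. That ordering, with the reasons attached, is what lets an analyst act on the worst session first rather than wading through every alert.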
Every action taken on a privileged account, from sharing passwords to executing commands on remote servers, must be monitored in today’s sophisticated threat environment. PAM -- particularly when coupled with emerging approaches to identity access management like behavioral analytics -- can help agencies stay secure and keep their IT networks aligned with evolving compliance requirements. When equipped with the right tools and technology, government stands a better chance of preventing privileged ID theft and insider threat attacks.
Dan Conrad is federal CTO and field strategist at One Identity.