Maintaining an accurate active directory of privileged access users is a growing challenge for businesses and government with huge potential consequences.
In April, a U.S. federal jury ordered Tata Consultancy Services to pay Epic Systems Corp. $940 million after a TCS employee used credentials from a previous contract to illegally access confidential data. The employee reportedly accessed an Epic Web portal using prior TCS credentials for more than two years and even shared the credentials with other TCS employees.
In addition to the long-term unauthorized access, other people used the TCS employee’s credentials to download more than 6,000 documents and 1,600 files between June 2012 and June 2014.
Clearly, failing to maintain an accurate active directory can present significant security concerns. Yet many companies and government agencies aren’t effectively addressing the issue.
A report released in June from the State Department’s inspector general found the agency had more than 2,600 inactive user accounts remaining on the agency's networks. And according to the recently released 2016 State of Privileged Account Management Report conducted by Thycotic, more than half of companies surveyed fail to properly enforce privileged credential control. Weak privileged account management (PAM) is a "rampant epidemic" within companies and governments globally, the report found.
"The most damaging cyberattacks occur when privileged credentials are stolen, giving attackers the same level of access as internal people managing the systems," said Jim Legg, CEO of Thycotic. "This puts an organization at the mercy of an attacker’s motivation — be it financial, ransomware or other harm to the business."
A primary way to fight against breaches and to stay on top of compliance, therefore, is to protect and control privileged user access. Locking down privileged accounts is more critical now than ever, because these types of attacks are on the rise.
"If you look at 2015 compared to 2014, there was about a 38% increase in the number of enterprise security incidents," said Colin Murphy, vice president and business unit executive for Privileged Access Management at CA Technologies.
Murphy said recent data also revealed that 1.3 million data records are lost or stolen each day due to breaches. That equates to 56,000 breached records every hour, 943 every minute, and 16 every second.
"The common thread is that many of those breaches occur because people are able to access and abuse a privileged account," said Murphy.
Privileged access management solutions have been around for a long time. However, recent high-profile breaches like the ones at Home Depot, JP Morgan and Target have brought more attention to the importance of protecting privileged accounts.
"In general, organizations are doing a lot better job today than they were three or four years ago," said Murphy. "But we are still seeing enterprise customers that don't have solutions in place to control privileged user access. There is still a long way to go."
Know what you are protecting
Preventing cyberattacks or stopping malicious actors from entering a system starts with ensuring an organization knows who has system access.
"You need to first understand where your network is, where your critical applications are and which applications your enterprise employees are using," said Murphy.
Organizations can start by conducting an inventory of their information assets.
This can be harder for organizations using public cloud services like Amazon Web Services or Microsoft Azure, because not all potentially sensitive enterprise data is stored within the confines of the company’s data center anymore.
"A lot of Fortune 1,000 enterprise information environments are getting more and more complicated by the day," said Murphy. "But you need to take inventory of where your information assets are, because only then you can understand the identities that are trying to access that data and where those identities are held."
Next, Murphy suggests setting up a system of controls around privileged access so that all privileged user traffic can be managed through one location.
Murphy also recommends companies use the "least privileged" approach to setting up privileged user access. In other words, only provide privileged user access to those who truly need it.
"The default should be to provide no privileged access, or very limited access. Then, based on an administrator's job or need to access certain systems, expand access to those systems as appropriate," he said.
Setting up this type of system, as well as enforcing strong multi-factor authentication and a program to monitor, record and audit all privileged activity happening within the organization, can give an enterprise a huge leg up in protecting itself from unauthorized access by hackers or internal bad actors.
PAM as a Service
The privileged account management report also found nearly two-thirds of companies still depend on manual methods to manage privileged accounts. Only 10% of companies have purchased a solution to automate PAM, the study found.
Automated PAM and PAM as a Service are other approaches companies can consider to bolster privileged access management, though Murphy believes wide adoption of true PAM as a Service is still a few years off.
"It’s going to be a while before most large enterprises are going to be comfortable with letting someone else manage the keys to their kingdom," he said. "There are certain enterprises that are ahead of the game and will be looking at it sooner, but we think broad adoption is still some ways off."