Humanizing Non-Human High Privileged Accounts

Tuesday, February 10, 2015

By: Walt Witucki

Every IT environment has them. They are called by a variety of names: non-human accounts, system accounts, service accounts, administrator accounts, shared accounts, group accounts, and the list goes on. What they have in common is that they carry exceedingly high privileges, often to the most critical areas of an IT environment.

In fact, the list of acronyms describing IT management tools for these accounts is almost as long: Privileged User Management (PUM); Privileged Identity Management (PIM); Privileged Account Management (PAM); and Privileged Account Security to name a few.

Unlike our personal accounts, which are tied to each of us individually by our HR system and managed by our Identity Management Systems, these non-human accounts present a management challenge when it comes to security in general and compliance in particular. The electricity sector is especially challenged by NERC-CIP management requirements around non-human accounts.

Why should I care?

The ninth annual Cost of Data Breach Study: Global Analysis by the Ponemon Institute found:

  • The average cost of a data breach increased by 15% to an average of $3.5 million per breach.
  • On a per-record basis, each compromised record in the US costs $246, the highest of all countries.
  • The most common causes of data breaches are malicious insiders and criminal intent.

So insiders are already inside your security perimeter, but your IDM system manages their accounts. What about those system administrators, the ones who use non-human accounts? This is precisely the problem statement.

The challenges?

Simply put: How do I remove an individual's ability to use a non-human account? How do I implement my required (NERC-CIP, SOX, HIPAA, etc.) password management controls? Any solution, of course, has to preserve the integrity of the operational environment while efficiently managing the account. Who wants to explain to our business colleagues that all databases were shut down so we could change passwords because a DBA resigned?

The path forward?

  1. Extend your IDM solution with Privileged Account Management (PAM) software. Your IDM solution already has many of the mechanisms in place to provide this functionality. A PAM solution will "humanize" those non-human accounts and hence extend your identity controls further across your environment.
  2. Pick a PAM solution that meets your needs. What level of control do your compliance auditors require? NERC-CIP, HIPAA and SOX require that access to data be granted on a need-to-know basis. This includes both users (the easy part) and IT system administrators. Additionally, outsiders are a risk. Defense-in-depth security strategies dictate that access management of high privileged accounts be in place in case perimeter security defenses are breached. Recent news accounts of hacks and data breaches drive this point home.
  3. Justify the purchase using dollars and sense. A PAM solution can be acquired and implemented for far less than the cost of an insider data breach.

Privileged Account Management is the next step in your IDM build-out. Let the identity management experts at Identropy help you manage all accounts with access to critical data and infrastructure.

Global Cost of Data Breach Study:

This was cross-posted from the Identropy blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
