7 questions to ask to establish a strong PAM policy

December 11, 2023

PAM, or Privileged Access Management, is a technology that companies need in order to secure their data and systems properly in a rapidly changing world. This is especially true now that the proliferation of cloud and mobile applications makes it impossible to build a protective wall around the company’s most important assets. However, technology alone is not enough: implementing PAM also requires a strict privileged account policy.

To adopt PAM, these are seven essential questions to ask:

1. What privileged accounts exist in your organization?

Every company is different, so you must first map all privileged accounts in the organization. Which accounts carry higher risk and how are they related to the company’s activities? Once you have enough visibility, you can make better decisions and put the right security controls in place.

2. Who needs access to privileged accounts?

There are different types of privileged accounts. Some relate to human users, others to applications, systems or infrastructure. By grouping accounts based on this, you can determine the level of interaction and security controls that apply to each account. For example, should human users have administrative rights on their laptops? To open certain applications, do they need to know the password and how often it changes, or can the system transparently grant access?

Sometimes the greatest risk of a breach lies not within the organization but in the supply chain. If third parties gain access to privileged accounts, you no longer control how those accounts are used, and if they are misused, a great deal of sensitive data can become public. It is worth knowing that some of the most high-profile data breaches stem from a supply chain attack. Therefore, make sure you know which external parties can use privileged accounts.

3. Can you set time windows for using privileged accounts?

You need a clear picture of which systems will be accessed and when. For example, some accounting systems are only used at the end of a month or quarter. Backup systems run at preset times. And integration validation and vulnerability scanning are usually the result of a pre-planned penetration test. This type of information helps you identify when access to a privileged account is required. These time windows allow you to quickly distinguish behavior that appears normal from behavior that could indicate account abuse.
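One way to turn the time windows described above into a detection check, as an added example that is not part of the original article: each privileged account gets an approved window (weekdays, hours and, for the accounting account, month-end days only), and logon records outside their window, or for accounts with no window at all, are flagged. The account names, the policy and the log lines are constructed for illustration.

```python
from datetime import datetime, time

# Approved usage windows per privileged account (constructed policy).
# weekdays: Monday=0 .. Sunday=6; days_of_month restricts use to, e.g., month-end closing.
WINDOWS = {
    "svc_backup":   {"weekdays": range(0, 7), "start": time(1, 0), "end": time(4, 0)},
    "acct_closing": {"weekdays": range(0, 5), "start": time(8, 0), "end": time(18, 0),
                     "days_of_month": range(25, 32)},
    "pentest_scan": {"weekdays": range(0, 5), "start": time(9, 0), "end": time(17, 0)},
}

def in_window(account, when):
    """True if `when` falls inside the account's approved window.
    An account with no defined window is always out of window, so
    unexpected privileged use is flagged rather than silently accepted."""
    policy = WINDOWS.get(account)
    if policy is None:
        return False
    if when.weekday() not in policy["weekdays"]:
        return False
    dom = policy.get("days_of_month")
    if dom is not None and when.day not in dom:
        return False
    return policy["start"] <= when.time() < policy["end"]

def find_anomalies(log_lines):
    """Parse '<ISO timestamp> <account> <host>' lines; return those out of window."""
    anomalies = []
    for line in log_lines:
        ts, account, host = line.split()
        if not in_window(account, datetime.fromisoformat(ts)):
            anomalies.append((account, host, ts))
    return anomalies

# Constructed sample logon records for privileged accounts.
SAMPLE_LOG = [
    "2023-12-11T02:15:00 svc_backup db01",     # Mon 02:15, inside backup window
    "2023-12-28T14:02:00 acct_closing erp01",  # Thu 28th, month-end closing: inside
    "2023-12-11T14:02:00 acct_closing erp01",  # the 11th is not month-end: flagged
    "2023-12-30T23:40:00 acct_closing erp01",  # Saturday night: flagged
    "2023-12-11T11:00:00 svc_backup db01",     # backup account used mid-day: flagged
    "2023-12-11T10:00:00 unknown_admin dc01",  # no window defined: flagged
]

if __name__ == "__main__":
    for account, host, ts in find_anomalies(SAMPLE_LOG):
        print(f"ALERT: {account} on {host} at {ts} is outside its approved window")
```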

4. What to do if a privileged account falls into the hands of a hacker?

Many organizations are unprepared and have no incident response plan for situations in which a privileged account is compromised. Their response is often limited to resetting the password or disabling the affected account. But that is not enough. Once cybercriminals gain access to a privileged account, they can use it to gain even more privileges, steal data, install malware, and cover their tracks.

For example, if a domain administrator’s account is compromised, you should assume that the entire Active Directory is vulnerable and needs to be restored. Failure to do this risks creating a loophole that allows hackers to come back and do even more damage.

5. What is the risk of an account being misused by an insider?

Misuse by internal users can have consequences just as devastating as an attack from outside. Most employees do not need access to all critical systems (production systems, backup systems, financial systems) in the organization. Therefore, grant users access only to the systems they really need for their tasks. Don’t forget to revoke this access when someone takes on a new role in the organization and no longer uses their old role’s privileged accounts.

6. Does your organization have to follow certain rules?

Depending on the industry and the company, some organizations may be required to undergo regular audits, demonstrate compliance, and show that privileged accounts are adequately secured, especially when these accounts could give cybercriminals access to sensitive information and personal data.

7. Are privileged accounts explicitly part of your IT security policy?

Most organizations now have an IT security policy, but it often does not explicitly describe the use of and responsibilities for privileged accounts. Always define what is acceptable in terms of usage, what responsibilities come with privileged accounts, and what to do in the event of an anomaly. When this is written down well, it is easier after an incident to determine the root cause of an attack and what you need to do to prevent future incidents.

Once you’ve answered the questions above, you can invest in technology that will strengthen your PAM policy. In the final article in this three-part series, you’ll learn why security needs to be part of your company’s culture and delve deeper into the human aspect of a strong privileged account security policy.

This article is contributed by Vincent Malfroid, Business Development Manager at Arrow Electronics. Discover how Arrow and Delinea software helps you implement an effective PAM policy here.

Source: IT Daily
