A post by Josh Conroy, Support Engineer at Thycotic Software.
When setting up security policies to protect your privileged accounts, administrators have to walk the fine line of providing security while still being convenient for the user.
Security measures that inconvenience the user and measures that leave gaps in security can both become a liability, and both are common reasons management dismisses security precautions. Here are four steps you can take to help properly secure your privileged accounts.
Changing Passwords Regularly and Using Strong Passwords. Passwords on privileged accounts should be updated system-wide on a regular basis. Rotating passwords regularly reduces the odds of passwords being cracked and helps mitigate the damage should an account be compromised.
Passwords for privileged accounts should be complex, difficult to guess and not repeated among accounts. The biggest hurdle when using complex passwords is that they are difficult to remember, and that difficulty encourages bad security practices such as writing passwords down on paper, reusing passwords and choosing weak passwords.
Central Access to Privileged Accounts. Keeping one centralized, protected source of credential data is more secure than keeping logins written on paper or saved in Excel files in multiple areas across your network. A centralized location will assist in tracking your accounts. It helps to limit access to this information while still providing easy access for administrators.
Auditing Access. It is important to know who has access to privileged accounts and how often these accounts are being used. This helps to clarify which accounts need special attention so that their security settings can be adjusted. For example, some accounts may require stricter access control, stronger passwords or a more aggressive password change schedule.
Restricting Access. Because privileged accounts have access to sensitive data and are used to run company-critical applications, you will want to limit who can access them. Only users that work directly with an account should have access to its password. This creates accountability when using accounts that are not directly tied to a user. Additionally, having a mechanism in place to restrict privileged account access greatly improves the level of security a company has over its accounts. For example, employee account usage can be monitored, which is often important when employees leave an organization.
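The rotation, auditing and restriction steps above can be checked against a vault's checkout log in one pass. The following is an added example written for this post, not Thycotic's or Secret Server's code; the account inventory, the log format and the 90-day rotation limit are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed inventory (assumption): each privileged account lists the users
# allowed to retrieve its password and the date it was last rotated.
ACCOUNTS = {
    "svc-backup":   {"allowed": {"alice"},        "last_rotated": date(2024, 1, 5)},
    "domain-admin": {"allowed": {"alice", "bob"}, "last_rotated": date(2024, 2, 20)},
    "sql-sa":       {"allowed": {"carol"},        "last_rotated": date(2023, 9, 1)},
}

# Constructed checkout log (assumption): "<ISO timestamp> <user> <account>" per line.
CHECKOUT_LOG = """\
2024-03-01T09:12:00 alice svc-backup
2024-03-01T10:40:00 bob domain-admin
2024-03-02T14:05:00 dave sql-sa
2024-03-03T08:30:00 alice domain-admin
2024-03-03T11:15:00 dave sql-sa
"""
AUDIT_DATE = date(2024, 3, 4)  # constructed "today" so the report is reproducible

def parse_checkouts(text):
    """Parse log lines into (timestamp, user, account) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, account = line.split()
            rows.append((datetime.fromisoformat(ts), user, account))
    return rows

def audit(accounts, log_text, today, max_age_days=90):
    """Report how often each account is used, which checkouts came from users
    outside the allowed set, and which passwords are older than the policy."""
    usage = Counter()
    unauthorized = defaultdict(list)
    for ts, user, account in parse_checkouts(log_text):
        usage[account] += 1
        # An account missing from the inventory has no allowed users at all.
        if user not in accounts.get(account, {}).get("allowed", set()):
            unauthorized[account].append((ts.isoformat(), user))
    stale = sorted(name for name, a in accounts.items()
                   if (today - a["last_rotated"]).days > max_age_days)
    return {"usage": dict(usage), "unauthorized": dict(unauthorized), "stale": stale}

if __name__ == "__main__":
    report = audit(ACCOUNTS, CHECKOUT_LOG, AUDIT_DATE)
    for account, n in sorted(report["usage"].items()):
        print(f"{account}: {n} checkout(s)")
    for account, hits in report["unauthorized"].items():
        print(f"UNAUTHORIZED {account}: {hits}")
    print("rotation overdue:", report["stale"])
```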
Following these steps will help with the protection of your privileged accounts, but implementation is always an important consideration. Using a credential storage system specifically focused on corporate use, such as Secret Server, can help accomplish these security points as well as make the transition from the current policy to a more secure policy as painless as possible.