BreachExchange mailing list archives
5 rules for effective privileged user account management
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 16 Feb 2016 09:19:42 -0600
http://business-reporter.co.uk/2016/02/15/5-ways-to-effectively-manage-privileged-user-accounts/

*The quarter of organisations set to review privileged activity by 2018 are also set to cut data leakage by a third, according to a new report by the cyber security experts at Gartner. Here are five ways to manage your accounts effectively.*

*1. Inventory privileged accounts and assign ownership*

First, know what you have and make sure somebody’s looking after it. “Organisations should start by using free autodiscovery tools offered by some PAM vendors to enable automated discovery of unmanaged systems and accounts across the range of infrastructure — but even those autodiscovery tools will not find everything,” says Gartner research director Felix Gaehtgens.

------------------------------

*2. Make sure shared account passwords are not shared*

Organisations must make sure that even approved users do not share their passwords, because this reduces accountability and compromises the accounts system. According to Gartner, this is a best practice and demanded by regulatory compliance. It also makes it less likely that passwords will leak to others.

------------------------------

*3. Minimise the number of privileged accounts*

By cutting the number of accounts with privileged access, an organisation can make its IT team’s job easier and make it easier to keep an eye on those that remain. Gartner says migrating to shared privileged accounts is recommended, although this requires the right tools to manage the risk and control issues that arise from their use.

------------------------------

*4. Establish processes and controls for managing shared account use*

As with all elements of cyber security, users must be clear on their duties and processes and the business must be able to detect who is doing what. By implementing the right privileged account management tools, organisations can create an audit trail that holds individuals to account and meets regulatory compliance requirements.

------------------------------

*5. Use privilege elevation for users with non-privileged access*

Users should have accounts with minimal rights for day-to-day work. “Never assign superuser privileges to these accounts, because these might exacerbate accidental actions or malware that can cause drastic consequences when used in a privileged environment,” says Gaehtgens.