Do Your Agencies’ Users Know Too Much? Develop a Strategy for Privileged Accounts

There’s one in every family: The person who knows all the secrets. From helpful information like who to turn to for the cookie recipe that’s been passed down for generations to the financial, health and other personal details that need to be kept within the family. Luckily, there is no way to hack into the knowledge of your grandpa or mom. Government systems, however, aren’t always so secure. 

Grandpa would be considered a privileged user in IT – privy to everything, whether he needs access to the information or not. In government, gaining access to privileged accounts is a hacker’s dream. Without proper management, these accounts offer unlimited access to a wealth of valuable information. When the sensitive information includes national security details or the PII of millions of citizens, special measures need to be put in place. As threats evolve and the perimeter becomes more difficult to protect, agencies need to focus data access, especially for privileged user accounts.

Where to start? There are three steps to stronger privileged account management that can keep critical data secure. Agencies must be aware of and appropriately secure user accounts, take a least-privileged approach to access and monitor activities occurring within privileged accounts. Here’s what this looks like in action:

First, agencies must begin by ensuring appropriate identity access management (IAM) is applied to privileged accounts. This starts with knowing how many of these accounts exist within your agency, to provide an idea of where vulnerabilities lie. Once accounts are inventoried, multifactor authentication and secure credential storage become top priorities. This ensures users are who they say they are, thanks to not just a username and password combination, but also a physical token or a biometric qualifier.

Even with these measures in place, a least-privileged approach to access is essential. For an agency that deals with a large pool of citizen PII, this might mean only allowing access to a certain data set during a limited time period, so the user can perform a specific task. This means users only have access to what they need, no more and no less. To make this approach effective, it’s important that user privilege starts at the right level. Too much access creates vulnerabilities for the agency, but too little can create productivity challenges by requiring frequently issued temporary requests.

Lastly, while users are granted this access, agencies should log and monitor all user activity, especially on privileged accounts. From keystrokes to access attempts, having an audit trail of activity isn’t just necessary for compliance and reporting, but can help identify patterns that may suggest suspicious behavior or realize adjustments to privilege levels that could increase productivity. From a security perspective this is critical – misuse of information or access from locations where the user should not be can flag potential breaches and allow agencies to thwart damaging usage.

The reality of today’s IT environment dictates the need for a new approach to managing information and system access. Learn more about One Identity identity and access management solutions by listening to our webcast, Focusing on Activities, Not Just Access and gaining more information about better managing privileged accounts and creating a plan to stop hackers from accessing your agency’s privileged accounts.

 
Anonymous