NIST Creates New Guidelines for Managing Privileged Accounts
Developed with industry partners, government draft guidelines for privileged account management are already being used in the financial sector to harden defenses against cyberattacks and misuse.
The draft guidelines from the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology, are available for public comment until Nov. 30, but are solid enough that organizations can take advantage of them now, said two of the publication’s authors.
“We view it as a how-to guide,” says Harry Perper, a cybersecurity engineer for the NCCoE and co-author of the guidelines. “You can apply it in whatever way makes sense in your organization, in each organization, because every organization is different.”
How Organizations Can Effectively Manage Privileged Accounts
The draft guidelines outline a system that organizations can use to manage privileged accounts, which can be difficult to control and frequently have little oversight — those who control the accounts by definition have broader access and authority than the average user.
Such accounts are “often described as the ‘keys to the kingdom,’” the guidelines’ executive summary notes. These can include accounts that permit the transfer of funds, that contain personally identifiable information on employees or are simply the passwords to a company’s social media page.
“I daresay we all have accounts that have high-value data that you would want privileged access only to it,” says Karen Waltermire, an NCCoE cybersecurity engineer and lead author. “We don’t dictate what is considered privileged.”
NCCoE’s draft guidelines apply to nearly any sector, Waltermire says, “but we focused on financial services because privileged account management there is mature, and they’re a very aware sector.”
The draft guidelines were developed in collaboration with financial service industry experts and technology companies, such as RSA and Splunk, and tested in a hybrid virtual/physical space.
Implementing the privileged access management (PAM) solution adds a new layer of security between users and the accounts they administer; the guidelines also include scenarios that outline the challenges privileged accounts present and propose solutions to them.
Put Privileged Access Management into Practice
In one scenario, a company develops a new app that needs access to a database. The directory administrator — who may be one of several people with privileged access — adds the app via a shared account, but there’s no record of which admin made that change or how.
A PAM solution for this would include strong authentication procedures, possibly even changing the password after each session, so that if mistakes are made, they can be more easily investigated without having to search through logs or rely on administrators’ memories.
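As an added illustration, not code from the article or from the NCCoE practice guide, here is a minimal model of the broker layer the scenario calls for: the shared account's password is held only by the broker, a named administrator can check it out only after strong authentication, every action in that session is recorded against the individual, and the password is rotated when the session ends. The account and administrator names and the upstream MFA result are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of a PAM credential broker sitting between admins and a shared account.
# Administrators never hold a long-lived secret; each session is tied to one named person.


@dataclass
class SharedAccount:
    name: str
    password: str
    checked_out_by: Optional[str] = None  # named admin holding the session, if any


@dataclass
class PamBroker:
    accounts: Dict[str, SharedAccount] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (event, admin, account, detail)

    def register(self, account: str) -> None:
        # The broker generates the secret; no human chooses or memorises it.
        self.accounts[account] = SharedAccount(account, secrets.token_urlsafe(24))

    def checkout(self, admin: str, mfa_verified: bool, account: str) -> str:
        # Strong authentication (MFA outcome assumed verified upstream) gates every checkout.
        if not mfa_verified:
            self.audit_log.append(("denied", admin, account, "strong authentication failed"))
            raise PermissionError(f"{admin}: strong authentication required")
        acct = self.accounts[account]
        if acct.checked_out_by is not None:  # one named holder at a time keeps attribution unambiguous
            raise RuntimeError(f"{account} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = admin
        self.audit_log.append(("checkout", admin, account, ""))
        return acct.password

    def record_action(self, admin: str, account: str, action: str) -> None:
        # Actions are only accepted from the admin who currently holds the session.
        if self.accounts[account].checked_out_by != admin:
            raise PermissionError(f"{admin} holds no session on {account}")
        self.audit_log.append(("action", admin, account, action))

    def checkin(self, admin: str, account: str) -> None:
        acct = self.accounts[account]
        if acct.checked_out_by != admin:
            raise PermissionError(f"{admin} holds no session on {account}")
        acct.password = secrets.token_urlsafe(24)  # rotate after each session: the old secret dies with it
        acct.checked_out_by = None
        self.audit_log.append(("checkin_rotate", admin, account, ""))

    def who_performed(self, account: str, action: str) -> List[str]:
        # Answers the scenario's question directly: which administrator made this change?
        return [adm for ev, adm, acc, det in self.audit_log
                if ev == "action" and acc == account and det == action]
```

The audit log is what lets the investigation skip the log-trawling and memory-jogging the article describes: the change is attributable to one person the moment it is recorded.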
The solutions are designed to work with a company’s available resources and not with any specific products, Waltermire says, even though they were developed with the assistance of specific commercial partners.
“We make these practice guides modular so that it is a solution, not the solution,” she says. “So you would be able to read the document and swap out Cisco for Juniper if your organization already has Juniper.”