Which user account security recommendation enhances user sign-in security?

Privileged access management (PAM) consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations condense their organization’s attack surface, and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence.

While privilege management encompasses many strategies, a central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.

Alternatively referred to as privileged account management, privileged identity management (PIM), or just privilege management, PAM is considered by many analysts and technologists as one of the most important security projects for reducing cyber risk and achieving high security ROI.

The domain of privilege management is generally accepted as falling within the broader scope of identity and access management (IAM). Together, PAM and IAM help to provide fine-grained control, visibility, and auditability over all credentials and privileges.

While IAM controls provide authentication of identities to ensure that the right user has the right access at the right time, PAM layers on more granular visibility, control, and auditing over privileged identities and activities. PAM is at the core of identity security, which is now widely recognized by analysts and IT leaders as central to protecting enterprise assets and users in an increasingly perimeterless, work-from-anywhere (WFA) world.

In this glossary post, we will cover: what privilege refers to in a computing context, types of privileges and privileged accounts/credentials, common privilege-related risks and threat vectors, privilege security best practices, and how PAM is implemented.


What Are Privileges and How Are They Created?

Privilege, in an information technology context, can be defined as the authority a given account or process has within a computing system or network. Privilege provides the authorization to override, or bypass, certain security restraints, and may include permissions to perform such actions as shutting down systems, loading device drivers, configuring networks or systems, provisioning and configuring accounts and cloud instances, etc.

In their book, Privileged Attack Vectors, authors and industry thought leaders Morey Haber and Brad Hibbert offer this basic definition: “privilege is a special right or an advantage. It is an elevation above the normal and not a setting or permission given to the masses.”

Privileges serve an important operational purpose by enabling users, applications, and other system processes elevated rights to access certain resources and complete work-related tasks. At the same time, the potential for misuse or abuse of privilege by insiders or outside attackers presents organizations with a formidable security risk.

Privileges for various user accounts and processes are built into operating systems, file systems, applications, databases, hypervisors, cloud management platforms, etc. Privileges can be also assigned by certain types of privileged users, such as by a system or network administrator.

Depending on the system, some privilege assignment, or delegation, to people may be based on role-based attributes, such as business unit (e.g., marketing, HR, or IT), as well as a variety of other parameters (e.g., seniority, time of day, special circumstance, etc.).

What Are Privileged Accounts?

A privileged account is considered to be any account that provides access and privileges beyond those of non-privileged accounts. A privileged user is any user currently leveraging privileged access, such as through a privileged account. Because of their elevated capabilities and access, privileged users/privileged accounts pose considerably larger risks than non-privileged accounts / non-privileged users.

Special types of privileged accounts, known as superuser accounts, are primarily used for administration by specialized IT employees and provide virtually unrestrained power to execute commands and make system changes. Superuser accounts are typically known as “Root” in Unix/Linux and “Administrator” in Windows systems.

Superuser account privileges can provide unrestricted access to files, directories, and resources with full read / write / execute privileges, and the power to render systemic changes across a network, such as creating or installing files or software, modifying files and settings, and deleting users and data. Superusers may even grant and revoke any permissions for other users. If misused, either in error (such as accidentally deleting an important file or mistyping a powerful command) or with malicious intent, these highly privileged accounts can easily wreak catastrophic damage across a system—or even the entire enterprise.

In Windows systems, each Windows computer has at least one administrator account. The Administrator account allows the user to perform such activities as installing software and changing local configurations and settings.

macOS, on the other hand, is Unix-like, but unlike Unix and Linux, is rarely deployed as a server. Users of Mac endpoints may run with root access as a default. However, as a macOS security best practice, a non-privileged account should be created and used for routine computing to limit the likelihood and scope of privileged threats.

In a least privilege environment, most users are operating with non-privileged accounts 90-100% of the time. Non-privileged accounts, also called least privileged accounts (LUA), generally consist of the following two types:

  • Standard user accounts have a limited set of privileges, such as for internet browsing, accessing certain types of applications (e.g., MS Office, etc.), and for accessing a limited array of resources, which is often defined by role-based access policies.
  • Guest user accounts possess fewer privileges than standard user accounts, as they are usually restricted to just basic application access and internet browsing.

Types of Privileged Accounts

While most non-IT users should, as a best practice, only have standard user account access, some IT employees may possess multiple accounts, logging in as a standard user to perform routine tasks, while logging into a superuser account to perform administrative activities.

Because administrative accounts possess more privileges, and thus, pose a heightened risk if misused or abused compared to standard user accounts, a PAM best practice is to only use these administrator accounts when absolutely necessary, and for the shortest time needed.

Examples of privileged accounts typically in an organization:

  • Local administrative accounts: Non-personal accounts providing administrative access to the local host or instance only.
  • Domain administrative accounts: Privileged administrative access across all workstations and servers within the domain.
  • Break glass (also called emergency or firecall) accounts: Unprivileged users with administrative access to secure systems in the case of an emergency.
  • Service account: Privileged local or domain accounts that are used by an application or service to interact with the operating system.
  • Active Directory or domain service accounts: Enable password changes to accounts, etc.
  • Application accounts: Used by applications to access databases, run batch jobs or scripts, or provide access to other applications.
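As an added example (not code from the original page or from any PAM vendor's product), the following Python script performs the kind of privileged-account discovery that an inventory of these account types starts from on a Linux host. It reads constructed /etc/passwd, /etc/group and /etc/sudoers excerpts and reports every account that has UID 0, is a member of an administrative group, or holds a sudoers grant, flagging service accounts (non-interactive shells) separately so they can be tracked as machine identities. The administrative group names, the sample accounts and the sudoers rules are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data standing in for /etc/passwd, /etc/group and /etc/sudoers.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root account:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
backup-svc:x:998:998:Backup service:/var/lib/backup:/usr/sbin/nologin
guest:x:1003:1003:Guest:/home/guest:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:
backup:x:998:
"""
SUDOERS = """\
# constructed sudoers excerpt
Defaults  env_reset
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
backup-svc  ALL=(root) NOPASSWD: /usr/bin/rsync
bob         ALL=(root) /usr/bin/systemctl restart nginx
"""

# Assumed: groups whose membership confers administrative rights on this host.
ADMIN_GROUPS = ("root", "sudo", "wheel", "admin")
# user-or-%group   host=(runas)   [tags:] commands
SUDO_RULE = re.compile(r"^(%?[\w.-]+)\s+\S+=\((.*?)\)\s*(.*)$")


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map account name -> {uid, shell} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "shell": shell}
    return accounts


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from group-format lines."""
    members = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        gname, _, _gid, mem = line.split(":")
        members[gname] = {m for m in mem.split(",") if m}
    return members


def parse_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (principal, runas, commands) for each user/group rule; tags like NOPASSWD: are dropped."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m:
            commands = m.group(3).split(":")[-1].strip()
            grants.append((m.group(1), m.group(2), commands))
    return grants


def find_privileged_accounts(passwd_text: str, group_text: str, sudoers_text: str) -> Dict[str, List[str]]:
    """Return {account: [reasons it is privileged]} for every account with elevated rights."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings: Dict[str, List[str]] = {name: [] for name in accounts}

    for name, info in accounts.items():
        if info["uid"] == 0:                       # any UID-0 account is a superuser, whatever its name
            findings[name].append("uid 0 (superuser)")
    for gname in ADMIN_GROUPS:
        for member in groups.get(gname, ()):
            if member in findings:
                findings[member].append(f"member of admin group '{gname}'")
    for principal, _runas, commands in parse_sudoers(sudoers_text):
        targets = groups.get(principal[1:], set()) if principal.startswith("%") else {principal}
        scope = "unrestricted sudo (ALL)" if commands == "ALL" else f"sudo limited to: {commands}"
        for target in targets:
            if target in findings:
                findings[target].append(f"{scope} via {principal}")
    for name, info in accounts.items():        # privileged but cannot log in interactively: a service account
        if findings[name] and info["shell"].endswith(("nologin", "false")):
            findings[name].append("service account (non-interactive shell)")
    return {name: reasons for name, reasons in findings.items() if reasons}


if __name__ == "__main__":
    for account, reasons in find_privileged_accounts(PASSWD, GROUP, SUDOERS).items():
        print(f"{account:12s} {'; '.join(reasons)}")
```

On the constructed data the script surfaces a second UID-0 account (toor), an administrator who never appears in sudoers directly but inherits ALL through group membership, and a service account with a narrow NOPASSWD grant, which is exactly the coverage gap the discovery phase of PAM is meant to close.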

Increasingly, privileged accounts are associated with a machine identity, rather than a human one. The proliferation of machine accounts, such as in RPA and other automated workflows, adds significant security complexity to IT environments and provides an important use case for PAM systems.

Privileged Threat Vectors—External & Internal

Hackers, malware, partners, insiders gone rogue, and simple user errors—especially in the case of superuser accounts—comprise the most common privileged threat vectors.

External hackers covet privileged accounts and credentials, knowing that, once obtained, they provide a fast track to an organization’s most critical systems and sensitive data. With privileged credentials in hand, a hacker essentially becomes an “insider”—and that’s a dangerous scenario, as they can easily erase their tracks to avoid detection while they traverse the compromised IT environment.

Hackers often gain an initial foothold through a low-level exploit, such as through a phishing attack on a standard user account, and then achieve lateral movement through the network until they find a dormant or orphaned account that allows them to escalate their privileges.

Unlike external hackers, insiders already start within the perimeter, while also benefitting from know-how of where sensitive assets and data lie and how to zero in on them. Insider threats take the longest to uncover—as employees, and other insiders, generally benefit from some level of trust by default, which may help them avoid detection. The protracted time-to-discovery also translates into higher potential for damage. Many of the most catastrophic breaches in recent years have been perpetrated by insiders.


How PAM Is Implemented / Key Solutions

Organizations with immature, and largely manual, PAM processes struggle to control privilege risk. Automated, enterprise-class PAM solutions can scale across millions of privileged accounts, users, and assets to improve security and compliance. The best solutions can automate discovery, management, and monitoring to eliminate gaps in privileged account/credential coverage, while streamlining workflows to vastly reduce administrative complexity.

The more automated and mature a privilege management implementation, the more effective an organization will be in condensing the attack surface, mitigating the impact of attacks (by hackers, malware, and insiders), enhancing operational performance, and reducing the risk from user errors.

While PAM solutions may be fully integrated within a single platform and manage the complete privileged access lifecycle, or be served by a la carte solutions across dozens of distinct use cases, they are generally organized across the following primary disciplines:

Privileged Account and Session Management (PASM): These solutions generally consist of privileged password management (also called privileged credential management or enterprise password management) and privileged session management components.

Privileged password management protects all accounts (human and non-human) and assets that provide elevated access by centralizing discovery, onboarding, and management of privileged credentials from within a tamper-proof password safe. Application-to-application password management (AAPM) capabilities are an important piece of this, ensuring that credentials used for application-to-application and application-to-database communication are appropriately managed and secured. This includes automatically removing embedded credentials from within code, vaulting them, and applying best practices as with other types of privileged credentials. Secrets management capabilities for DevOps and CI/CD workflows may sometimes be offered via standalone tools, or included as part of privileged credential management / PASM solutions.
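The "removing embedded credentials from within code" step above has two halves: finding the credentials and replacing them with a runtime lookup. As an added example (not code from the original page or from any PAM product), the Python below scans a constructed source excerpt for embedded secrets using keyword and connection-string patterns plus a Shannon-entropy hint, returning masked findings so the report itself does not leak the values, and shows the hardened `load_secret` pattern in which the credential is injected by the secrets manager at runtime (modelled here with an environment variable). The sample source, the pattern list and the helper names are assumptions.

```python
import math
import os
import re
from typing import Dict, List

# Constructed source excerpt with the kind of embedded credentials AAPM is meant to remove.
SAMPLE_SOURCE = '''\
import os
import psycopg2

DB_PASSWORD = "Summer2023!"                               # embedded secret
api_key = "c7e1-constructed-example-key-9f3a"             # embedded secret
conn_str = "Server=db01;User Id=app;Password=p@ssw0rd;"   # secret inside a connection string
token = os.environ["APP_DB_TOKEN"]                        # injected at runtime: not a finding
'''

# Assumed detection patterns: a secret-like name assigned a quoted literal, and a
# Password=/Pwd= pair inside a connection string.
PATTERNS = [
    ("assignment", re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
    ("connection-string", re.compile(r"(?i)(?:password|pwd)=([^;\"'\s]+)")),
]


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking material such as API keys scores higher than words."""
    if not value:
        return 0.0
    return -sum((value.count(c) / len(value)) * math.log2(value.count(c) / len(value))
                for c in set(value))


def mask(value: str) -> str:
    """Keep two characters for triage; the rest is never written to the report."""
    return value[:2] + "*" * (len(value) - 2)


def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per embedded credential, with line number, pattern kind and masked value."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                value = m.group(m.lastindex)          # the captured secret value
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "masked": mask(value),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return findings


def load_secret(name: str) -> str:
    """Hardened pattern: the credential is supplied by the vault / secrets manager at runtime
    (here via an environment variable) and never lives in the source tree."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} was not provided by the secrets manager")
    return value


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']:3d} {f['kind']:18s} {f['masked']} (entropy {f['entropy']})")
```

The scan reports the three embedded values and stays silent on the line that already reads its token from the environment; once a finding has been vaulted, the code calls `load_secret("APP_DB_PASSWORD")` (name assumed) and the vault is responsible for rotation, which is the property a tamper-proof password safe adds.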

Privileged session management (PSM) entails the monitoring and management of all sessions for users, systems, applications, and services that involve elevated access and permissions. As described above in the best practices section, PSM allows for advanced oversight and control that can be used to better protect the environment against insider threats or potential external attacks, while also maintaining critical forensic information that is increasingly required for regulatory and compliance mandates.
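To make the monitoring side of PSM concrete, here is an added example (not code from the original page or from any PSM product) that runs a few session-oversight rules over constructed sudo log lines in the standard syslog format: sudo by an account outside the approved administrator set, a service account stepping outside its command allow-list, an interactive root shell (which defeats per-command auditing), privileged activity outside an assumed change window, and commands that touch the local credential store or modify accounts. The administrator set, the allow-list, the change window and every log line are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sudo log lines in the usual syslog layout (one host, one day).
SAMPLE_LOG = """\
Mar 14 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 14 09:15:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 14 23:47:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 14 10:02:33 web01 sudo: backup-svc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /mnt/backup
Mar 14 10:05:00 web01 sudo:  mallory : TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 shadowadmin
"""

SUDO_LINE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+(?P<host>\S+)\s+sudo:\s+(?P<user>\S+)\s+:\s+"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# Assumed policy inputs: who may use sudo interactively, what each service account may run,
# and the hours during which privileged changes are expected.
APPROVED_ADMINS = {"alice", "bob"}
SERVICE_ALLOWLIST = {"backup-svc": {"/usr/bin/rsync"}}
CHANGE_WINDOW = range(8, 18)            # 08:00-17:59
SHELLS = {"bash", "sh", "zsh", "dash", "su"}
ACCOUNT_TOOLS = {"useradd", "usermod", "visudo", "passwd", "chpasswd"}


def parse_sudo_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one sudo syslog line into its fields, or None if it is not a sudo command record."""
    m = SUDO_LINE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["hour"] = int(entry["hour"])
    return entry


def assess(entry: Dict[str, object]) -> List[str]:
    """Apply the session-oversight rules to one parsed entry and return the reasons it is noteworthy."""
    user, cmd = str(entry["user"]), str(entry["cmd"])
    binary = cmd.split()[0]
    name = binary.rsplit("/", 1)[-1]
    reasons = []
    if user in SERVICE_ALLOWLIST:
        if binary not in SERVICE_ALLOWLIST[user]:
            reasons.append(f"service account ran a command outside its allow-list: {binary}")
    elif user not in APPROVED_ADMINS:
        reasons.append("sudo by account not in the approved administrator set")
    if name in SHELLS:
        reasons.append("interactive root shell (per-command audit trail lost)")
    if entry["hour"] not in CHANGE_WINDOW:
        reasons.append(f"privileged command outside change window (hour {entry['hour']:02d})")
    if "/etc/shadow" in cmd:
        reasons.append("access to local credential store")
    if name in ACCOUNT_TOOLS:
        reasons.append(f"privileged account change via {name}")
    return reasons


def audit_sudo_log(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per noteworthy sudo session, preserving the full command for forensics."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            alerts.append({"user": entry["user"], "host": entry["host"],
                           "command": entry["cmd"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in audit_sudo_log(SAMPLE_LOG):
        print(f"{alert['user']}@{alert['host']}: {alert['command']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The routine restart by an approved administrator and the backup job inside its allow-list produce nothing, while the root shell, the late-night read of /etc/shadow and the account creation by an unapproved user each become an alert that carries the exact command, which is the forensic record PSM is expected to retain.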

Which of the following Azure security features can help protect user accounts in the event that their password is compromised by an attacker?

We recommend you use Azure AD password protection, a dynamic banned password feature that uses current attacker behavior to prevent users from setting passwords that can easily be guessed.
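As an added example (not code from the original page or Microsoft's implementation), the Python below models the evaluation that a banned-password feature of this kind performs: it normalizes the candidate (lower-casing and undoing common character substitutions), searches it for terms from a global banned list, an optional tenant-specific list and user-specific tokens such as the account holder's name, and then scores it as one point per banned term found plus one point per remaining unique character, rejecting anything below five points. The tiny banned list, the substitution table and the five-point threshold are assumptions for the illustration (the documented service also applies fuzzy matching, which this example omits), so the verdicts are illustrative rather than what the Azure service would return.

```python
from typing import Dict, Iterable, List

# Assumed stand-in for the global banned list (the real one is maintained from observed attacks).
GLOBAL_BANNED = ["password", "summer", "winter", "welcome", "letmein", "qwerty", "admin", "contoso"]
# Assumed substitutions undone during normalization so that "P@ssw0rd" still reads as "password".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5   # assumed acceptance threshold


def normalize(password: str) -> str:
    """Lower-case and undo the common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate_password(password: str,
                      custom_banned: Iterable[str] = (),
                      user_tokens: Iterable[str] = ()) -> Dict[str, object]:
    """Score a candidate password against global, tenant and user-specific banned terms."""
    norm = normalize(password)
    banned_terms = set(GLOBAL_BANNED)
    banned_terms |= {normalize(t) for t in custom_banned}
    banned_terms |= {normalize(t) for t in user_tokens if len(t) >= 4}   # short names would over-match
    # Longest terms first so "password" is consumed before any shorter term inside it could be.
    ordered = sorted(banned_terms, key=lambda t: (-len(t), t))

    hits: List[str] = []
    remaining = norm
    for term in ordered:
        if term and term in remaining:
            hits.append(term)
            remaining = remaining.replace(term, " ")   # consumed characters no longer count
    unique_rest = {c for c in remaining if c != " "}
    score = len(hits) + len(unique_rest)
    return {
        "normalized": norm,
        "banned_hits": hits,
        "score": score,
        "accepted": score >= MIN_SCORE,
    }


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Welcome@Contoso1", "Tr0ub4dor&3"]:
        print(candidate, evaluate_password(candidate))
    print("Smith123", evaluate_password("Smith123", user_tokens=["Alice", "Smith"]))
```

The point the scoring makes is that decorating a banned word with digits or symbol substitutions adds almost nothing, because the substitutions are undone and the banned term counts as a single point however long it is; only characters that are not part of a banned term contribute to the score.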

How to secure identities with Azure Active Directory and implement users and groups?

Learning objectives:

  • Configure Azure AD and Azure AD Domain Services for security.
  • Create users and groups that enable secure usage of your tenant.
  • Use MFA to protect users' identities.
  • Configure passwordless security options.

What type of authentication technique is Microsoft Azure conditional access?

Multi-factor authentication (MFA) uses both a password, which should be strong, and an additional verification method. Block legacy authentication using Azure AD Conditional Access.

What are the authentication methods in Azure?

How each authentication method works.