Since privileged accounts allow users to perform sensitive functions that could cause grave damage to the organization if misused, whether maliciously or accidentally, issuing privileged access must be rigorously controlled.
Creating and Issuing Privileged Accounts
Privileged access should be issued according to policies and procedures that do the following:
- Define a list of the positions/roles that need privileged access rights and specifically to which information systems and components of each system the access is needed.
- Require unique, identifiable accounts for attribution/nonrepudiation and prohibit the use of shared accounts and generic account names like Administrator.
- Define an expiration for privileged access rights wherever possible. Do not issue privileged access indefinitely by default; issue it on an as-needed basis for the minimum necessary period, and renew it only according to operational need.
- Assign privileged access rights to a separate account from those used for daily activities; each privileged user should also have a nonprivileged account.
- Privileged access to a data set should be granted and revoked by the data owner.
Protecting Privileged Accounts
Privileged access accounts should be protected according to policies and procedures that do the following:
- Require users to log out of their privileged access accounts when performing any functions that do not require privileged access
- Require the use of multifactor authentication for network access to privileged accounts
- Implement replay-resistant authentication mechanisms for network access to privileged accounts, such as authenticating over Transport Layer Security (TLS) and using challenge-response one-time authenticators
- Use stronger password restrictions than are mandated for regular user accounts; this can include elevated password complexity, more frequent change requirements, and lower threshold for lockout as a result of failed login attempts.
- Employ increased logging and monitoring of privileged activity compared to basic user access
Reviewing and Monitoring Privileged Accounts
Privileged accounts need to be monitored and reviewed regularly. Consider the following:
- Verify that the documentation that maps positions/roles to specific privileged access rights is current and accurate.
- Define a process and mechanism to collect and aggregate the current list of privileged account holders across all platforms.
- Perform a review of current users with privileged access rights:
  - Do their current tasks and skillsets align with the rights they have?
  - For all systems where access is applicable, have they used the privileged access recently? Do they still need privileged access?
  - Based on audit logs, have they used their privileged access account to perform daily tasks that did not require the permission level of the account?
Data owners should review privileged access to all data stores/systems under their purview more frequently than normal user access accounts.
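The review questions above can be answered mechanically from audit logs. The following script is an added example, not part of the original document: it takes a constructed role-to-rights mapping and a few constructed audit log lines (the account names, systems, actions and log format are all assumptions for the demonstration) and reports privileged accounts that have gone unused, privileged accounts used for daily tasks that needed no elevation, and privileged actions performed by accounts with no approved role mapping or under a generic name.

```python
"""Privileged-account review over audit logs.

Added example (not from the source document). The role mapping, the
privileged-action list, the account names and the log lines below are all
constructed; real directories and log sources will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role-to-rights map: which privileged account is approved for
# which system. Anything not listed here is unapproved.
APPROVED_PRIVILEGED = {
    "adm-alice": {"role": "DBA", "systems": {"db01"}},
    "adm-bob": {"role": "SysAdmin", "systems": {"web01", "db01"}},
    "adm-carol": {"role": "SysAdmin", "systems": {"web01"}},
}

# Actions that actually need elevated rights; anything else is a "daily
# task" that should be done from the user's non-privileged account.
PRIVILEGED_ACTIONS = {"sudo", "schema_change", "user_add", "service_restart"}

# Generic/shared account names that policy forbids (not attributable).
GENERIC_NAMES = {"administrator", "admin", "root", "sa"}

# Constructed audit log, one event per line:
# "<ISO timestamp> <system> <account> <action>"
SAMPLE_LOG = """\
2024-05-01T09:12:00 db01 adm-alice schema_change
2024-05-02T10:00:00 web01 adm-bob sudo
2024-05-02T10:05:00 web01 adm-bob read_mail
2024-05-02T10:07:00 web01 adm-bob browse_web
2024-03-01T08:00:00 web01 adm-carol service_restart
2024-05-03T11:00:00 db01 administrator user_add
2024-05-03T12:00:00 db01 adm-dave schema_change
"""

# Date the review is run (constructed); in practice use datetime.now().
REVIEW_DATE = datetime(2024, 5, 10)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, account, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "system": system,
                       "account": account, "action": action})
    return events


def stale_privileged_accounts(events, now, max_idle_days=30):
    """Approved privileged accounts whose last privileged action is older
    than max_idle_days, or that never appear in the log at all."""
    last_used = {}
    for e in events:
        if e["action"] in PRIVILEGED_ACTIONS:
            prev = last_used.get(e["account"], e["ts"])
            last_used[e["account"]] = max(prev, e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in APPROVED_PRIVILEGED
                  if last_used.get(a, datetime.min) < cutoff)


def daily_task_misuse(events):
    """Privileged accounts used for actions that do not need elevation."""
    misuse = defaultdict(list)
    for e in events:
        if e["account"] in APPROVED_PRIVILEGED and e["action"] not in PRIVILEGED_ACTIONS:
            misuse[e["account"]].append(e["action"])
    return dict(misuse)


def unapproved_privileged_use(events):
    """Privileged actions from generic names, from accounts with no role
    mapping, or on systems outside the account's approved set."""
    findings = []
    for e in events:
        if e["action"] not in PRIVILEGED_ACTIONS:
            continue
        entry = APPROVED_PRIVILEGED.get(e["account"])
        if e["account"].lower() in GENERIC_NAMES:
            findings.append((e["account"], e["system"], "generic account name"))
        elif entry is None:
            findings.append((e["account"], e["system"], "no role mapping"))
        elif e["system"] not in entry["systems"]:
            findings.append((e["account"], e["system"], "system not in role mapping"))
    return findings


def run_review(log_text=SAMPLE_LOG, now=REVIEW_DATE):
    """Run all three checks and return the findings as one dict."""
    events = parse_log(log_text)
    return {
        "stale": stale_privileged_accounts(events, now),
        "daily_task_misuse": daily_task_misuse(events),
        "unapproved": unapproved_privileged_use(events),
    }


if __name__ == "__main__":
    for name, result in run_review().items():
        print(f"{name}: {result}")
```

Each finding maps to one of the review questions: stale accounts are candidates for revocation, daily-task misuse points to users who are not switching to their non-privileged account, and unapproved use is either a gap in the role documentation or an account that should not exist. Feed it an export from the real directory and log source instead of the constructed samples.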