Privileged Account Management (PAM) is the idea that special attention must be paid to users with elevated rights and privileges. Privileged users have an enormous amount of power. All organizations have some basic controls in place to limit or audit privileged activity.
But are you doing everything you should? Here are the best practices you can follow to take control of privileged users across your IT environment.
Types of Privileged Accounts
Privileged accounts exist in many forms across an enterprise environment, and they pose significant security risks if they are not protected, managed and monitored. Privileged user accounts also require special handling of their access.
The types of privileged accounts typically found across an enterprise environment may include:
- Domain administrative accounts have privileged administrative access across all workstations and servers within the domain.
- Emergency accounts provide unprivileged users with administrative access in the case of an emergency.
- Service accounts are privileged local or domain accounts. These accounts are used by an application or service to interact with the operating system.
- Active Directory or domain service accounts administer Microsoft Active Directory and all related services.
- Application accounts are accounts used for application management or application functions.
These privileged accounts usually have broad access to underlying company information that resides in applications and databases.
Privileged Account Management (PAM)
The Information Security Officer will enforce and ensure compliance.
Users with access privileges will be granted the minimum privileges required for their job. Non-administrative users will not have access to administrative system software or utilities.
Privileged or administrative accounts are intended for persons responsible for managing systems, databases and applications. All PAM systems will be centrally tracked, and the systems that log PAM information will be properly configured and secured.
Additionally, there are other considerations for secure account management.
Implement Secure Account Management Practices
The following secure account management practices for privileged accounts will also be maintained:
- Password-protected screen savers should be activated after a timeout of at most 15 minutes on all systems
- Automated account lockout should be enabled after a maximum of five failed attempts
- Authentication failures and successes should be logged and reviewed for security violations
- Accounts must have an expiration period of 12 months and will be reviewed every month
- Administration rights must be reviewed monthly
- A process must be established for notification of expired passwords
- Logical access control must be in place to identify a user
- Sharing user IDs and/or passwords is prohibited
- A complex password policy will be enforced
- Users will be provided with a unique initial password
- Users will change their password during the first logon
- Revalidation of all approved admin and user privileges will occur every 6 months
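As an added example (not part of the original article), the following script reviews constructed authentication log lines against three items in the list above: it flags the fifth consecutive failed attempt, at which point the automated lockout should have triggered, records every successful logon by a privileged account for review, and notes accounts seen from more than one host as candidates for a shared user ID. The log format, account names and host names are assumptions made for the example.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5                               # the list's "maximum of five attempts"
PRIVILEGED_ACCOUNTS = {"adm-jdoe", "svc-backup"}    # constructed example accounts

# Constructed sample log, one event per line: <timestamp> <FAIL|SUCCESS> user=<id> src=<host>
SAMPLE_LOG = """\
2024-05-01T08:00:01 FAIL user=adm-jdoe src=ws-17
2024-05-01T08:00:05 FAIL user=adm-jdoe src=ws-17
2024-05-01T08:00:09 FAIL user=adm-jdoe src=ws-17
2024-05-01T08:00:13 FAIL user=adm-jdoe src=ws-17
2024-05-01T08:00:17 FAIL user=adm-jdoe src=ws-17
2024-05-01T08:01:00 SUCCESS user=adm-jdoe src=ws-17
2024-05-01T08:05:00 FAIL user=alice src=ws-03
2024-05-01T08:05:10 SUCCESS user=alice src=ws-03
2024-05-01T09:00:00 SUCCESS user=svc-backup src=srv-db1
2024-05-01T09:00:30 SUCCESS user=svc-backup src=ws-42
"""

def parse_line(line):
    """Split one event into its fields; the format is the constructed one above."""
    ts, result, user_kv, src_kv = line.split()
    return {"ts": ts, "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}

def audit(log_text, threshold=LOCKOUT_THRESHOLD, privileged=PRIVILEGED_ACCOUNTS):
    """Return review findings as (kind, account, detail) tuples, in log order."""
    failures = Counter()            # consecutive failed attempts per account
    hosts = defaultdict(set)        # hosts each account successfully logged on from
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["result"] == "FAIL":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == threshold:   # lockout should trigger here
                findings.append(("LOCKOUT", ev["user"], ev["ts"]))
        elif ev["result"] == "SUCCESS":
            failures[ev["user"]] = 0                # a success resets the counter
            hosts[ev["user"]].add(ev["src"])
            if ev["user"] in privileged:            # every privileged logon is reviewed
                findings.append(("PRIV_LOGON", ev["user"], ev["src"]))
    # An account used from several hosts is a candidate for a shared user ID.
    for user, srcs in hosts.items():
        if len(srcs) > 1:
            findings.append(("MULTI_HOST", user, sorted(srcs)))
    return findings
```

Calling `audit(SAMPLE_LOG)` on the constructed log yields one LOCKOUT finding, three privileged logons, and one MULTI_HOST finding for the service account seen on both a server and a workstation; the non-privileged user with a single failure produces nothing.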