If privileged account management is the number one cyber security priority, why are financial institutions still using manual processes?
With an alarming series of cyber breaches being perpetrated using compromised privileged credentials, regulators now expect financial institutions to be able to demonstrate the effectiveness of their privileged account management (PAM) controls. But few institutions are currently following PAM best practice.
EY teams are helping the region’s banks, insurers and asset managers implement new PAM solutions that streamline compliance, reduce risk and lower the cost of auditing and monitoring.
Why organizations should be concerned about privileged accounts
‘Privileged accounts’ give their holders, whether people or software, full access to and control over your organization’s most valuable and confidential information: customer identities, financial information, strategic information and personal data.
If privileged accounts are not managed with appropriate controls, they can be compromised by external, malicious actors (e.g. a cyber criminal) or by internal actors (e.g. a rogue administrator). Either can cause serious damage unless the misuse is spotted and stopped quickly.
Not surprisingly, the passwords, tokens, keys and certificates that come with privileged access are prime targets for cyber criminals. Unfortunately, these accounts are often protected by weak passwords that are rotated manually, if at all, and are easily shared between colleagues and teams.
Forrester estimates that at least 80% of data breaches have a connection to compromised privileged credentials.1 The SingHealth breach, which affected more than 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong, is one example.
In today’s increasingly complex IT environment, PAM is arguably a financial institution’s most critical cyber security control, more important than standard identity and access management, because a single compromised privileged account can undo every other control. Businesses that are not securing and managing these high-value targets carry an increased risk of insider threat and fraudulent employee activity. Considering the potential magnitude of a breach, Gartner has, for two years in a row, ranked PAM as the first security project CISOs should focus on in its Top 10 Security Projects.
Who has a privileged account in your institution?
Privileged accounts can be used by a human (DBAs, SysOps, network administrators, ITSecAdmins, helpdesk operators, data center technicians, change managers, release managers, website administrators, bloggers, brand ambassadors, and outsourced teams) or by software running with high privileges (application accounts, service accounts, or credentials embedded in a script or in code).
New regulatory focus on privileged access management
In the past five years, financial services regulators have started to focus on privileged access management. The region’s institutions already need to be mindful of:
- MAS TRM Guidelines, Singapore
- NIST Special Publication 800-53A Rev 4, US
- HIPAA, PCI DSS, FISMA and SOX compliance regulations, global
- GDPR (data protection by design and by default, Article 25), Europe
- Mandatory Data Breach Notification Laws, Australia
- APRA Prudential Standard CPS 234, Australia
Are you at risk?
- Do you have visibility of how privileged accounts are created, managed and decommissioned?
- Do you monitor the actions performed with privileged accounts?
- Do your administrators hold standing, always-on access to privileged accounts, rather than access granted for a task and then withdrawn?
- How are you controlling privileged application accounts, service accounts and accounts set to “password never expires”?
- Are people sharing the passwords of privileged accounts?
- Do you have approval mechanisms or expiry set for shared accounts, so that each use can be attributed to an individual?
How can you strengthen PAM controls?
Deploying a PAM solution is a complex undertaking that requires careful planning, disciplined execution and the right product. To remain compliant and avoid catastrophic breaches, institutions need to start now.
To manage privileged accounts effectively, you need PAM controls that sit within an integrated IAM process and technology framework. Identifying and moving towards a compliant target state starts with the following:
- Do not treat PAM as an IT-only initiative, especially when it addresses regulatory or audit concerns. Appoint executive-level sponsors empowered to make decisions as required, supported by committed stakeholders.
- Align your PAM plans with auditors and compliance managers early and often. Plan early for ongoing support by designating an experienced operational manager as the service owner.
- Hire experienced staff. It takes a long time to become skilled in PAM tools, control implementation and process re-engineering.
- Change management is key. Engage the business early and gain its buy-in.
- Streamline PAM processes – Review existing PAM processes to confirm that they align with industry standards and regulations. For example, remove unnecessary and unused privileged accounts, and make certain every privileged account has both an assigned owner and a secondary owner. Maintain an inventory of the human and non-human (application and service) accounts in the IT infrastructure. Business processes will likely need to change to accommodate segregation-of-duties requirements and the PAM tooling.
- Use proactive communication and training – to make certain the business adopts the new processes.
- Set up discovery scans – to identify the privileged accounts in the IT infrastructure.
- Automate PAM-related processes – such as discovery scans and account onboarding.
- Adopt a common PAM solution that will help you to:
  - Standardize access request processes to improve efficiency.
  - Restrict existing privileges – Limit the systems and devices on which each privileged account may be used, and the rights it carries there. By centrally managing role-based permissions for privileged access, PAM creates a less complex and audit-friendly environment for HIPAA, PCI DSS, FISMA and SOX compliance.
  - Record and audit privileged activity – Record privileged sessions, identify those with suspicious activity, and correlate the information using a SIEM, which analyses system and user activity, together with PAM session recordings, file integrity monitoring, database activity monitoring and data leakage prevention.
  - Monitor new privileged accounts – Run periodic discovery to identify new or unauthorized privileged accounts. Flag inactive privileged accounts for periodic recertification.
  - Align PAM-supported applications – Consider how tools that themselves depend on privileged credentials, such as remote access, patch management and vulnerability scanning, will behave once those credentials are vaulted and rotated. A single solution should cover all environments.
  - Clean up data – Discovering a privileged account does not mean it should be onboarded automatically. Best practice is to clean up accounts before onboarding them. This may be time consuming, but it is essential.
  - Create an asset inventory – Multiple privileged accounts, and orphaned accounts, are often created and then forgotten. An inventory of all existing privileged accounts reduces the attack surface.
  - Set up least privilege – Deploy policies that control the permissions of privileged users, and integrate with user behavior analytics to improve detection.
- Select an integrator well versed in both PAM processes and technology. A strong delivery framework and deep change-management skills are essential. Your integrator should have strong alliances with the relevant vendors and understand all the applicable regulations.
- Take a holistic approach. It is vital to be able to account for what every privileged account has access to. Use a standard access matrix based on the nature of the account and industry policies, with on-demand or just-in-time access. Set up tools such as SIEM, multi-factor authentication, user behavior analytics and endpoint privilege management to control and restrict the access of privileged users.
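The discovery, clean-up, inventory and recertification items above (and the “password never expires” question in the risk checklist) are easier to see as rules applied to a discovery export. The following is an added example, not EY’s tooling or any vendor’s product: it parses a constructed CSV in the shape a directory discovery scan might produce and triages each privileged account against the hygiene rules the text describes (not in the previous inventory, no assigned or secondary owner, password never expires, stale password, inactive beyond the recertification window, not yet vaulted). The group names, thresholds, column names and sample accounts are all assumptions for illustration.

```python
"""Triage a privileged-account discovery export against PAM hygiene rules.

Added example (not EY's tooling): the input is a constructed CSV in the shape a
directory discovery scan might export; the group names, thresholds and column
names are assumptions for illustration.
"""
import csv
import io
from datetime import date

# Assumed: membership of any of these groups makes an account privileged.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Account Operators",
    "Backup Operators", "sudo", "root", "db_owner",
}
INACTIVITY_DAYS = 90          # assumed recertification window
MAX_PASSWORD_AGE_DAYS = 365   # assumed rotation policy

# Constructed sample export; these are not real accounts.
SAMPLE_EXPORT = """\
account,type,groups,last_logon,password_last_set,password_never_expires,owner,secondary_owner,vaulted
alice.adm,human,Domain Admins,2024-05-28,2024-03-01,false,alice,bob,true
svc_backup,service,Domain Admins;Backup Operators,2024-05-30,2019-07-14,true,,,false
old_dba,human,db_owner,2023-11-02,2023-10-20,false,carol,,true
deploy_bot,application,sudo,2024-05-29,2024-05-01,false,dan,erin,false
helpdesk1,human,Account Operators,2024-05-30,2024-04-15,false,frank,gina,true
jdoe,human,Domain Users,2024-05-31,2024-05-01,false,,,false
"""

# Constructed: accounts recorded by the previous discovery run.
KNOWN_INVENTORY = {"alice.adm", "svc_backup", "old_dba", "helpdesk1", "jdoe"}


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "type": row["type"],
            "groups": {g for g in row["groups"].split(";") if g},
            "last_logon": date.fromisoformat(row["last_logon"]),
            "password_last_set": date.fromisoformat(row["password_last_set"]),
            "password_never_expires": row["password_never_expires"].lower() == "true",
            "owner": row["owner"],
            "secondary_owner": row["secondary_owner"],
            "vaulted": row["vaulted"].lower() == "true",
        })
    return rows


def is_privileged(acct):
    """An account is privileged if it belongs to at least one privileged group."""
    return bool(acct["groups"] & PRIVILEGED_GROUPS)


def triage(accounts, known_inventory, today):
    """Return {account: [finding, ...]} for privileged accounts only.

    Privileged accounts with no findings are present with an empty list, so a
    caller can distinguish 'clean' from 'not privileged' (which are omitted).
    """
    findings = {}
    for acct in accounts:
        if not is_privileged(acct):
            continue
        issues = []
        if acct["account"] not in known_inventory:
            issues.append("NOT_IN_INVENTORY")       # new or unauthorized: review before onboarding
        if not acct["owner"]:
            issues.append("NO_OWNER")
        if not acct["secondary_owner"]:
            issues.append("NO_SECONDARY_OWNER")
        if acct["password_never_expires"]:
            issues.append("PASSWORD_NEVER_EXPIRES")
        if (today - acct["password_last_set"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("STALE_PASSWORD")
        if (today - acct["last_logon"]).days > INACTIVITY_DAYS:
            issues.append("INACTIVE_RECERTIFY")
        if not acct["vaulted"]:
            issues.append("NOT_VAULTED")
        findings[acct["account"]] = issues
    return findings


def run_sample(today=date(2024, 6, 1)):
    """Triage the constructed export as of a fixed date, so results are stable."""
    return triage(parse_export(SAMPLE_EXPORT), KNOWN_INVENTORY, today)


if __name__ == "__main__":
    for account, issues in run_sample().items():
        print(f"{account:12} {', '.join(issues) or 'clean'}")
```

Run against the sample, the service account with a never-expiring password set in 2019 and no owner surfaces every rule except inactivity, the unowned-by-a-second-person DBA account is flagged for recertification, and the account absent from the previous inventory is reported before anyone onboards it. The non-privileged account is deliberately dropped rather than reported as clean, which is the distinction an auditor will ask about.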
As privileged accounts continue to be targeted and compromised, we expect regulators to tighten control requirements further. PAM is not a short journey, and starting early is the best way to limit transformation fatigue.
EY has been involved in numerous PAM transformations and has a dedicated team based in Asia with hands-on strategy and implementation experience ready to help you.
To find out more, contact the EY Financial Services team.
1 The Forrester Wave™: Privileged Identity Management, Q4 2018