It isn’t uncommon for IT organizations or businesses to use shared accounts that let their privileged administrators access the information they need to perform their jobs. If this is not handled carefully and appropriately, it carries some very detrimental risks that need to be addressed.
What are the Risks of Shared Accounts with Shared Passwords?
With passwords in the hands of more users, there is more opportunity to misuse and abuse privilege, both internally and through external attacks on the network. If the password is static, meaning it has no expiration date and is never rotated, the risks multiply. A static password can easily leave the business when staff change over. Weak passwords are also common where passwords are shared, because a simple password seems easier for multiple users to remember and keep track of. Even if there is no malicious intent within the organization, having more human hands accessing the shared account and sharing its password leaves more opportunity for human error. As we all know, hackers and attackers will exploit the probability of human error and vulnerabilities to gain access to a system.
Another risk of unmanaged shared accounts with shared passwords is the lack of accountability. If multiple users access the same account, there is no means to monitor or track individual users. Not only does this present professional challenges in the event of errors or missteps, it also makes it even harder to track external attacks by hackers. Attackers who gain access to a shared account can go unnoticed for months, until maximum damage has been done. With no means to track who is using a shared account, it is even easier for them to fly under the radar.
How PAM (Privileged Access Management) can help with managing shared accounts
Having a privileged access management strategy can minimize the risks associated with having shared accounts. Here’s how:
Password Rotation Based on Policy - Keeping the lifespan of administrative passwords short greatly reduces the risk of prolonged password sharing and of static or weak passwords. This can include one-time, exclusive-use passwords for individual sessions to minimize the risk further: the password is valid for a single use only, which eliminates lingering access to the shared account.
Revoking Privilege - Having the ability to revoke privileged access to shared accounts keeps those accounts more secure by granting privilege only when it is necessary, only to whom it is necessary, and only for as long as it is necessary. This minimizes the ability of users to access these accounts after their employment with the organization ends or if misuse has occurred.
Adding an Audit Trail - Tracking and recording shared account usage increases accountability and allows the use of these accounts to be monitored. This reduces the risk of a hacker snooping around accounts undetected, as any suspicious activity can be flagged and recorded.
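As an added illustration of the three controls above (not code from the original post or from CyberArk), here is a small Python model of a shared-account vault: exclusive checkout with a time-limited lease, rotation of the password on every release, revocation of an individual's access, and an audit trail that ties each use of the shared account to a named person. The account and user names are constructed.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class SharedAccountVault:
    """Toy model (constructed) of PAM controls on one shared account: exclusive
    checkout, rotation on release, revocation, and a per-person audit trail."""
    account: str
    authorized: set                       # individuals allowed to check out
    max_lease: timedelta = timedelta(hours=1)
    secret: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    lease: "tuple | None" = None          # (holder, expiry) while checked out
    audit: list = field(default_factory=list)
    def _log(self, user, event, now):
        self.audit.append((now.isoformat(), self.account, user, event))
    def _rotate(self, now, reason):
        # A released password is never reused: the next holder gets a fresh one.
        self.secret = secrets.token_urlsafe(24)
        self.lease = None
        self._log("system", "ROTATE:" + reason, now)

    def checkout(self, user, now):
        if user not in self.authorized:
            self._log(user, "DENIED:not_authorized", now)
            return None
        if self.lease is not None:
            holder, expires = self.lease
            if now < expires:
                self._log(user, "DENIED:in_use_by_" + holder, now)
                return None
            self._rotate(now, "lease_expired")  # abandoned checkout is invalidated
        self.lease = (user, now + self.max_lease)
        self._log(user, "CHECKOUT", now)
        return self.secret

    def checkin(self, user, now):
        if self.lease is None or self.lease[0] != user:
            self._log(user, "DENIED:not_holder", now)
            return False
        self._log(user, "CHECKIN", now)
        self._rotate(now, "checkin")
        return True

    def revoke(self, user, now):
        # Leaver or misuse: drop authorization and invalidate any live checkout.
        self.authorized.discard(user)
        self._log(user, "REVOKE", now)
        if self.lease is not None and self.lease[0] == user:
            self._rotate(now, "revoked_holder")
```

Every entry in `audit` names an individual, so the "who used the shared account" question the post raises can be answered even though all holders log in with the same account name.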
CyberArk is the leader in Privileged Access Management (PAM). Below is a high-level use case of how to handle shared accounts with the CyberArk CorePAS Solution. If you need more assistance with your CyberArk project rollout, contact us today.
Example Use Case – Functional Pool IDs
- Objective: Replace server local administrator access with Functional IDs managed by CyberArk
- Targets: Technical teams that have direct access to Windows local administrator accounts
- Password rotation (including one-time exclusive use)
- Revoking privilege from personal A-Accounts and replacing them with Pool-ID accounts
- RDP access is recorded by Privileged Session Manager (PSM)
- Action Items:
  - Onboard Windows local administrators into CyberArk
  - Define the functional group by expertise, system access, or organizational group
  - Create an elevated AD user, Platforms, and Safes in CyberArk
  - Revoke the elevated privilege from the personal account, and enforce access via PSM
  - Block direct access to the target servers from the team workstations in the firewall