Financial organizations rely on privileged accounts to enable authorized users to perform their duties with little to no direct oversight or technical control of their actions. Companies have difficulty managing these accounts, which in turn exposes the business to significant risk. If used improperly, these accounts can cause substantial operational damage, including data theft, espionage, sabotage, or ransom. Malicious external actors can gain unauthorized access to privileged accounts through a variety of techniques, such as leveraging stolen credentials or social engineering schemes. In addition, there are rare instances of disgruntled employees who abuse their accounts, as well as honest employees who make mistakes. Misuse and mistakes can affect both high-value applications (e.g., payment systems) and core systems (e.g., human resources, database access, access control).
Managing privileged accounts is an important, yet complicated, task. Financial institutions often operate highly complex infrastructure and disparate systems that run on multiple operating systems. Managing and controlling access to these privileged accounts is further complicated by the significant pace of workforce and responsibility changes over time. Lastly, changes made at a system level can be used to bypass controls, to hide activity, and to cause financial institutions to breach their stringent reporting and compliance requirements.
Privileged Account Management for the Financial Services Sector
Privileged Account Management (PAM) is a domain within identity and access management (IdAM) that focuses on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts. These powerful accounts provide elevated, often nonrestricted, access to the underlying IT resources and technology, which is why external and internal malicious actors seek to gain access to them. Hence, it is critical to monitor, audit, control, and manage privileged account usage. Many organizations, including financial sector companies, face challenges in managing privileged accounts.
The NCCoE, in collaboration with experts from the financial services sector and technology vendors, developed a PAM system that controls, monitors, logs, and alerts on the use of privileged accounts. The example implementation highlights how organizations can add a security layer between users and the privileged accounts they access. This guide outlines the practical steps to secure privileged accounts in your organization.
The goal of this project is to demonstrate a PAM capability that effectively protects, monitors, and manages privileged account access, including life-cycle management, authentication, authorization, auditing, and access controls.
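To make the "security layer between users and the privileged accounts they access" concrete, the following is an added illustration (not the NCCoE build or any vendor's product) of a minimal broker that authorizes a time-boxed check-out, records every privileged command, and alerts on expired leases and on emergency-account use. The roles, account names, users and policy are constructed for the example.

```python
# Added example, not the NCCoE build: the policy, accounts and users below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

POLICY = {  # which role may check out which privileged account, and for how long
    "dba": {"accounts": {"oracle_sys"}, "max_minutes": 60},
    "sysadmin": {"accounts": {"root_core01", "domain_admin"}, "max_minutes": 30},
}
EMERGENCY_ACCOUNTS = {"break_glass_admin"}  # emergency accounts: every use raises an alert

@dataclass
class Broker:
    audit: list = field(default_factory=list)   # every decision and command is recorded
    alerts: list = field(default_factory=list)  # events an analyst should review
    leases: dict = field(default_factory=dict)  # token -> (user, account, expiry)

    def _log(self, now, event, **fields):
        self.audit.append({"ts": now.isoformat(), "event": event, **fields})

    def checkout(self, user, role, account, reason, now):
        # Authorize a time-boxed lease on a privileged account; returns None if denied.
        if account in EMERGENCY_ACCOUNTS:
            self.alerts.append(f"{user} checked out emergency account {account}: {reason}")
            minutes = 15
        else:
            rule = POLICY.get(role)
            if rule is None or account not in rule["accounts"]:
                self._log(now, "checkout_denied", user=user, role=role, account=account)
                return None
            minutes = rule["max_minutes"]
        token = secrets.token_hex(8)  # stands in for the brokered session credential
        self.leases[token] = (user, account, now + timedelta(minutes=minutes))
        self._log(now, "checkout", user=user, account=account, reason=reason, ttl_min=minutes)
        return token

    def run(self, token, command, now):
        # Record a privileged command; reject and alert if the lease is missing or expired.
        lease = self.leases.get(token)
        if lease is None or now > lease[2]:
            self.alerts.append(f"command with invalid or expired lease: {command}")
            return False
        self._log(now, "command", user=lease[0], account=lease[1], command=command)
        return True

def demo():
    # Walk a few sessions through the broker with fixed timestamps; returns the broker.
    b, t0 = Broker(), datetime(2024, 1, 15, 9, 0)
    tok = b.checkout("alice", "dba", "oracle_sys", "change ticket 4711", t0)
    b.run(tok, "ALTER USER app_svc ACCOUNT UNLOCK", t0 + timedelta(minutes=5))
    b.run(tok, "DROP TABLE audit_log", t0 + timedelta(minutes=90))   # after the 60-minute lease
    b.checkout("bob", "dba", "domain_admin", "no ticket", t0)        # not permitted for a dba
    b.checkout("bob", "sysadmin", "break_glass_admin", "incident 12", t0)
    return b
```

In a production deployment the broker would also rotate the account's credential at check-in and forward the audit and alert streams to the SIEM, which this sketch leaves out.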