Intrinsic Risks of Standing Privileged Accounts

Bart Allan

February 17, 2021

Most organizations continue to employ user accounts that indefinitely retain elevated privileges, despite increasing evidence that utilizing standing privileged accounts is inherently insecure. A recent poll from Enterprise Management Associates (EMA), sponsored by Hitachi ID, demonstrates the staggering reality: Ninety-seven percent of survey respondents maintain at least some standing privileged accounts. These accounts are prime targets for hackers and other bad actors because they enable a single access point that completely bypasses security controls allowing unrestrained activities. Furthermore, the sheer number of types of standing privileged accounts also proliferates risk. 

Most Common, Most Dangerous

By far, the most prevalent standing privileged accounts are those created for specific IT administrators. While the argument can be made these admins may require standing privileged accounts to support management tasks, this does not account for the relatively high frequency of rarely used or completely unused standing privileged accounts. An issue among survey respondents, 28% reported they maintained rarely used accounts, while 69% noted the existence of never used accounts. 

It’s not hard to see how unused standing accounts pile up. Organizations often fail to deactivate default pre-installed OS standing accounts even after alternative privileged access has been enabled. This is particularly problematic since default OS standing accounts are always the first privileged accounts targeted by attackers because the account names are well known and very commonly in use. They often remain, however, because IT decision makers may simply want a failsafe method of privileged access or simply lack an understanding of the intrinsic dangers. 

The Evidence

The stats demonstrate the clear and present danger of OS standing privileged accounts. Among survey respondents that maintain these accounts, 77% reported they experienced a privileged access policy violation in the preceding year. By comparison, only about 59% of respondents that did not rely on default OS standing accounts experienced the same.

Given these results, it’s no surprise that there is a direct correlation between the use of standing privileged accounts and the perception that they’re an effective security method. This reality is because standing accounts can exist undiscovered indefinitely unless specifically investigated during an audit process. In contrast, non-standing privilege accounts must be authorized each time they are required for use, ensuring records retainment and user accountability.

The Solution

The remedy to this problem is the use of just-in-time (JIT) privileged access authorization technologies. JIT solutions authorize privileged access tasks for users that would otherwise not be allowed to do so and only elevate permissions for a predetermined time (after which the privileged authorization is rescinded). A new authorization process is required for any future privileged access activities. 

This authorization expiration demonstrated greater security, with 43% of organizations utilizing this ability experiencing no policy violations in the previous year vs. 13% without this capability. While this JIT methodology may sound laborious, implementing a self-service portal for requests can significantly reduce time-spent and security risk. 

Just in Time, Zero Trust

Moreover, just-in-time access adheres to the “principle of least privilege,” defining  policies that support “least privilege”  requirements on standing accounts and allowing access on a per-need basis. The system evaluates authorization every time before granting access. This dynamic and consistently enforced per-need approval is the basis of a Zero Trust framework. Hitachi ID Bravura Privilege is a reference level solution that can leverage just-in-time processes to eliminate the threat of standing privilege accounts while remaking your platform with a Zero Trust architecture, reducing management timelines and augmenting security.

Definitive Action, Just in Time

As organizations reconsider best practices for standing privilege accounts, it’s clear that careful consideration should be given to just-in-time and Zero Trust methods. These models address the intrinsic dangers that standing privilege accounts bring, as well as address ever-changing and challenging access frameworks. 

For more information on PAM best practices and key takeaways from EMA, you can access the full report here: Advancing Privileged Access Management (PAM) to Address Modern Business Requirements.