Privileged Account Management

Current Status

Seeking Feedback on Project Description

We are currently seeking feedback on a draft project description, Privileged Account Management: Securing Privileged Accounts for the Financial Services Sector.

The public comment period is now open and will close on November 13, 2017. Please submit your feedback.

Summary

The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to provide guidance on and demonstrate the secure usage and management of privileged accounts, also referred to as Privileged Account Management (PAM). This project will include the development of a reference design and use commercially available technologies to develop an example solution that will help financial sector companies implement stronger controls for privileged account security.

PAM is the aspect of identity and access management that addresses administrative accounts and users within an organization. Complex organizations, including financial services companies, face challenges managing privileged accounts. These challenges include:

  • controlling and monitoring (and auditing) use of these accounts
  • ensuring personal accountability among privileged users
  • enforcing least privilege and separation of duties policies

This is especially problematic because many privileged accounts provide the "keys to the kingdom" for attackers or malicious insiders: these accounts grant elevated, often unrestricted, access to corporate resources and critical systems (e.g., the "crown jewels"), beyond what a regular user would have. Past successful cyber-attacks have used privileged accounts to gain access to information or systems of interest, resulting in data breaches.

This project focuses on the control of privileged account use to enable organizations to enforce access policies for users without compromising their ability to perform job tasks. Improved control and management of privileged accounts can limit the access any single individual or malicious actor has to systems and data, thereby improving an organization’s cybersecurity posture. The scope of the project will include management and control of privileged accounts used to administer the IT infrastructure. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.
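As an added illustration of the three challenges listed in the summary (monitoring and auditing use, personal accountability, and least privilege with separation of duties), the following script audits a small set of privileged-session records of the kind a PAM vault would export. This is example code written for this page, not code from the NCCoE project or any vendor; the record schema, the list of shared accounts, the task-to-account policy table, and the sample records are all constructed for the example.

```python
"""Audit privileged-session records for three PAM gaps: unattributed use of
shared accounts, separation-of-duties violations, and use of an account with
more privilege than the task requires.

The record format and policy table are hypothetical, chosen for this example.
"""
from collections import defaultdict

# Constructed sample records (not real data). Each record is one check-out of
# a privileged account from a PAM vault.
SESSIONS = [
    {"id": 1, "account": "root", "host": "db01", "task": "patch-db",
     "requested_by": "alice", "approved_by": "bob"},
    {"id": 2, "account": "root", "host": "db02", "task": "patch-db",
     "requested_by": None, "approved_by": None},       # shared creds used directly
    {"id": 3, "account": "kms-admin", "host": "vault", "task": "rotate-keys",
     "requested_by": "carol", "approved_by": "carol"},  # self-approved
    {"id": 4, "account": "domain-admin", "host": "dc01", "task": "patch-db",
     "requested_by": "dave", "approved_by": "erin"},    # more privilege than needed
    {"id": 5, "account": "db-admin", "host": "db03", "task": "patch-db",
     "requested_by": "alice", "approved_by": "frank"},
]

# Accounts with no built-in personal identity (hypothetical list).
SHARED_ACCOUNTS = {"root", "Administrator", "domain-admin", "kms-admin"}

# Least-privilege policy: the accounts each task is allowed to use (hypothetical).
TASK_POLICY = {
    "patch-db": {"db-admin"},
    "rotate-keys": {"kms-admin"},
}


def unattributed_sessions(sessions):
    """Accountability: shared-account sessions with no named requester."""
    return [s["id"] for s in sessions
            if s["account"] in SHARED_ACCOUNTS and not s["requested_by"]]


def sod_violations(sessions):
    """Separation of duties: the requester approved their own elevation."""
    return [s["id"] for s in sessions
            if s["requested_by"] and s["requested_by"] == s["approved_by"]]


def excess_privilege(sessions, policy=TASK_POLICY):
    """Least privilege: the account used is not in the allowed set for the task.
    A task with no policy entry is flagged too, so unknown work cannot slip by."""
    flagged = []
    for s in sessions:
        allowed = policy.get(s["task"])
        if allowed is None or s["account"] not in allowed:
            flagged.append(s["id"])
    return flagged


def usage_by_person(sessions):
    """Monitoring/auditing: number of privileged sessions per named individual."""
    counts = defaultdict(int)
    for s in sessions:
        counts[s["requested_by"] or "<unattributed>"] += 1
    return dict(counts)


def audit(sessions):
    """Run every check and return the findings keyed by check name."""
    return {
        "unattributed": unattributed_sessions(sessions),
        "sod_violations": sod_violations(sessions),
        "excess_privilege": excess_privilege(sessions),
        "usage_by_person": usage_by_person(sessions),
    }


if __name__ == "__main__":
    for name, finding in audit(SESSIONS).items():
        print(f"{name}: {finding}")
```

Run against the constructed records, the script flags session 2 as unattributed, session 3 as a separation-of-duties violation, and sessions 1, 2 and 4 as using more privilege than the task policy allows; only session 5 passes every check. The same three functions can be pointed at a real export once the field names are mapped to the vault's own schema.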

Join Our Community of Interest

Interested in joining the Privileged Account Management Community of Interest? Contact us!

A Community of Interest is a group of professionals and technical advisors convened to support the cybersecurity resiliency of the U.S. economy.

News and Events