The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to provide guidance on and demonstrate the secure usage and management of privileged accounts, also referred to as Privileged Account Management (PAM). This project will include the development of a reference design and use commercially available technologies to develop an example solution that will help financial sector companies implement stronger controls for privileged account security.
PAM is the aspect of identity and access management that addresses administrative accounts/users within an organization. Complex organizations, including financial services companies, face challenges managing privileged accounts. These challenges include:
- controlling and monitoring (and auditing) use of these accounts
- ensuring personal accountability among privileged users
- enforcing least privilege and separation of duties policies
This is especially problematic because many privileged accounts are the “keys to the kingdom” for attackers or malicious insiders: they provide elevated, often unrestricted, access to corporate resources and critical systems (e.g., “crown jewels”), beyond what a regular user would have. Past successful cyber-attacks have made use of privileged accounts to gain access to information or systems of interest, resulting in data breaches.
This project focuses on the control of privileged account use to enable organizations to enforce access policies for users without compromising their ability to perform job tasks. Improved control and management of privileged accounts can limit the access any single individual or malicious actor has to systems and data, thereby improving an organization’s cybersecurity posture. The scope of the project will include management and control of privileged accounts used to administer the IT infrastructure. It will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps required to implement a cybersecurity reference design that addresses this challenge.