NIST on Privileged Access Management: Secure the Keys to your Kingdom

Two people looking at a desktop computer

In any business, there’s individual contributors, managers and leadership. The bigger the organization you have, the more layers you have between the individual employee and executive leadership. This distinction applies to access and credentials as well. Some employees and leaders may have access to specific data sets, others may not, and the levels of access rights can even vary by team and hierarchy throughout the company.

As you can see, access can get complicated quickly, especially when you’re dealing with highly sensitive data in matrixed organizations. Privileged access management (PAM) technologies are designed to simplify the access management for privileged accounts to ensure that only designated users are able to access the company’s most sensitive data. The solutions do this through password vaulting, recording and auditing privileged sessions, and managing access to privileged accounts to name a few functionalities.

However, privileged accounts are also referred to as “the keys to the kingdom” because they are an ideal target for cybercriminals. The executive leadership team is one example of a privileged account, as they have the highest levels of access in the enterprise. As a result, the privileged accounts require the highest levels of security as well.

The Privileged Account Management for the Financial Services Sector Report

The National Cybersecurity Center of Excellence, a part of The National Institute of Standards and Technology (NIST), recently published a draft version of the Privileged Account Management for the Financial Services Sector report with new guidelines aimed to increase the security of privileged accounts. Among those guidelines were password management practices, which included:

  • PC.Am.B.3: Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls).
  • PC.Am.B.7: Access controls include password complexity and limits to password attempts and reuse.

NIST also included a variety of secure password management scenarios in the report spanning not displaying passwords to users, to changing passwords after each privileged session as security recommendations.

Strengthening Privileged Access Management Through Secure Password Management

NIST’s recommendations for increasing privileged access security through strong password management practices are spot on. Passwords, if not managed securely, can open the risk of exposing sensitive business data. And when dealing with privileged accounts especially, the risk of exposing that data can be detrimental to the business.

The report also calls out enterprise password managers as a way to enhance the security of privileged accounts. Our recent Global Password Security Report even found that when businesses first invest in password management, they have a Security Score of 26/100. After the first year alone of leveraging an enterprise password manager, the average Security Score increased by 15 points.

Recommendations for Managing Privileged Credentials with LastPass

Investing in password management won’t only help increase security, for privileged accounts or otherwise, but can also make the NIST’s password recommendations a little easier. Here are a few ways LastPass can help manage privileged credentials:

  • Shared Folders: LastPass offers you the option to securely share folders among your teams. You can store privileged credentials in a Shared Folder within your Vault and only share the folder with necessary users at the time they need privileged access. You can even customize the sharing permissions such as hiding the passwords on a folder, group, or individual basis in addition to restricting access at the site level, per user, even in the same Shared Folder. The Shared Folder functionality helps ensure that only the right users have the right access.
  • Role-Based Permissions: LastPass includes 4 levels of user roles including Users, Helpdesk Admin, Admin, and Super Admin to distinguish between the different levels of access across your organization. As an administrator of LastPass, you will be able to assign each of your users to one of these roles. Each role has its own level of access, so for users in your organization who require privileged access, you have the option to assign them to a role with higher access, such as an Admin role. In addition, you can customize the roles to offer a specific privileged credential to a certain user without giving them access to every single privileged credential stored in your vault.
  • Password Rotation: LastPass also enables you to rotate passwords via the command line application. Leveraging the terminal on Mac, Linux and Windows using Cygwin, you can access, add, modify and delete entries in your Vault all on the terminal.

LastPass can help make NIST’s password management recommendations for securing privileged accounts a reality. All in LastPass, you can implement stronger password controls, hide passwords when sharing with users, receive insights on password reuse within your organization, implement role-based permissions and more all to secure the “keys to your kingdom.”