4 Best Practices for Privileged Access Management

Start implementing Privileged Access Management Best Practices in a manageable, incremental fashion.

privileged access managementNo IT leader responsible for security ever wants to draw a blank on the question of who has access to what. However, most organizations don’t know exactly who is, and who isn’t a privileged user. A privileged user is someone who can make administrative changes to critical systems. For example, a privileged user can set up and delete email accounts or access secure databases.

Privileged user accounts are broadly classified in three basic categories:

  • Administrative accounts: A personal user account that is assigned to a system administrator with access to all standard user and privileged operations.
  • System accounts: These are built into systems or applications, such as root on Unix/Linux systems or Administrator on Windows systems.
  • Operational accounts: This type of account falls into two subcategories and may have elevated privileges: Shared accounts set up to be used for administration and software installation, not created for any individual user, but meant to be shared. In many cases, these accounts are used to install software. They may also include emergency accounts, often known as “firecall” or “break-glass” accounts, used in the event of an emergency that requires privileged access on a temporary basis.
  • Service accounts or application accounts that are used to allow remote (software-to-software) interactions with other systems, or to run system services.

With all this power, its important to maintain consistency in privileged access management. Here are 4 Best Practices we recommend for privileged access management.

1. Keep an Inventory of Privileged Accounts

Yes, this is a bit of a pain, especially if you have to do it manually. But it’s the best place to start when it comes to mitigating risk. It is a security best practice to frequently scan your infrastructure to discover any new accounts introduced with excess privileges. This becomes even more important for dynamic environments that change rapidly, such as those using virtualization on a large scale, or hybrid IT environments that include cloud infrastructure. Organizations should consider using  autodiscovery features offered by privileged access management tools like BeyondTrust to enable automated discovery of accounts across the range of infrastructure.

2. Start Caring About Sharing

Shared privileged accounts are in just about every enterprise IT environment and can pose a significant risk of accidental and deliberate data compromises. Routinely sharing superuser account passwords dramatically increases the risk that a password may become known outside the intended groups. The golden rule is that shared-account passwords must not themselves be shared. Sharing passwords, even among approved users, severely erodes personal accountability; this is a security best practice and demanded by regulatory compliance. We recommend passwords for shared accounts are known to only one approved person at any one time.  In general, the fewer shared privileged accounts the better. Even with best-practice processes and controls in place, too many accounts are as much an audit risk as they are a risk of breach.

3. You Gotta Keep ‘Em Separated

Yes, that was a reference to one of the more annoying hit songs of the 90s, but the sentiment is important in the context of privileged access management. Consider implementing a “separation of duties” (SOD) model to grant and restrict superuser administrative privileges. This model allows splitting up required privileges for a specific task or role among multiple administrators. It also ensures that administrators do not have conflicting permissions.

4. Periodically Validate Privileged Accounts

Standard user accounts are subject to auditing and usage validation- so should privileged accounts. Consider performing periodic access certification campaigns for privileged accounts to ensure that account owners certify that the account is still needed, that account privileges are scoped properly, and that access to the accounts is properly controlled.


As always, the challenge with privileged access management is balancing the mix of security and productivity; giving people the ability to do their jobs while managing the risk associated with elevated access. We recommend implementing these tangible best practices as a simple way to get started.