Why Migrate from Shared Accounts to the Dual Account Model?

prabu jitu

Managing privileged accounts is a lot of work. In the old days everyone knew the password of the root and administrator accounts and logged on as such whenever they needed to get some work done. But that introduces all kinds of risks and problems including:

  • Keeping track of who knows each password
  • Handling password change and distribution when someone is terminated or changes jobs
  • Keeping passwords secret when that many people know them
  • Accountability between admins

So, to deal with that, best practice dictated that we stop using built-in accounts like root and administrator and instead give admin authority to each administrator, using their own personal account.

That led to other problems, because admins do a lot of work (like everyone else) that doesn’t require admin authority. And those activities (e.g. web browsing, email, opening documents) are dangerous no matter what, and even more so if you are logged in with unnecessary privilege.

So best practice came to dictate that each admin have two accounts: one with normal end-user authority and the other privileged. The unprivileged account is used for everything by default, and the privileged account only to perform actions requiring that authority level. Rather than logging in and out all day, we encouraged admins to use tools like RunAs on Windows and different ssh client sessions or su/sudo on Linux.

But as attackers became more focused on the endpoint and developed more effective ways to harvest credential artifacts (think pass-the-hash, Mimikatz), it became clear that more separation was needed than simply different accounts. Endpoints likewise need to be kept separate between end-user and privileged activities.

All of these factors really combined to make privileged account and session management (PAM/PSM) technology a requirement for enterprise security. PAM & PSM though make it easy to securely share built-in accounts like root and administrator. This is valuable for 2 reasons:

  • facilitates secure administration of systems and devices that don’t support individual admin accounts
  • allows fast and easy implementation because you can quickly provision devices with their built-in admin account and then simply entitle the appropriate admins with access

Companies need to explore all the different methods of privileged account management and understand why it’s so important to reach the top of the maturity model: dual accounts for each admin with full attribution across the entire stack of logs.
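
What attribution across logs looks like on a Linux host, as an added example that is not part of the original article: it separates sudo actions that trace back to a named admin from direct logons to a shared built-in account, which carry no person's name. The `-adm` suffix for privileged personal accounts, the host name, the addresses and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

SHARED_ACCOUNTS = {"root", "administrator"}  # built-in accounts named in the article
ADMIN_SUFFIX = "-adm"  # assumed naming convention for each admin's privileged account

SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_CMD = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

# Constructed sample lines in OpenSSH/sudo syslog format (not from a real system).
SAMPLE_LOG = """\
Mar  4 09:12:01 web01 sshd[2210]: Accepted password for root from 10.0.0.15 port 50122 ssh2
Mar  4 09:14:37 web01 sshd[2251]: Accepted publickey for alice-adm from 10.0.0.21 port 50410 ssh2
Mar  4 09:15:02 web01 sudo: alice-adm : TTY=pts/1 ; PWD=/home/alice-adm ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 10:03:44 web01 sshd[2390]: Accepted password for root from 10.0.0.15 port 50988 ssh2
Mar  4 10:20:10 web01 sudo:   bob-adm : TTY=pts/2 ; PWD=/home/bob-adm ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
"""

def owner_of(account):
    """Return the person behind an account, or None if it is a shared built-in."""
    if account.lower() in SHARED_ACCOUNTS:
        return None
    return account[:-len(ADMIN_SUFFIX)] if account.endswith(ADMIN_SUFFIX) else account

def attribute(log_text):
    """Split privileged activity into per-person actions and unattributable events."""
    attributed, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        if m := SSH_LOGIN.search(line):
            if owner_of(m["user"]) is None:  # direct logon to a shared account
                unattributed.append((m["user"], m["src"]))
        elif (m := SUDO_CMD.search(line)) and m["target"].lower() in SHARED_ACCOUNTS:
            person = owner_of(m["user"])
            if person is None:  # root invoking sudo: still nobody's name on it
                unattributed.append((m["user"], m["cmd"]))
            else:
                attributed[person].append((m["user"], m["cmd"]))
    return dict(attributed), unattributed

if __name__ == "__main__":
    by_person, orphaned = attribute(SAMPLE_LOG)
    for person, actions in by_person.items():
        for account, cmd in actions:
            print(f"{person} (via {account}) ran as root: {cmd}")
    for account, detail in orphaned:
        print(f"UNATTRIBUTED: {account} <- {detail}")
```

On the sample, the two root logons from the same address cannot be tied to anyone, while every sudo command resolves to alice or bob.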

BeyondTrust PowerBroker Password Safe and CyberArk Privileged Access Solutions have the framework and relevant integrations to achieve this Dual Account Model without all the provisioning and maintenance burdens commonly associated with privileged accounts.