How to Fight Against Shadow Admin?


When it comes to privileged accounts, traceability is essential, but it is sometimes undermined by the use of shadow admin accounts. For the information system to be effectively protected, this traceability, together with the real-time or a posteriori control of the administration actions permitted by the PAM (Privileged Access Management) solution, must be exhaustive.

What Is Shadow Admin?

Shadow admin refers to administration accounts that are operational but not inventoried, and therefore untraceable. Any access through this type of account is invisible to the organization, so no control, whether in real time or a posteriori, can be exercised over it. These accounts are often created by legitimate administrators who already hold an official account but who, to save time, create a parallel administration account rather than request additional authorizations.

These administration accounts can also be created by mistake by those same administrators and never used afterwards. In some cases they are created by malicious users who have managed to gain access to a privileged account and then create a shadow admin account, allowing them to stay under the radar of the target organization.

What Are the Risks?

The risks of shadow admin stem both from a legitimate administrator who has created an untraceable administration account and from an illegitimate user who has gained access to one. Such accounts are prime targets for cyber attackers, given the wide room for maneuver they provide in complete discretion.

The first major risk of shadow admin is data leakage. Since these accounts are not traceable, the holder of the account can retrieve potentially sensitive and confidential data without being detected. If the untraceable administration account is controlled by a cyber attacker, they can go further and, for example, spread ransomware throughout the target organization's information system.

Another risk, which may seem less significant at first glance, is that of a wrong manipulation: a human error in the administration actions performed with this account. Because of the lack of traceability and the impossibility of reviewing the session's actions afterwards, it is much harder for the organization to identify and correct the faulty action.

How to Counter Shadow Admin?

To counter shadow admin, PAM solutions offer an account discovery feature that scans the administration network on a regular basis to detect all administration accounts, including shadow admin accounts, so that each one can either be reintegrated into the list of official accounts (and placed under the PAM's control and traceability mechanisms) or deleted.

This account discovery feature is essential for large organizations, given the substantial turnover of privileged users they have to manage: the arrival and departure of these users, changes of position, and the involvement of external service providers to whom the organization grants privileged access.
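As an added illustration of the reconciliation step that account discovery performs (example code written for this article, not Systancia Cleanroom's implementation), the script below compares a constructed scan of privileged-group memberships against a constructed list of PAM-managed accounts and decides, for each shadow admin, whether to onboard it or delete it. The group names, account names and the 90-day inactivity threshold are assumptions.

```python
"""Reconcile a privileged-account discovery scan with the PAM inventory.

Added example, not Systancia code: the scan result, the inventory and the
privileged-group names are constructed sample data. A real discovery feature
would pull them from directory queries and the PAM vault. Any account that
holds admin rights but is absent from the inventory is a shadow admin.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Administrators", "sudo"})


@dataclass(frozen=True)
class DiscoveredAccount:
    name: str
    groups: frozenset
    last_logon: Optional[datetime]  # None: the account has never been used


# Accounts the PAM already vaults and proxies, i.e. the "official" list.
MANAGED = {"adm-alice", "adm-bob", "svc-backup"}

# Constructed output of one sweep of the administration network.
SCAN_TIME = datetime(2024, 3, 1)
SCAN = [
    DiscoveredAccount("adm-alice", frozenset({"Domain Admins"}), datetime(2024, 2, 28)),
    DiscoveredAccount("alice2", frozenset({"Domain Admins"}), datetime(2024, 2, 27)),
    DiscoveredAccount("tmp-admin", frozenset({"Administrators"}), None),
    DiscoveredAccount("old-svc", frozenset({"sudo"}), datetime(2023, 10, 1)),
    DiscoveredAccount("jdoe", frozenset({"Domain Users"}), datetime(2024, 2, 29)),
    DiscoveredAccount("svc-backup", frozenset({"sudo"}), datetime(2024, 2, 29)),
]


def find_shadow_admins(scan, managed, now, unused_after=timedelta(days=90)):
    """Return (name, reason, action) for every privileged account outside the PAM."""
    findings = []
    for acct in scan:
        if not (acct.groups & PRIVILEGED_GROUPS) or acct.name in managed:
            continue  # no admin rights, or already traceable through the PAM
        if acct.last_logon is None or now - acct.last_logon > unused_after:
            # Created by mistake or abandoned: nobody legitimately depends on it.
            findings.append((acct.name, "privileged account never or no longer used", "delete"))
        else:
            # In active use outside the PAM: make it official so its sessions get traced.
            findings.append((acct.name, "privileged account in active use outside PAM", "onboard into PAM"))
    return findings


def report():
    """Run the reconciliation on the constructed scan."""
    return find_shadow_admins(SCAN, MANAGED, SCAN_TIME)
```

The "onboard" finding is the parallel account an administrator created to go faster; the two "delete" findings are the forgotten or never-used accounts the article describes.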

Integrated into Systancia Cleanroom, Systancia's PAM solution, the account discovery feature makes it possible to counter shadow admin and all its associated risks in a simple and effective way.