Privileged accounts can be an open door to key assets

April 25, 2016
How to adopt a privileged accounts management strategy that is not breach driven

Editor's note: This article is the first in an occasional feature series from Dell Security's Bill Evans on managing privileged accounts within organizations.  

Organizations are accustomed to concentrating their identity and access management initiatives on granting, maintaining, controlling and governing end-user access to critical business resources. But, too often, they lose sight of applying that same level of due diligence to privileged accounts -- one of their most business-critical assets. Privileged accounts provide unlimited access to systems and data, making them desirable to hackers. Failure to properly manage privileged accounts is an open invitation to a serious breach.

What is privileged account management?

Privileged account management (PAM) ‒ sometimes called privileged identity management or privileged access management ‒ focuses on controlling and auditing access to administrative, or privileged, accounts. These accounts have the rights necessary to perform administrative tasks such as setting up an account, resetting someone’s password or installing software updates. Yet, managing them can have its own set of challenges.

Challenges with privileged accounts

First, there are many privileged accounts across the organization. They provide access to nearly every piece of infrastructure and every digital resource within the environment, including firewalls, databases, routers, switches, mainframes and all the applications that run on them. Secondly, because there are lots of individuals within the organization who need access to these accounts ‒ administrators, helpdesk associates, developers, vendors, and even applications and scripts ‒ the typical result is that many passwords are floating around and being shared.

Therein lies the problem. 

Because these accounts are shared, they lack individual accountability, which means it’s nearly impossible to know what any particular administrator does with a privileged account. The danger can come from either disgruntled employees or cyber criminals who hack into a privileged account. Not only is there no sure way to determine who is to blame when damage occurs to a privileged account shared by so many different administrators, but those intent on making mischief can also edit logs or cover their tracks in other ways.

How to adopt a successful approach to privileged account management that is not "breach driven"

We can’t live without privileged accounts. IT staff ‒ including contractors and vendors ‒ must have enough access to the systems they manage to do their jobs. But, as a prime source of security breaches both deliberate and unintentional, privileged accounts present a big problem. Organizations need to stay out in front of the security risks they present by adopting a proactive strategy for privileged account management, rather than a “come-from-behind” reactive strategy that's breach driven. Any remedy must eliminate the risks inherent in privileged accounts without undermining the IT staff’s ability to do its job. To effectively manage privileged accounts, start with a project plan that outlines a three-step approach to securing privileged access. If each process is adopted by the organization and becomes “routine procedure,” you are safeguarding your privileged accounts against even the most creative threat vectors trying to access your network.  

Create a strategic plan: With shrinking budgets and never-ending projects, time and money to research, test and implement different ways to solve your problems with privileged accounts are limited. Solving the problems correctly the first time is critical to ensuring the success of the project, and that’s why it’s very important to have a plan. By taking the time up front to create a strategic plan to deal with privileged accounts, you can eliminate a lot of roadblocks and missteps along the way, saving yourself both time and money. With a plan in place, you will be able to more effectively evaluate vendors and solutions to help solve your challenges with privileged accounts.

The strategic plan should identify all key business stakeholders affected by or involved in the effort, and articulate each group’s area of responsibility to ensure the plan is successfully executed. Most importantly, you will need to learn the roles and responsibilities of the users in your organization who need access to privileged accounts.

Determine requirements for roles and responsibilities: After you have determined the roles and responsibilities for those who need access to privileged accounts, it’s time to determine the requirements for each. To help determine these requirements, you should document a set of use cases that track a user-account lifespan, from provisioning to de-provisioning. Some examples include:

  • On-boarding a new user
          o   How is access granted?
          o   Where (which systems) is that user information entered and stored?
  • A role change within the organization
          o   How are the new access requirements determined and provisioned?
          o   How are the old access requirements de-provisioned?
  • Attestation/recertification of access
          o   How are access rights periodically reviewed for accuracy?
  • De-provisioning a user
          o   Who initiates the de-provisioning process?
          o   Who ensures the de-provisioning process has occurred?

Going through these exercises enables the business to do two things critical to building a strong PAM strategy: determine key stakeholders, and identify real-world requirements on which to build your PAM project.

Three steps to securely managing privileged accounts

After you have documented your plan, several key controls need to be put in place to secure privileged accounts. First, lock down access so that only those who need it have it. When they do need access, provide it in a secure and efficient manner. Secondly, implement least-privilege access, so users have access to only what they need ‒ no more and no less. Finally, you need to log and monitor all privileged account activity. Watch for the next article in this series, where we will take a deeper look at these three steps.

About the Author:

Bill Evans is the senior director of product marketing for the Identity and Access Management businesses within Dell Security. In this role, Bill drives the strategic direction for the team which includes setting product and solution positioning, creating the global direction for demand gen and other sales support efforts as well as providing content for sales enablement activities.

Prior to his current role, Bill served as product marketing director for Dell’s Windows and SharePoint businesses as well as general manager of the SharePoint and Notes transition business unit at Quest Software.  He joined Quest in 2004 with the acquisition of Aelita Software. 

With more than 18 years of experience as a product and marketing manager for various IT solution providers, Bill has a wealth of experience in the creation and positioning of software products targeting specific IT pains.