5 Keys to Addressing Privileged Access
Most security breaches require some form of privileged access to result in any serious damage being inflicted. You know you need a Privileged Access or Privileged Identity Management solution but don’t know where to start? Here are 5 keys to jump start your project and get you on your way to 1) reducing the cost of providing privileged access, 2) decreasing the risk of security incidents and 3) lowering the time it takes to grant privileged access:
1. Temporary vs. Permanent Privileged Access
Some employees use privileged access every day, all day in order to perform their daily job responsibilities. Others only need temporary privileged access to perform a project, incident or change management activity. Should you treat both of these groups the same? Some factors to consider are:
• Historical risk – past audit issues with either group
• Size of each user population – are there many more temporary-access users than permanent ones?
• User type – how many users in each population are internal versus external?
2. Resource Classification
Have you classified your privileged access endpoints into tiers that could be used to determine the rigor required to provide privileged access? A typical organization will have hundreds or thousands of endpoints that need to be defined in the Privileged Access solution. Defining tiers of resources will help to prioritize deployment and map the appropriate workflow around the privileged access request process. Some recommended tiers are:
• Tier 1 – resources that drive financial reporting to auditors or regulatory agencies
• Tier 2 – resources that are mission critical to company operations
• Tier 3 – resources that contain very sensitive personally identifiable information
All other endpoints should be ignored until these prioritized resources are addressed.
3. Authoritative Source for Check-Out / Check-In
Do you have an authoritative source that can be used to drive check-in and check-out of privileged credentials? This is the most important component in making the privileged access workflow a smooth and natural process for the end users. The most common authoritative source is an IT Service Desk system used for request, incident and change control tracking. The presence of an open ticket assigned to the protected resource both automates the check-in/check-out process and restricts who can request privileged access.
4. Automated Provisioning
Delivering privileged access efficiently requires an automated mechanism to update the account password or entitlements. Integrating the privileged access solution with an existing identity management system is a key consideration. The identity management system already has connectors deployed for the protected resources, which allow:
• Self Service – to request privileged access
• Workflow – to automate the check-in/check-out process
• Account Updates – to grant/remove privileged access
• Recertification – to drive audit & verification of users with privileged access
5. Privileged Roles
Knowing which groups of privileged users are entitled to request privileged access to various groups of protected resources is an important aspect in providing a privileged access solution. Having these roles defined ahead of time and mapped to the appropriate resources can dramatically reduce the time it takes to deliver a solution. Some common privileged access roles are:
• Server Administrators – to grant server admin access
• Database Administrators – to grant database admin access
• Application Administrators – to grant application admin access
• Security Administrators – to grant security admin access
• Desktop Administrators – to grant desktop/laptop admin access
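As an added illustration (not from the original post or any particular product), the following Python model ties together the resource tiers of section 2, the ticket-driven check-out/check-in of section 3 and the privileged roles of section 5: a credential may be checked out only when the resource is tiered, the requester holds a role covering that kind of resource, and an open Service Desk ticket assigned to the requester names the resource; closing the ticket drives the check-in. The role-to-resource-kind mapping and the ticket types accepted per tier are assumptions for the example, not something the post prescribes.

```python
from dataclasses import dataclass

# Tiers defined in the post; anything not yet tiered is out of scope for now.
IN_SCOPE_TIERS = {1, 2, 3}

# Assumed mapping of the post's privileged roles to the kind of resource they cover.
ROLE_TO_KIND = {
    "server_admin": "server",
    "database_admin": "database",
    "application_admin": "application",
    "security_admin": "security",
    "desktop_admin": "desktop",
}

# Assumed rigor per tier: which Service Desk ticket types may drive a check-out.
TICKET_TYPES_BY_TIER = {
    1: {"change"},                       # Tier 1: change control only
    2: {"change", "incident"},
    3: {"change", "incident", "request"},
}

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str
    tier: int            # 1..3 per the post; any other value = not yet tiered

@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    ticket_type: str     # "change", "incident" or "request"
    resource: str        # protected resource the ticket is assigned to
    assignee: str
    is_open: bool

def checkout_decision(user, roles, resource, tickets):
    """Decide whether `user` may check out the privileged credential for `resource`."""
    if resource.tier not in IN_SCOPE_TIERS:
        return False, "resource not yet tiered; out of scope"
    if resource.kind not in {ROLE_TO_KIND.get(r) for r in roles}:
        return False, "no privileged role covers this resource"
    for t in tickets:
        if t.is_open and t.resource == resource.name and t.assignee == user:
            if t.ticket_type in TICKET_TYPES_BY_TIER[resource.tier]:
                return True, f"driven by {t.ticket_type} ticket {t.ticket_id}"
            return False, f"{t.ticket_type} ticket not accepted for tier {resource.tier}"
    return False, "no open ticket assigned to this user for this resource"

def checkins_due(checkouts, tickets):
    """Return (user, ticket_id, resource) check-outs whose ticket has closed: check them in."""
    open_ids = {t.ticket_id for t in tickets if t.is_open}
    return [c for c in checkouts if c[1] not in open_ids]
```

Running `checkins_due` on a schedule against the ticket system is the automated check-in the post describes; the sample ticket and resource values in any call are constructed for illustration.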
Getting a handle on these topics will allow you to jump start your Privileged Access implementation and get you well on your way to a more secure environment that provides a seamless end user experience for your administrators.