With organisations recently coming to the IAM realisation, a lot of security budget dollars are now being poured into IAM solutions.
Despite the increased spend, organisations are still struggling to effectively manage administrative and service accounts – some of the most vital accounts an organisation has.
The obstacle for many companies is figuring out what to do with privileged identity management (PIM) and acknowledging that these accounts often hold the “keys to the kingdom” and need to be treated accordingly. A big part of the challenge is simply the way we think about it.
PIM is seen as a subcategory of identity management
A big issue for many companies has been securing privileged identities such as admin credentials, root accounts and enable accounts.
The issue is that privileged identity management is seen as a subcategory of identity management.
This has put it in competition for budget and resources with single sign on projects, multi-factor authentication roll outs, provisioning programs, and other items that are connected to end user security.
Being a subcategory of IAM also means that privileged identity is difficult to place into the models and approaches people use.
IAM seeks to have polices about people and lock down the point of access, but privileged access needs different controls.
While two factor authentication policies are great for securing end users, they don’t protect against accidental or malicious use of these powerful accounts.
People are simply too trusting of their administrators.
Recent headlines are saturated with examples of people who went from trusted employee to insider threat in the space of one misplaced comment or change in HR policy. And even if the insider means well, no one is perfect.
If everyone runs around with scissors, eventually someone’s going to put someone’s eye out.
The answer is to lock away the keys
Most think of administrators like the caretaker in a building walking around with all the keys on their belt, keys they can use whenever they want.
Administrators should be thought of more like security guards in a locked down facility where the keys aren’t on anyone’s belt. They live in a locked box in a locked room.
When someone needs a key they go through a sign out process, getting the key on a provisional basis. If that key isn’t back in the box at a specific time, the guard is going to go looking for it and the person who has it.
This is how privileged identity management should be applied, with all the credentials locked up in a secured library.
When they are needed, people and systems can check them out. Some maybe just require a simple log in to check out, maybe others require prior authorisation or approval steps.
Once the checkout expires, then the credential must be rotated.
The password must be changed, or the account swapped, or whatever makes sure that the access which was granted is now revoked. And that rotation is not just for checkouts.
The people who have the highest levels of security awareness are rotating their privileged identities aggressively all the time.
That helps protect against the “key on the floor” problem. You can’t stop Windows from keeping a copy of a ticket, but if you’re rotating that account aggressively then you’ll pull the rug out from under that bad guy who found it on the floor and tries to use it.
Not to mention that if you integrate the PIM system with your SIEM and analytics, you could know for sure that someone using that key right now is not using it in tandem with a valid checkout. That means they are doing something wrong and you need to stop them.
How to realign PIM with incident response
So if you are starting from scratch or trying to improve your current privilege approach, your best port of call would be to find your greatest administrator and talk to them.
This is not necessarily the security person or even that person in operations who is always talking about security. Find that one person everyone recognises as the one who knows it all and ask them how privilege is really used.
Have them map out how admins use it, where it’s used in automated systems like backups and updates, and all the likely surprising spots where your team has found to tuck away privileged identities to make all the IT magic happen smoothly.
That’s going to be your actual set of requirements. Starting from the idea that you should get a “vault” and build out from there is a broken mindset.
The problem is not the place you’ll put all these privileged identities, it’s how you’re going to get them integrated into your real processes and actual operations.
The privileged identity management problem isn’t all that different to all the other big challenges IT has taken on over the years.
It will take a deep understanding of the requirements and a commitment to a layered solution.
But if you start from the point of view of your fighter pilot level administrators and go after the use cases they think have the biggest risk impact, then you’re doing things right. If the system you build can knock over those big issues, then the simple stuff will be easy.
Sourced by Jonathan Sander, VP of product strategy at Lieberman Software