5 Keys to Addressing Privileged Access

Most security breaches require some form of privileged access to result in any serious damage being inflicted. You know you need a Privileged Access or Privileged Identity Management solution but don’t know where to start? Here are 5 keys to jump start your project and get you on your way to 1) reducing the cost of providing privileged access, 2) decreasing the risk of security incidents and 3) lowering the time it takes to grant privileged access:

1. Temporary vs. Permanent Privileged Access
Some employees use privileged access every day, all day in order to perform their daily job responsibilities. Others only need temporary privileged access to perform a project, incident or change management activity. Should you treat both of these groups the same? Some factors to consider are:

Historical risk – past audit issues with either group
Size of each user population – are there many more temporary access users
User type – are there more internal vs. external users in either user population

2. Resource Classification
Have you classified your privileged access endpoints into tiers that could be used to determine the rigor required to provide privileged access? A typical organization will have hundreds or thousands of endpoints that need to be defined in the Privileged Access solution. Defining tiers of resources will help to prioritize deployment and map the appropriate workflow around the privileged access request process. Some recommended tiers are:

Tier 1 – resources that drive financial reporting to auditors or regulatory agencies
Tier 2 – resources that are mission critical to company operations
Tier 3 – resources that contain very sensitive personally identifiable information

All other endpoints should be ignored until these prioritized resources are addressed.

3. Authoritative Source for Check-Out / Check-In
Do you have an authoritative source that can be used to drive check-in and check-out of privileged credentials? This is the most important component to making the privileged access workflow a smooth and natural process for the end users. The most common authoritative source is an IT Service Desk System used for request, incident & change control tracking. The presence of an open ticket assigned to the protected resource both automates the check-in/check-out process and restricts who can request privileged access at the same time.

4. Automated Provisioning
Delivering privileged access efficiently requires an automated mechanism to update the account password or entitlements. Integrating the privileged access solution with an existing identity management system is a key consideration. The identity management system has connectors deployed for the protected resources which will allow:

Self Service – to request privileged access
Workflow – to automate the check-in/check-out process
Account Updates – to grant/remove privileged access
Recertification – to drive audit & verification of users with privileged access

5. Privileged Roles
Knowing which groups of privileged users are entitled to request privileged access to various groups of protected resources is an important aspect in providing a privileged access solution. Having these roles defined ahead of time and mapped to the appropriate resources can dramatically reduce the time it takes to deliver a solution. Some common privileged access roles are:

Server Administrators – to grant server admin access
Database Administrators – to grant database admin access
Application Administrators – to grant application admin access
Security Administrators – to grant security admin access
Desktop Administrators – to grant desktop/laptop admin access

Getting a handle on these topics will allow you to jump start your Privileged Access implementation and get you well on your way to a more secure environment that provides a seamless end user experience for your administrators.