1 Introduction
Digital identity is a primary vector of attack in nearly all the headline-grabbing data breaches of the last few years. Bad actors, such as fraudsters, state agents, and even malicious insiders or contractors, start by getting access to user accounts, then searching for administrative or service accounts to take over in order to exploit the elevated privileges that they possess. Whether the attackers’ goal is stealing credit card information, health records, or intellectual property, their Techniques, Tactics, and Procedures (TTPs) almost always include capturing and using privileged accounts.
Regulatory compliance is another factor driving adoption of privilege management solutions. For example, in Germany, the “IT-Sicherheitsgesetz” (IT Security Law) requires critical infrastructure operators to adopt a stronger security posture and report security incidents to the government. In the US, federal laws such as Sarbanes-Oxley mandate separation of duties.
Privilege management solutions help organizations meet these requirements. This makes Privilege Management a key concept and mandatory component of modern identity management and cybersecurity architectures.
Historically, internal IT staff such as system and database administrators have been the target of privilege management solutions. With the increased utilization of cloud and external services, organizations are finding that other users and groups need to be covered by the privilege management system. If IT operations are outsourced, the accounts used by Managed Service
Providers (MSPs) need to controlled and monitored. Cloud services, particularly SaaS, are often engaged and maintained by personnel outside of IT departments. These SaaS administrative accounts have access to sensitive data, and thus must be controlled and audited by the privilege management solution as well.
Passwords are still an all-too-common authentication method for getting access to user, group, shared, administrative, and service accounts even today. Managing passwords securely has
never been more important. Most privilege management systems today tackle the password problem by automatically changing the passwords periodically, consolidating administrative users into fewer accounts, providing password check-out and check-in capabilities, creating normal-user to administrative-user mappings, and time-limiting privilege usage.
Privilege management solutions also generally provide extensive auditing capabilities over the usage of administrative, group, shared, and service accounts. In these cases, auditing on these sensitive accounts goes above and beyond typical logging to include command recording and even screen (“video”) recording of the administrative user’s actions for later review. Privilege management systems may also allow definition of administrative approval workflows, whereby the concurrence of fellow administrators or management can be required before an individual user can gain administrative access.
Implementing privilege management should proceed as a set of iterative steps:
- Inventory all privileged accounts: internal, external, and cloud
- Limit access to privileged accounts and restrict use for “break glass” emergencies only
- Have users log in with their individual accounts on Windows and Linux; elevate privileges based on role
- Monitor privileged account usage
- Use MFA everywhere for increased identity assurance and to prevent breaches
- Detect anomalies in privileged account use that might indicate potential fraudulent activities
- Respond to privileged account incidents quickly and with targeted actions
- Continuously evaluate and improve your Privilege Management strategy.
Centrify Privilege Service provides management of customers’ privileged accounts. It is available as an on-premise product and also as a cloud service. Centrify is a private, venture-backed identity and access management solutions provider based in Santa Clara, California. The company was founded in 2004, and has developed privileged access security and session monitoring products for Linux, Unix, Windows, and network devices as well as Identity-as-a Service (IDaaS), mobile and Mac Management, and multi-factor authentication solutions.