1 Introduction
Managing access to applications, systems and resources is a key task for any organization and the hybrid IT deployment model has made this even more complex. One area of concern is managing administrative access – administration is an essential process, but the administrator accounts provide the keys to the kingdom. This makes it especially important that privileged access using administrator accounts is well governed, controlled and monitored.
In traditional IT deployments privileged accounts are needed to manage and configure operating systems, middleware like databases and applications. While some of these activities are delegated to the CSP (Cloud Service Provider) for cloud services, the customer must administer their own use of the services – obtaining resources, setting up policies and implementing controls over how the service is configured, accessed and used.
The cloud customer must use the administrative interface provided by the service to buy and configure the service components that they need. This essentially creates a contract with the service provider and has cost implications. The technical configuration of the cloud resources by the customer controls not only the price and performance of the service but also the security risks. It also common for this process to be delegated across the organization to the lines of business that are using the services. Furthermore, the administrative interfaces provided by each vendor for their service is different and where several cloud services are in use these differences add to the complexity.
In order to help organizations to manage these complexities KuppingerCole has created architectural blueprints for Access Governance and Privilege Management and Hybrid Cloud Security. These recommend a common risk-based approach using standards such as ISO/IEC 27001 and identify the critical components and controls. In the hybrid IT environment, it is essential to remember that, however the service is delivered, the customer is always responsible for managing identity and access to their data and the resources they use. Critical components relating to the governance of privileged access include:
- Identity provisioning – this is the foundation for the good governance of the privileged identity lifecycle. The provisioning process must ensure that only the minimum entitlements that are necessary for the administrators to do their job are given. As people move through the organization and eventually leave processes must ensure that these privileges are adjusted appropriately and in a timely manner.
- Authorization – the access entitlements for privileged administrators must be limited to only those that are necessary. This involves limiting not only the systems and services that can be administered but also the scope of administration. Ideally there should be predefined templates not only for the administrator accounts but also for the configuration of the systems and services that they control. This helps to prevent both mistakes as well as malicious activity.
- Authentication – it must not be easy to gain privileged access to systems and services – these are the primary target for the cyber attackers because of the power that they provide. Privileged access should normally require stronger authentication such as MFA (Multi-Factor Authentication) and ideally should only be available with a documented cause- such as a trouble ticket or a change request. The privileged user should not need to remember multiple sets of credentials to perform their task – this only increases the risks that those credentials will be shared or leaked – SSO (Single Sign-On) based on strong authentication is recommended.
- Monitoring – while the previous components have been primarily concerned with preventing misuse of privilege, monitoring is more concerned with detection of abnormal behaviour. It is essential to monitor all privileged activity – this is not only to be able to trace why changes were made but also to detect potentially malicious activity. Cyber attackers target privileged accounts and often the first sign of an attack in progress is abnormal behavior by a privileged account.
- Auditing – this includes being able to identify at any point in time what privileges each individual administrator has and what privileged activities they have performed. From an auditing perspective it should be possible to quickly identify wherever these deviate from the norm. From a process point of view there should be regular independent reviews of privileged access rights. This should also include consideration such as SoD (Segregation of Duties) – for example the person with privileged access should not be able to approve their own use of that privilege.