Commissioned by Thycotic
1 Introduction
With a rapidly changing IT landscape in the age of digital transformation, the risks of unmanaged privileges can be disastrous to the business. Most organizations lack sufficient visibility into the access privileges that are often spread across the IT environment and have no provisions in place to calibrate and measure the state of privileged access entitlements. The privileged entitlements are generally assigned to software and system accounts and in some cases to administrative roles and even individual named accounts.
With the increasing complexity of privileged access entitlements and the need to assign them on a least-privilege basis to conform to foundational security guidelines, it is important that security leaders and system owners have the right tools that can help them conduct frequent access certifications as a vehicle to gain necessary visibility in the organization’s state of privileged access.
This starts with a consistent lifecycle management for privileged accounts. When applications are onboarded, such processes must be initiated. Beyond that, there also is a continuous need for tracking such accounts, e.g. to avoid orphaned accounts or ending up with highly privileged but unmanaged accounts.
Organizations must introduce controls to gain the required visibility into the access patterns and privileged entitlements by deploying appropriate access governance capabilities. Emerging technology initiatives such as the digital workplace, DevOps, security automation and the Internet of Things continue to expand the attack surface of organizations as well as introduce new digital risks. To stay competitive and compliant, organizations must actively seek newer ways of assessing and managing security risks without disrupting the business. Security leaders, therefore, have an urgent need to constantly improve upon security posture of the organization by identifying and implementing appropriate controls to prevent such threats.
In a nutshell, Privileged Access Management represents the set of critical cybersecurity controls that deal with the management of security risks associated with privileged access in an organization. There are primarily two types of privileged users:
- Privileged Business Users - those who have access to sensitive data and information assets such as HR records, payroll details, financial information, company’s intellectual property etc.. This type of access is typically assigned to the application users through business roles using the application accounts.
- Privileged IT Users – those who have access to IT infrastructure supporting the business. Such access is generally granted to IT administrators through administrative roles using system accounts, software accounts or operational accounts.
The privileged nature of these accounts provides their users with an unrestricted and often unmonitored access across the organization’s IT assets, which not only violates basic security principles such as least privilege but also severely limits the ability to establish individual accountability for privileged activities.
Privileged accounts pose a significant threat to the overall security posture of an organization because of their heightened level of access to sensitive data and critical operations. Security leaders, therefore, need a stronger emphasis on identifying and managing these accounts to prevent the security risks emanating from their misuse.
Available Identity and Access Management (IAM) tools are purposely designed to deal with management of standard users’ identity and access and do not offer the capabilities to manage privileged access scenarios such as the use of shared accounts, monitoring of privileged activities and do not provide Privileged Access Governance capabilities. IGA tools also do not provide management of non-human accounts such as service accounts that are frequently used by systems and applications to execute specific tasks including connecting to other systems, applications and databases, and are non-interactive in nature. Privileged Access Management tools are increasingly being designed to address Privileged Access Governance (PAG) requirements by either building native governance functions or allowing for external interfaces such as APIs and SDKs for IGA tools to fetch privilege entitlements associated with a user and role during the standard access certification campaigns.
IGA tools also do not provide management of non-human accounts such as service accounts that are frequently used by systems and applications to execute specific tasks including connecting to other systems, applications and databases, and are non-interactive in nature.
While credential vaulting, password rotation, controlled elevation and delegation of privileges, session establishment and activity monitoring have been the focus of attention for PAM tools for a long time, Privileged Access Governance along with other advanced capabilities such as privileged user analytics, risk-based session monitoring and advanced threat protection are becoming the new norm - all integrated into comprehensive PAM suites being offered. We see a growing number of vendors taking different approaches to solve the underlying problem of restricting, monitoring, and analyzing privileged access and the use of shared accounts.
In addition to these capabilities, there’s an urgent need felt by organizations to conduct and manage privileged access certifications to help security leaders and managers gain the necessary visibility into the state of administrative and privileged access of users and contractors in the IaaS and PaaS platforms at a given point of time. Privileged Access Governance provides this visibility through on-demand access certifications, access attestation and remediation workflows for cloud resources. Flexible reporting capabilities allow security leaders and systems owners to continuously monitor, manage and control privileged access including privilege escalations to the critical assets and sensitive data across the organization’s IT environment.
In this whitepaper, we will discuss the drivers, challenges and best practice approaches of leveraging Privileged Access Governance to enable a secure, accountable and regulatory compliant privileged access environment for organizations.