Identity and Access Management: Access Is a Privilege

Privileged-access lifecycle management is a process and technology framework that can make your access controls more efficient and effective.

John Mutch

Financial institutions, health-care organizations and other firms operating in highly regulated industries continuously face the monumental task of managing authorization to mission-critical systems. These organizations often have large numbers of internal and external users accessing an increasing number of applications, and each user carries different security and control requirements.

Companies in these highly regulated industries must also address identity-management concerns related to compliance issues. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS) have strict guidelines on how firms within their purview are required to manage identity and access.

There are often excessive administrative costs due to account maintenance, password resets, inconsistent information, inflexible IT environments, silos due to mergers and acquisitions, and aging IT infrastructures. These factors make effective identity and access management even more of a challenge for organizations.

Provisioning Privilege

These combined factors are propelling the adoption of privileged-access lifecycle management (PALM) solutions across all industries. PALM is a technology architecture framework consisting of four stages running continuously under a centralized automated platform:

  1. Access to privileged resources
  2. Control of privileged resources
  3. Monitoring actions taken on privileged resources
  4. Remediation to revert changes made on privileged IT resources to a known good state

Access includes the process of centrally provisioning role-based and time-bound credentials for privileged access to IT assets. The process also includes automating approval of access requests and auditing access logs.

Control includes the process of centrally managing role-based permissions for tasks that require access to privileged IT resources. This part of the process also includes automating permission request approvals and auditing system administrative actions.

Monitoring includes audit management of logging, recording and overseeing user activities. This process also includes automated workflows for event and I/O log reviews and acknowledgements, and centralized audit trails for streamlined audit support and heightened security awareness.

Remediation includes the process of refining previously assigned permissions for access and control to meet security or compliance objectives. You need to be able to centrally roll back system configuration to a previous known acceptable state when required.

The process of automating PALM includes developing a central unifying policy platform coupled with an event-review engine. This gives you controls for and visibility into each stage of the lifecycle.
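The four stages above, modelled as an added example (not BeyondTrust's or any vendor's code): a role-based, time-bound grant that needs an approver, a permission check before each privileged task, a central audit trail, and a rollback to a known good configuration. The roles, tasks and configuration keys are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed role model (control stage): privileged tasks each role may run.
ROLE_PERMISSIONS = {
    "dba": {"restart_db", "change_db_config"},
    "sysadmin": {"restart_service", "change_sshd_config"},
}


class PALM:
    def __init__(self):
        self.grants = {}       # user -> (role, expiry, approver); access stage
        self.audit = []        # centralized audit trail; monitoring stage
        self.config = {}       # constructed "system configuration"
        self.known_good = {}   # last snapshot; remediation stage

    def _log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def request_access(self, user, role, minutes, approver, now=None):
        """Access stage: issue a role-based, time-bound grant only with approval."""
        now = now or datetime.now(timezone.utc)
        if role not in ROLE_PERMISSIONS or approver == user:   # no self-approval
            self._log("access_denied", user=user, role=role)
            return False
        self.grants[user] = (role, now + timedelta(minutes=minutes), approver)
        self._log("access_granted", user=user, role=role, approved_by=approver)
        return True

    def run_task(self, user, task, key=None, value=None, now=None):
        """Control stage: the grant must be live and the role must permit the task."""
        now = now or datetime.now(timezone.utc)
        grant = self.grants.get(user)
        if grant is None or now >= grant[1] or task not in ROLE_PERMISSIONS[grant[0]]:
            self._log("task_denied", user=user, task=task)
            return False
        if key is not None:
            self.config[key] = value
        self._log("task_run", user=user, task=task, key=key, value=value)
        return True

    def snapshot(self):
        self.known_good = dict(self.config)   # record the known good state

    def remediate(self):
        """Remediation stage: roll the configuration back to the known good state."""
        self.config = dict(self.known_good)
        self._log("rollback")
        return self.config
```

Every denied request and denied task lands in the same audit trail as the granted ones, which is what an auditor reviewing the lifecycle needs to see.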

Cost-Justifying PALM

There are several business operational factors that come into play when considering the costs of PALM systems:

  • Security: Privileged access is critical for smooth ongoing IT administration. At the same time, it exposes an organization to security risks—especially insider threats.
  • Compliance: If not managed correctly, privileged access to critical business systems can introduce significant compliance risks. The ability to provide an audit trail across all stages of the privileged-access lifecycle is critical for compliance, and it is often difficult to achieve in large, complex, heterogeneous IT environments.
  • Reduced Complexity: Effective PALM in large, heterogeneous environments with multiple IT engineers, managers and auditors can be an immensely challenging task.
  • Heterogeneous Coverage: An effective PALM solution must support a broad range of platforms including Windows, Unix, Linux, AS/400, Active Directory, databases, firewalls, and routers and switches.

Here are some of the first steps to take when considering a PALM system:

Establish security as a corporate goal. Enterprises might have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.

Provide or enlist in training as required. For security to work, everyone needs to know the basic rules. Once they know the rules, it doesn’t hurt to prompt them to follow those rules.

Ensure all managers understand security. It’s especially important that all members of the management team understand the risks associated with unsecured systems. Otherwise, management choices may unwittingly jeopardize the company’s reputation, proprietary information and financial results.

Clearly communicate to management. Too often, IT managers complain to their terminals instead of their supervisors. Other times, IT professionals find that complaining to their supervisors is remarkably similar to complaining to their terminals. Make sure your message is heard and understood.

If you’re a manager, make sure that your people have access to your time and attention. When security issues come up, it’s important to pay attention. The first line of defense for your network is strong communication with the people behind your machines. If you’re a front-line IT administrator, try to ensure that talking to your immediate manager fixes the problems you see from potential or realized misuse of privileges. If it doesn’t, you should be confident enough to reach higher up the management chain to alert them to take action.

Delineate cross-organizational security support. If your company has a security group and a systems administration group, your corporate management needs to clearly define their roles and responsibilities. For example, are the systems administrators responsible for configuring the systems? Is the security group responsible for reporting non-compliance?

If no one is officially responsible, nothing will get done. In those cases, accountability for resulting problems will often be shouldered by the non-offending party. An effective PALM framework is a blend of process, technology, accountability and communication.

John Mutch

John Mutch has been an executive and investor in the technology industry for more than 25 years. Prior to joining BeyondTrust as CEO in 2008, Mutch was a founder and managing partner of MV Advisors LLC. He has also served as president, CEO and director of HNC Software, and spent seven years at Microsoft in a variety of executive sales and marketing roles.