Privileged Identity Management - Special Requirement of Privileged Identities

Special Requirement of Privileged Identities

A Privileged Identity Management technology needs to accommodate the special needs of privileged accounts, including their provisioning and life cycle management, authentication, authorization, password management, auditing, and access controls.

  • Provisioning and life cycle management -- handles the access permissions of a personal user to shared/generic privileged accounts based on roles and policies.
    • Note: built-in privileged accounts are not normally managed using an identity management system (privileged or otherwise), as these accounts are automatically created when an OS, database, etc. is first installed and are decommissioned along with the system or device.
  • Authentication
    • First use case -- control authentication into the privileged accounts, for example by regularly changing their password.
    • Second use case -- control authentication into a privileged access management system, from which a user or application may "check out" access to a privileged account.
  • Authorization -- control what users and what applications are allowed access to which privileged accounts or elevated privileges.
    • First use case -- pre-authorized access ("these users can use these accounts on these systems any time").
    • Second use case -- one-time access ("these users can request access to these accounts on these systems, but such requests for short-term access must first be approved by ...").
  • Password Management -- scheduled and event-triggered password changes and password complexity rules, all applying new password values to privileged accounts.
  • Auditing -- both event logs (who accessed which account, when, etc.) and session capture (recording and replaying what happened during a login session to a given account).
  • Access Controls -- control what a given user, connected to a given privileged account, on a given system, can do. Two design principles are balanced here: the principle of least privilege and a desire to minimize the need to develop and maintain complex access control rules.
  • Session Recording -- the ability to record access to privileged accounts is vital from both a security and a compliance perspective.
  • Session Isolation -- controlling access to privileged accounts using a session proxy (or next-generation jump server) can prevent issues such as pass-the-hash attacks and malware propagation.
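As an added illustration, not taken from the original article or from any PAM product, the following Python model ties together several of the requirements above: pre-authorized versus approval-gated account check-out, an event-triggered password change when the account is checked back in, and an event log for auditing. All account, role and user names in it are constructed.

```python
import secrets
import string

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def new_password(length=24):
    """Generate a password meeting a simple complexity rule (all four classes)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = (str.islower, str.isupper, str.isdigit, lambda c: c in SYMBOLS)
        if all(any(f(c) for c in pw) for f in classes):
            return pw

class Vault:
    """Constructed model of a privileged-account vault; not a real PAM product's API."""
    def __init__(self, accounts):
        self.passwords = {a: new_password() for a in accounts}  # account -> current secret
        self.preauthorized = set()      # (role, account): usable any time (first use case)
        self.approval_required = set()  # (role, account): needs one-time approval (second)
        self.approvals = set()          # (user, account): approvals granted, consumed on use
        self.checked_out = {}           # account -> user currently holding it
        self.audit = []                 # event log: who did what to which account
    def approve(self, approver, user, account):
        self.approvals.add((user, account))
        self.audit.append(("approve", approver, user, account))
    def checkout(self, user, role, account):
        """Return the account password if policy allows, else None. Every outcome is audited."""
        if account in self.checked_out:
            reason, ok = "already checked out", False
        elif (role, account) in self.preauthorized:
            reason, ok = "pre-authorized", True
        elif (role, account) in self.approval_required and (user, account) in self.approvals:
            self.approvals.discard((user, account))  # one-time approval is consumed
            reason, ok = "approved request", True
        else:
            reason, ok = "no authorization", False
        self.audit.append(("checkout" if ok else "deny", user, account, reason))
        if ok:
            self.checked_out[account] = user
        return self.passwords[account] if ok else None
    def checkin(self, user, account):
        """Release the account and rotate its password (an event-triggered change)."""
        if self.checked_out.get(account) != user:
            return False
        del self.checked_out[account]
        self.passwords[account] = new_password()
        self.audit.append(("checkin+rotate", user, account))
        return True
```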
