Privileged Identity Management - Special Requirement of Privileged Identities

Special Requirement of Privileged Identities

A Privileged Identity Management technology needs to accommodate the special needs of privileged accounts, including their provisioning and life cycle management, authentication, authorization, password management, auditing, and access controls. The common thread is that these accounts are shared, powerful, and usually not tied to one person, so the system has to reintroduce individual accountability around them.

  • Provisioning and life cycle management -- grants and revokes a personal user's access to shared/generic privileged accounts based on roles and policies, so that the mapping from people to privileged accounts is explicit and can be reviewed.
    • Note: built-in privileged accounts (root, Administrator, sa, etc.) are not normally provisioned or deprovisioned through an identity management system, privileged or otherwise. They are created automatically when an OS, database, etc. is first installed and go away when the system or device is decommissioned. What a PIM system manages for them is the credential and who may use it, not the account's existence.
  • Authentication
    • First use case -- control authentication into the privileged accounts themselves, for example by regularly changing their password so that no copy of it stays valid for long.
    • Second use case -- control authentication into the privileged access management system, from which a user or application may "check out" access to a privileged account. This login gates every credential in the vault, so it is where strong (e.g. multi-factor) authentication belongs.
  • Authorization -- control which users and which applications are allowed access to which privileged accounts or elevated privileges.
    • First use case -- pre-authorized access ("these users can use these accounts on these systems at any time").
    • Second use case -- one-time access ("these users can request access to these accounts on these systems, but such requests for short-term access must first be approved by ..."). The approver should not be the requester.
  • Password management -- scheduled and event-triggered password changes (e.g. on check-in, on staff departure, or after a suspected compromise) plus password complexity rules, with every new value applied to the privileged account itself, not merely stored in the vault.
  • Auditing -- both event logs (who accessed which account, when, with what approval) and session capture (recording and replaying what happened during a login session to a given account).
  • Access controls -- control what a given user, connected to a given privileged account, on a given system, can do. Two design principles are balanced here: the principle of least privilege and the desire to minimize the need to develop and maintain complex access control rules.
  • Session recording -- the ability to record access to privileged accounts is vital from both a security and a compliance perspective; the recording is also the evidence an incident responder needs to reconstruct what a compromised or misused account actually did.
  • Session isolation -- controlling access to privileged accounts through a session proxy (or next-generation jump server) means the privileged credential is used by the proxy and never reaches the user's workstation. That is what limits pass-the-hash attacks and malware propagation: a compromised endpoint has no hash to steal and no direct network path to the target system.
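The authorization, password management and auditing points above describe one mechanism: a vault that hands out a privileged credential only under policy, rotates it when the session ends or the password gets stale, and logs every decision. The following is an added, self-contained Python illustration of that mechanism written for this page; it is not the code of any PIM product, and the users (alice, bob, carol), the account `root@db01`, the exclusive-checkout rule and the complexity rule are all assumptions chosen for the example.

```python
"""Toy privileged-account vault (illustration only, not a real PIM product).

Shows: pre-authorized vs. approval-required checkout, a separation-of-duties
check (no self-approval), event-triggered rotation on check-in, scheduled
rotation of stale passwords, and an audit trail of every decision.
Account and user names are made up for the example.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

PASSWORD_LENGTH = 20
# Assumed complexity rule: at least one character from each of these classes.
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_")


def generate_password(length=PASSWORD_LENGTH):
    """Cryptographically random password that satisfies CHARSETS by construction."""
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cs) for cs in CHARSETS]          # one from each class
    alphabet = "".join(CHARSETS)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)                                         # hide the class order
    return "".join(chars)


def meets_complexity(pw, length=PASSWORD_LENGTH):
    return len(pw) >= length and all(any(c in cs for c in pw) for cs in CHARSETS)


@dataclass(frozen=True)
class Policy:
    pre_authorized: frozenset   # may check the account out at any time
    may_request: frozenset      # may check it out only with an approval
    approvers: frozenset        # who may grant such an approval


@dataclass
class PrivilegedAccount:
    system: str
    name: str
    policy: Policy
    password: str = field(default_factory=generate_password)
    rotated_at: int = 0                       # epoch seconds of last rotation
    checked_out_by: Optional[str] = None      # exclusive checkout (assumed rule)

    @property
    def key(self):
        return f"{self.name}@{self.system}"


class Vault:
    def __init__(self, max_password_age=86400):
        self.accounts = {}
        self.audit = []                       # event log: when, what, who, which account
        self.max_password_age = max_password_age

    def add(self, account, now):
        account.rotated_at = now
        self.accounts[account.key] = account

    def _log(self, now, event, user, key, **detail):
        self.audit.append({"t": now, "event": event, "user": user, "account": key, **detail})

    def _rotate(self, acct, now, reason):
        acct.password = generate_password()   # a real vault would also push it to the target
        acct.rotated_at = now
        self._log(now, "rotate", "vault", acct.key, reason=reason)

    def checkout(self, user, key, now, approved_by=None):
        """Return the current password if policy allows, else None (and log a deny)."""
        acct = self.accounts[key]
        pol = acct.policy
        if user in pol.pre_authorized:
            mode = "pre-authorized"
        elif user in pol.may_request and approved_by in pol.approvers and approved_by != user:
            mode = "one-time"                 # approved request; requester cannot self-approve
        else:
            self._log(now, "deny", user, key, approved_by=approved_by)
            return None
        if acct.checked_out_by is not None:
            self._log(now, "deny", user, key, reason="already checked out", holder=acct.checked_out_by)
            return None
        acct.checked_out_by = user
        self._log(now, "checkout", user, key, mode=mode, approved_by=approved_by)
        return acct.password

    def checkin(self, user, key, now):
        """Release the account; the password is rotated so the value the user saw dies."""
        acct = self.accounts[key]
        if acct.checked_out_by != user:
            self._log(now, "deny", user, key, reason="not the holder")
            return False
        acct.checked_out_by = None
        self._log(now, "checkin", user, key)
        self._rotate(acct, now, "checkin")    # event-triggered rotation
        return True

    def rotate_stale(self, now):
        """Scheduled rotation of passwords older than max_password_age; returns keys rotated.
        Accounts currently checked out are skipped so an active session is not broken."""
        rotated = []
        for acct in self.accounts.values():
            if acct.checked_out_by is None and now - acct.rotated_at >= self.max_password_age:
                self._rotate(acct, now, "scheduled")
                rotated.append(acct.key)
        return rotated


if __name__ == "__main__":
    pol = Policy(frozenset({"alice"}), frozenset({"bob"}), frozenset({"carol"}))
    v = Vault(max_password_age=3600)
    v.add(PrivilegedAccount("db01", "root", pol), now=0)
    v.checkout("alice", "root@db01", now=10)                     # pre-authorized
    v.checkout("bob", "root@db01", now=11, approved_by="carol")  # denied: already out
    v.checkin("alice", "root@db01", now=13)                      # triggers rotation
    v.checkout("bob", "root@db01", now=21, approved_by="bob")    # denied: self-approval
    v.checkout("bob", "root@db01", now=22, approved_by="carol")  # one-time access
    for e in v.audit:
        print(e)
```

The audit list is the event log the page calls for; session capture (what happened inside the session) is a separate concern that a proxy, not the vault, would provide. The choice to skip checked-out accounts during scheduled rotation is a deliberate trade-off: it avoids breaking a live session at the cost of letting a password exceed its maximum age while someone holds it, which is why check-in forces a rotation.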
