printer friendly version

Privileged Access Lifecycle ­Management

Banks, insurance companies, and other institutions are faced with the monumental task of managing authorisation to mission-critical systems. These organisations have large numbers of internal and external users accessing an increasing number of applications, with each user requiring a different level of security and control requirements. In addition, these organisations must also address identity management concerns that arise from compliance issues related to regulations like SOX, HIPAA, GLBA, and PCI DSS.

High administrative costs due to account maintenance, password resets, inconsistent information, inflexible information technology (IT) environments, silos due to mergers and acquisitions, and ageing IT infrastructures make this even more challenging for organisations. Together, these factors are propelling the adoption of privileged lifecycle access management solutions across all industries. Privileged Access Lifecycle Management (PALM) is a technology architecture framework consisting of four continual stages running under a centralised automated platform:

Access to privileged resources; control of privileged resources; monitoring of actions taken on privileged resources; and remediation to revert changes made on privileged IT resources to a known good state.

Access includes the process of centrally provisioning role based time-bound credentials for privileged access to IT assets in order to facilitate administrative tasks. The process also includes automation for approval of access requests and auditing of access logs.

Control

Control includes the process of centrally managing role-based permissions for tasks that can be conducted by administrators once granted access to a privileged IT resource. The process also includes automation for approval of permission requests and auditing of administrative actions conducted on the system.

Monitor

Monitor includes audit management of logging, recording and overseeing user activities. This process also includes automated workflows for event and I/O log reviews and acknowledgements and centralised audit trails for streamlined audit support and heightened security awareness.

Remediation

Remediation includes the process of refining previously assigned permissions for access and/or control to meet security or compliance objectives, and the capability to centrally rollback system configuration to a previous known acceptable state if required. Automation of the Privileged Access Management Lifecycle includes a central unifying policy platform coupled with an event review engine, that provides controls for and visibility into each stage of the lifecycle.

How to cost justify Privileged Access Lifecycle Management

* Security: Privileged access is critical for smooth ongoing administration of IT assets. At the same time, it exposes an organisation to security risks, especially insider threats.

* Compliance: Privileged access to critical business systems, if not managed correctly, can introduce significant compliance risks. The ability to provide an audit trail across all stages of the Privileged Access Lifecycle Management is critical for compliance, and is often difficult to achieve in large complex heterogeneous IT environments.

* Reduced complexity: Effective Privileged Access Lifecycle Management in large heterogeneous environments with multiple administrators, managers and auditors, can be an immensely challenging task.

* Heterogeneous coverage: An effective PALM solution supports across a broad range of platforms including Windows, UNIX, Linux, AS/400, Active Directory, databases, firewalls, and routers/switches.

Beginning steps before implementing PALM

Set security as a corporate goal

Enterprises may have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.

Provide or enlist in training as required

For security to work, everyone needs to know the basic rules. Once they know the rules, it does not hurt to prompt them to follow those rules.

Ensure all managers understand security

It is especially important that all members of management understand the risks associated with unsecured systems. Otherwise, management choices may unwittingly jeopardise the company’s reputation, proprietary information, and financial results.

Communicate to management clearly

Too often, system administrators complain to their terminals instead of their supervisors. Other times, system administrators find that complaining to their supervisors is remarkably like complaining to their terminals.

If you are a manager, make sure that your people have access to your time and attention. When security issues come up, it is important to pay attention. The first line of defence for your network is strong communication with the people behind your machines.

If you are a system administrator, try to ensure that talking to your immediate manager fixes the problems you see from potential or realised misuse of privileges. If it does not, you should be confident enough to reach higher in the management chains to alert for action.

Delineate cross-organisational security support

If your company has a security group and a system administration group, the organisation needs to clearly define their roles and responsibilities. For example, are the system administrators responsible for configuring the systems? Is the security group responsible for reporting non-compliance? If no one is officially responsible, nothing will get done. And accountability for resulting problems will many times be shouldered by the non-offending party.

Share this article:

Further reading: