Privileged Access Management
On a stand-alone Windows machine on or more ‘user’ and a single ‘administrator’ account should be created. Use of the ‘administrator’ permits an individual or program to make changes to the machine settings with the potential of accidental damage and the risk of allowing malware to run riot. Hence the simplest form of Privileged Access Management is to restrict access to the administrator account. On a domain (Windows) or LDAP (Linux/Unix) system the individual’s log in credentials will be linked to privileges of access on the network. Remember that even on a domain based solution access to individual machines is still possible through their local accounts with potential damage to the system as a whole.
The above advice would have applied equally well at the end of the 1990s except for the version of Windows in use. Computer systems have become considerably more complex since then. Information may be held on virtual and cloud servers over which the original data creator has limited control. Internet services are frequently run within the cloud rather than on dedicated company servers. Social media hosting is almost completely out of the data owner’s control. All these systems together with program suites for business solutions, data management and security depend on systems of users and passwords. They also all fall into the simple mantra of only allowing the minimum access required to do what they are supposed to do. While every user could be assigned their own set of passwords the more that responsibilities and access can be grouped the better. Assigning a single sign on for each user is the ideal but minimising accounts is more realistic and easier to regulate.
Steps towards Privileged Access Management include:
- Group accounts based on a role in the business (sales, warehouse etc.)
- Only assign the lowest privilege to allow normal work to be done.
- Temporarily elevate a privilege for a task then reduce it afterwards.
- Monitor and audit network traffic including details of users and their points of access.
- Pay particular attention to accounts with high levels of access.
An important aside is that accounts should never be shared (except perhaps for the most limited of guest access). Having each account traceable to a distinct user allows any event to be tracked down to the responsible individual or program. If 3 members of staff each need administrator access they should each have individual accounts or be part of a group with appropriate rights of access. Phishing and similar hacking activities aim to compromise accounts. If access management is optimally set up; the accounts most likely to be phished will be those with less potential to harm the overall system.
Integrated solutions to the concept of Privileged Access Management are becoming available. Many of these are Software as a Service (SaaS) models providing an integrated administration dashboard, single sign on for network users and some degree of automation. They may appear similar but vary in the exact services offered. Kindus understand the market and will provide advice on the best solution or combination of solutions for your business.