News
Privileged Access Lifecycle Management
April 2012 by
Banks, insurance companies, and other institutions are faced with the monumental task of managing authorization to mission-critical systems. These organizations have large numbers of internal and external users accessing an increasing number of applications, with each user requiring a different level of security and control requirements. In addition, these organizations must also address identity management concerns that arise from compliance issues related to regulations like SOX, HIPAA, GLBA, and PCI DSS.
High administrative costs due to account maintenance, password resets, inconsistent information, inflexible information technology (IT) environments, silos due to mergers and acquisitions, and aging IT infrastructures make this even more challenging for organizations. Together, these factors are propelling the adoption of privileged lifecycle access management solutions across all industries. Privileged Access Lifecycle Management (PALM) is a technology architecture framework consisting of four continual stages running under a centralized automated platform:
Access to privileged resources; control of privileged resources; monitoring of actions taken on privileged resources; and remediation to revert changes made on privileged IT resources to a known good state.
Privileged Access Lifecycle Management
Access includes the process of centrally provisioning role based time-bound credentials for privileged access to IT assets in order to facilitate administrative tasks. The process also includes automation for approval of access requests and auditing of access logs.
Control
Control includes the process of centrally managing role based permissions for tasks that can be conducted by administrators once granted access to a privileged IT resource. The process also
includes automation for approval of permission requests and auditing of administrative actions conducted on the system.
Monitor
Monitor includes audit management of logging, recording and overseeing user activities. This process also includes automated workflows for event and I/O log reviews and acknowledgements and centralized audit trails for streamlined audit support and heightened security awareness.
Remediation
Remediation includes the process of refining previously assigned permissions for access and/or control to meet security or compliance objectives, and the capability to centrally roll back system configuration to a previous known acceptable state if required.Automation of the Privileged Access Management Lifecycle includes a central unifying policy platform coupled with an event review engine, that provides controls for and visibility into each stage of the lifecycle.
How to cost justify Privileged Access Lifecycle Management
• Security: Privileged Access is critical for smooth ongoing administration of IT assets. At the same time, it exposes an organization to security risks, especially insider threats.
• Compliance: Privileged Access to critical business systems, if not managed correctly, can introduce significant compliance risks. The ability to provide an audit trail across all stages of the Privileged Access Lifecycle Management is critical for compliance, and is often difficult to achieve in large complex heterogeneous IT environments.
• Reduced Complexity: Effective Privileged Access Lifecycle Management in large heterogeneous environments with multiple administrators, managers and auditors, can be an immensely challenging task.
• Heterogeneous Coverage: An effective PALM solution supports across a broad range of platforms including Windows, UNIX, Linux, AS/400, Active Directory, databases, firewalls, and routers/switches.
Beginning Steps Before Implementing PALM
1. Set Security as a Corporate Goal
Enterprises may have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.
2. Provide or Enlist in Training as Required
For security to work, everyone needs to know the basic rules. Once they know the rules, it doesn’t hurt to prompt them to follow those rules.
3. Ensure All Managers Understand Security
It is especially important that all members of management understand the risks associated with unsecured systems. Otherwise, management choices may unwittingly jeopardize the company’s reputation, proprietary information, and financial results.
4. Communicate to Management Clearly
Too often, system administrators complain to their terminals instead of their supervisors. Other times, system administrators find that complaining to their supervisors is remarkably like complaining to their terminals.
If you are a manager, make sure that your people have access to your time and attention. When security issues come up, it is important to pay attention. The first line of defense for your network is strong communication with the people behind your machines.
If you are a system administrator, try to ensure that talking to your immediate manager fixes the problems you see from potential or realized misuse of privileges. If it doesn’t, you should be confident enough to reach higher in the management chains to alert for action.
5. Delineate Cross-Organizational Security Support
If your company has a security group and a system administration group, the organization needs to clearly define their roles and responsibilities. For example, are the system administrators responsible for configuring the systems? Is the security group responsible for reporting non-compliance? If no one is officially responsible, nothing will get done. And accountability for resulting problems will many times be shouldered by the non-offending party.
