A big security concern for enterprises is monitoring and safeguarding privileged accounts. Should inventory procedures be considered as a way of categorizing and maintaining privileged accounts? Any advice for doing this effectively?
Whether or not to adopt an inventory security procedure is a great question. It seems everyone struggles with the question, “How do you administrate an administrator?” Questions have been raised about inventorying privileged account data and yes, this is a good idea. However, before an enterprise starts inventorying accounts, it is necessary to understand that it is just one task within the overall execution of privileged accounts governance. Otherwise, what good does it do to collect the data?
Privileged account management within most organizations goes awry because governance for these accounts has never been formalized. Like many IT systems that grew organically within an organization, the people who manage these systems started managing them without any formal training with respect to privileged accounts. Only as enterprises have begun to grow in security awareness and read the news reports about those few rogue administrators has management become aware of the power and the threat that privileged users present. Now with the proliferation of IT systems in every corner of an organization, getting a handle on where these accounts are and how to manage them has become a priority task in the protection of the organization’s information.
The governance process should include the following:
- A privileged account policy needs to be drafted and approved by an organization’s executive management. This policy should call out how the account will be managed and what a privileged account should and should not be able to do.
- 2. A model needs to be established on how to manage privileged accounts. The model should indicate if privileged account management is centralized or distributed and who should be in charge of ensuring accounts follow the policies established in step one.
- An inventory needs to be completed to determine how extensive the population is to manage and to identify what accounts are out there; this is where inventory comes in.
- Tools and processes need to be put in place to manage accounts going forward. Most organizations today formalize privileged account policy through the use a provisioning tool. If an enterprise wants to specifically manage privileged accounts, there are specialized provisioning products in the marketplace called privileged identity management (PIM) systems.
Concentrating on No. 3, let's discuss how to conduct a privileged account inventory. First, an organization should start with its technology management and inventory systems. It’s a safe bet that someone is managing each of these systems using a privileged account. For instance, knowing an organization has Cisco networking tools, Oracle databases under its applications, a Web presence on Apache servers, Microsoft PCs using VMware virtual applications, and an enterprise environment that is monitored with HP OpenView, will establish the inventory is effective and if -- when it’s processing is done -- it has captured privileged accounts for each of these areas. If an inventory doesn’t identify a privileged account on the Oracle databases, for example, then a security professional can individually query the business owner of these systems for this information.
The next step is to explain how to capture the information. A good place to start is with an organization’s provisioning system, if one exists. This tool will have a query mechanism to identify which accounts it manages. The second place to look is within network monitoring and logging tools. These tools can quickly display what privileged accounts are active and on what systems they were used. Finally, it is possible to go to enterprise directories. Many systems today don’t maintain their own user accounts, but rely on LDAP and Active Directory to provide this information, including privileged accounts. These directories will identify who has privileged accounts on your Web, application and end-user systems. Between these three mechanisms, it’s possible to capture a large percentage of accounts, if not all of them.
This was first published in December 2011