Tip

Best practices for a privileged access policy to secure user accounts

    Requires Free Membership to View

    Login

For more information
Find out best practices for deleting user accounts after a layoff.

Read more about privileged account managment implementation.

Also check out The New School of Enterprise Authentication for more advice from Mark Diodati.
The process of securing accounts includes a variety of factors, one of the most important being ensuring employees have the minimum access necessary to target platforms. In addition, employees' job functions and related access should be reviewed to ensure there are no separation of duties issues. Case in point: A person who creates a vendor account should not be able to approve payment to that vendor.

The access-review process includes understanding workflow: A baseline of access policies must be reviewed and approved by application owners. Additionally, subsequent changes to access rights should be reviewed and approved. Access certification tools, including those embedded in identity management provisioning systems from various vendors, can assist with the review process.

In some cases, a third-party security tool like CA Inc.'s Access Control or Symark International Inc.'s PowerBroker is required to limit privileged user access. For example, rather than giving the UNIX database administrator access to the root account for the purpose of restarting the server, the security tool can delegate the privilege of system restart to a real user.

Don't miss need-to-know info!

Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
Assuming you have locked down privileged user access, you should be all set, right? Not quite; you need to ensure privileged users do not abuse their access rights. One common use case concerns the customer support supervisor who appropriately has access to confidential customer data. If the supervisor accesses an excessive number of customer records on a given day, it may be an indication of a problem. A security information management (SIM) system would not likely detect this anomaly. Increasingly, enterprises are looking to deploy risk-based consumer authentication techniques to detect this level of access, but for the most part, these risk-based tools aren't ready for enterprise use because they are oriented toward financial transactions. Consumer authentication vendors with risk-based authentication include Hagel Technologies Ltd.'s AdmitOne, Arcot Systems Inc., Entrust, Oracle Corp., RSA Security and VeriSign Inc.

Some organizations consider the use of two separate accounts to address excessive user privilege. The first one is the "everyday" account for use in routine activities such as logging onto Windows workstations and checking email. The second account is only used for administrative tasks that require high privilege, including working with high-risk production systems. The high privilege account is not used during everyday tasks, which limits exposure to malware. However, the use of two accounts will not address the issue of excessive privileges granted to the user.

Balancing user access between the too lenient and the overly strict can be a challenge, but with these best practices, it can be a bit less daunting.

About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 18 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM for CA Inc., as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.


This was first published in June 2009

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top