Recent research showed 72% of temporary workers and contractors are given administrative privileges on their employers' systems. After the Snowden incident I'm obviously leery about too many users with admin privileges. How do you recommend taking back control over system privileges without interrupting employee productivity?
Privileged identity management is indeed an issue within the security community. This population of workers generally needs to have privileges that exceed those of most normal workers in the organization, whether for business continuity activities or to perform administrative tasks. However, there are several ways to minimize exposure of sensitive activities and information:
- Implement a good attestation process: The organization audits users with privileged access on a regular basis and ensures all users who no longer need this access have it taken away.
- Implement a "break the glass" process: Administrative privileged accounts are not given to personnel with only occasional need. Some solutions are to call a help desk, go to a website or log onto a password management system/provisioning system and request access for a defined period of time or until the closure of a support ticket.
- Enlist an internal or external security monitoring team: This team would monitor the activities of privileged users and define a series of alerts to immediately notify appropriate personnel when an administrator may have performed a function outside of their assigned duties.
- Utilize data loss prevention devices, firewalls, web proxy services, and other boundary services to monitor outgoing traffic: This ensures that if a privileged account is compromised, sensitive information doesn't leave the organization.
- Deploy workstation session managers: These tools limit, log and replay administrative activities to ensure unauthorized activities are not being conducted.
- Take away full administrative access: Privileged accounts should be given to only those workers who truly need them, despite the grumblings that are sure to occur. In addition, once issued, ensure those personnel who are given these privileges are periodically trained, informed of enterprise policies around proper use and protection of their accounts, and attest to their understanding of the importance of their role in the protection of your organization's information.
While these suggestions will greatly reduce the risk of rogue administrators, there's no control available today to stop that one person -- with the access and drive that Snowden had -- from walking away with some information, even under the nose of the most stringent security group. Implementing any or all of these suggestions will help reduce risks, but having a good evaluation and trust of your administrators' moral code, and selecting the most trustworthy workers in your organization, will go the farthest in protecting your sensitive information.
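The attestation and "break the glass" items in the list above can be combined into one periodic review job. The sketch below is an added example, not code from the article or any product; the `Grant` record, the 90-day attestation interval, and the ticket IDs are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ATTESTATION_INTERVAL = timedelta(days=90)  # assumed review cadence, not from the article

@dataclass
class Grant:
    user: str
    role: str
    ticket: Optional[str]        # support ticket behind a break-glass grant
    issued: datetime
    expires: Optional[datetime]  # None means a standing privilege
    last_attested: Optional[datetime] = None

def is_active(g, now, open_tickets):
    """Break-glass access ends at expiry or ticket closure, whichever comes first."""
    if g.expires is not None and now >= g.expires:
        return False
    if g.ticket is not None and g.ticket not in open_tickets:
        return False
    return True

def review(grants, now, open_tickets):
    """Return (users to revoke now, users whose standing access needs re-attestation)."""
    revoke, attest = [], []
    for g in grants:
        if not is_active(g, now, open_tickets):
            revoke.append(g.user)
        elif g.expires is None:
            last = g.last_attested or g.issued
            if now - last > ATTESTATION_INTERVAL:
                attest.append(g.user)
    return revoke, attest

# Constructed sample data (hypothetical users, roles and tickets).
NOW = datetime(2024, 6, 1, 12, 0)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLE = [
    Grant("contractor1", "domain-admin", "TKT-101", NOW - 2 * H, NOW + 2 * H),
    Grant("contractor2", "db-admin", "TKT-102", NOW - 1 * H, NOW + 3 * H),  # ticket closed
    Grant("temp3", "root", "TKT-103", NOW - 9 * H, NOW - 1 * H),            # time window over
    Grant("sysadmin4", "domain-admin", None, NOW - 400 * D, None, NOW - 120 * D),
    Grant("sysadmin5", "domain-admin", None, NOW - 400 * D, None, NOW - 10 * D),
]
OPEN_TICKETS = {"TKT-101", "TKT-103"}

if __name__ == "__main__":
    print(review(SAMPLE, NOW, OPEN_TICKETS))
```

The revoke list should feed the provisioning system automatically, while the attestation list goes to the privilege owner's manager for an explicit keep-or-remove decision.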