
How can organizations get control over privileged identity management?

Doling out too many admin privileges can lead enterprises astray when it comes to privileged identity management, but there are ways they can take back control.

Recent research showed 72% of temporary workers and contractors are given administrative privileges on their employers' systems. After the Snowden incident I'm obviously leery about too many users with admin privileges. How do you recommend taking back control over system privileges without interrupting employee productivity?

Privileged identity management is indeed an issue within the security community. This population of workers generally needs to have privileges that exceed those of most normal workers in the organization, whether for business continuity activities or to perform administrative tasks. However, there are several ways to minimize exposure of sensitive activities and information:

  • Implement a good attestation process: The organization audits users with privileged access on a regular basis and ensures all users who no longer need this access have it taken away.
  • Implement a "break the glass" process: Administrative privileged accounts are not given to personnel with only occasional need. Some solutions are to call a help desk, go to a website or log onto a password management system/provisioning system and request access for a defined period of time or until the closure of a support ticket.
  • Enlist an internal or external security monitoring team: This team would monitor the activities of privileged users and define a series of alerts to immediately notify appropriate personnel when an administrator may have performed a function outside of their assigned duties.
  • Utilize data loss prevention devices, firewalls, web proxy services, and other boundary services to monitor outgoing traffic: This ensures that if a privileged account is compromised, sensitive information doesn't leave the organization.
  • Deploy workstation session managers: These tools limit, log and replay administrative activities to ensure unauthorized activities are not being conducted.
  • Take away full administrative access: Privileged accounts should be given to only those workers who truly need it, despite the grumblings that are sure to occur. In addition, once issued, ensure those personnel who are given these privileges are periodically trained, informed of enterprise policies around proper use and protection of their accounts, and attest their understanding of the importance of their role in the protection of your organization's information.
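The first two items above, the periodic attestation review and the time-boxed "break the glass" grant, are procedures that are easy to describe and easy to let slip. The following Python script is an added example, not code from the original answer or from any product: it models privileged-access grants as a simple record, then runs the review an attestation process would run, flagging standing privileges whose owner has not re-attested within a review interval or that have gone unused, and break-glass grants whose time window has closed or whose support ticket has been resolved. The record layout, the 90-day attestation interval, the 60-day "unused" threshold and the sample accounts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Review policy (assumed values, not from the original page).
ATTEST_INTERVAL = timedelta(days=90)   # owner must re-attest standing admin access this often
STALE_USE = timedelta(days=60)         # standing access unused this long is a removal candidate


@dataclass
class Grant:
    """One privileged-access grant as an access-management system might record it.
    Field names are assumptions for this example."""
    user: str
    role: str                          # e.g. "domain-admin"
    kind: str                          # "standing" or "break-glass"
    granted: datetime
    expires: Optional[datetime]        # break-glass grants carry a hard expiry
    ticket: Optional[str]              # support ticket a break-glass grant is tied to
    ticket_open: bool
    last_attested: Optional[datetime]  # last time an owner confirmed the need
    last_used: Optional[datetime]


def break_glass_active(g: Grant, now: datetime) -> bool:
    """A break-glass grant is usable only while its window and its ticket are both open."""
    if g.kind != "break-glass":
        return False
    window_open = g.expires is None or now < g.expires
    return window_open and g.ticket_open


def review_grants(grants: List[Grant], now: datetime) -> List[Tuple[str, str, str]]:
    """Attestation review: return (user, role, reason) for every grant that should be revoked."""
    findings = []
    for g in grants:
        if g.kind == "break-glass":
            if g.expires is not None and now >= g.expires:
                findings.append((g.user, g.role, "break-glass window expired"))
            elif g.ticket is not None and not g.ticket_open:
                findings.append((g.user, g.role, f"ticket {g.ticket} closed"))
            continue
        # Standing privileged access: must be re-attested and actually used.
        if g.last_attested is None or now - g.last_attested > ATTEST_INTERVAL:
            findings.append((g.user, g.role, "attestation overdue"))
        elif g.last_used is None or now - g.last_used > STALE_USE:
            findings.append((g.user, g.role, "privilege unused; candidate for removal"))
    return findings


# Constructed sample data for the review run; none of these accounts are real.
REVIEW_TIME = datetime(2015, 6, 15, 9, 0)
D = datetime


def sample_grants() -> List[Grant]:
    return [
        Grant("alice", "domain-admin", "standing", D(2014, 1, 5), None, None, False, D(2015, 5, 1), D(2015, 6, 10)),
        Grant("bob", "domain-admin", "standing", D(2014, 11, 3), None, None, False, D(2015, 1, 10), D(2015, 6, 12)),
        Grant("carol", "db-admin", "standing", D(2014, 8, 20), None, None, False, D(2015, 5, 20), D(2015, 3, 1)),
        Grant("dave", "server-admin", "break-glass", D(2015, 6, 14, 8), D(2015, 6, 14, 16), "INC-0042", True, None, D(2015, 6, 14, 9)),
        Grant("erin", "server-admin", "break-glass", D(2015, 6, 15, 7), D(2015, 6, 16, 7), "INC-0043", False, None, D(2015, 6, 15, 8)),
        Grant("frank", "server-admin", "break-glass", D(2015, 6, 15, 8), D(2015, 6, 16, 8), "INC-0044", True, None, None),
    ]


if __name__ == "__main__":
    for user, role, reason in review_grants(sample_grants(), REVIEW_TIME):
        print(f"REVOKE {user:6} {role:13} {reason}")
    for g in sample_grants():
        if g.kind == "break-glass":
            print(f"{g.user:6} break-glass active: {break_glass_active(g, REVIEW_TIME)}")
```

The review produces four findings against this data: bob's standing access has not been re-attested in over 90 days, carol's has not been used in over 60, dave's break-glass window has lapsed and erin's ticket has been closed; only frank's grant is still live. Running something like this on a schedule, and feeding the findings to the owner who has to sign off, turns "audit on a regular basis" into a concrete, repeatable step.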

While these suggestions will greatly reduce the risk of rogue administrators, there's no control available today to stop that one person -- with the access and drive that Snowden had -- from walking away with some information, even under the nose of the most stringent security group. Implementing any or all of these suggestions will help reduce risks, but having a good evaluation and trust of your administrators' moral code, and selecting the most trustworthy workers in your organization, will go the farthest in protecting your sensitive information.


This was last published in June 2015
