A key security principle is that of least privilege: limiting permissions to the minimum a user needs to perform their duties, and nothing more. For example, an employee working in HR doesn't need, and shouldn't be granted, access to the company's client database. However, every IT environment has to have users who need superuser privileges in order to configure and maintain that environment, from deployment and configuration to the day-to-day management of databases, servers, users and the security controls that protect the network and its data.
What PIM is
Privileged identity management (PIM) is the monitoring and protection of these superuser accounts to ensure that their elevated privileges are not misused by employees or abused by outsiders as they grant access to critical applications and systems. PIM enables security teams to manage who has the right to do what, where they can do it and when -- a powerful security control.
Handling privileged identity management manually for a large number of users is a time-consuming and resource-draining process and leads to mistakes and oversights, which is why many organizations invest in privileged identity management tools that monitor privileged users, sessions and applications. Not only can these products scale as the organization grows or moves into the cloud, but they can also prevent the costs of dealing with security incidents and data breaches caused by mis-assigned or abused privileges.
According to research by Technavio, a market research company based in London, the global market for privileged identity management tools is expected to grow at a compound annual growth rate of around 23% between 2018 and 2022. The increasing frequency of insider threats is a major factor driving the market's growth, while regulatory measures such as PCI DSS and HIPAA recommend or require the monitoring and enforcement of controls on high-privilege access.
How PIM works
A PIM product manages the lifecycle of all user accounts that have access to an IT infrastructure, focusing particularly on privileged accounts. It initially identifies and documents all critical IT assets, along with the privileged accounts or roles with access to them. It then ensures that rules for those accounts, such as password complexity and time of use, are enforced. Critically, it logs, monitors, and audits each privileged access request and produces alerts any time a request is deemed suspicious or inappropriate.
The ability to centrally monitor, manage and audit identities and permissions across the entire IT infrastructure keeps privileges aligned with each employee's tasks and responsibilities, greatly reducing the risk of privilege creep, where a user slowly acquires new privileges without having those from former roles removed. It can also help reduce insider threats by highlighting any unusual behavior of an on-premises privileged user. A well-implemented data classification policy will help those managing privileged identity management to set appropriate access privileges to resources within the organization. As the sensitivity of data held in various servers and databases can change over time, regular audits are essential to ensure associated privileges are realigned accordingly even when using automated role-assignment technologies.
Features to look for
The first requirement of privileged identity management tools is that they work seamlessly with all the technologies an organization uses now and plans to use in the future, which in practice means they must work across all platforms. Cloud support in PIM products is one of the key emerging trends: these products are available as infrastructure, platform or software as a service, allowing organizations of any size to have enterprise-grade security while choosing the type of capital investment they prefer.
Secondly, the PIM tool should create comprehensive account audit trails with key information displayed in easy-to-use dashboard views and reports. Administrators should be able to quickly see the number of users who are assigned to each privileged role and view live privileged role activity. The ability to check the status of users -- including their roles, location and credentials -- makes the oversight of privileged identities and accounts a lot simpler, so products that integrate with existing HR systems are a definite plus.
A correctly configured PIM tool should be able to produce enough information to allow behavior- and context-analysis tools to determine if a situation warrants a step-up authentication challenge or if an account is being misused or is under threat of compromise. Automated actions are the key to improving detection and response times, and they also reduce the security team's workload. Those PIMs that can generate instant responses allow genuine users and tasks to continue with little interruption, while inappropriate activity can be challenged or stopped before any damage can occur. The ability to adapt responses to the exact nature and context of suspicious events, instead of just locking out a user or terminating a session, allows a network to support genuine user and system activities, while containing, mitigating and eradicating the real threats.
A feature that will greatly reduce the window of opportunity for hackers to abuse stolen credentials is the ability to make someone eligible for a role on-demand or to grant just-in-time administrative access, instead of having to assign them permanently to it. This allows the user to activate the role for a predetermined amount of time when they need to perform a specific task, meaning they are not logged in to the system with unnecessary privileges the entire time.
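The enforcement, logging and alerting steps described under "How PIM works" and the just-in-time activation described above, as an added illustration that is not code from any PIM product: a minimal role broker in which eligibility is separate from standing access, an activation is time-boxed and checked at time of use, every request lands in an audit trail, and every refusal (ineligible user, off-hours request, over-long duration) raises an alert. The role name, user names, hours and durations are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    max_minutes: int      # longest single activation the role allows
    allowed_hours: range  # local hours during which activation may be requested
    eligible: set         # users who may request the role (eligibility, not standing access)

@dataclass
class Broker:
    policies: dict                               # role name -> Policy
    active: dict = field(default_factory=dict)   # (user, role) -> expiry time
    audit: list = field(default_factory=list)    # every request and expiry, granted or not
    alerts: list = field(default_factory=list)   # refusals surfaced to the security team

    def _log(self, now, user, role, outcome):
        self.audit.append({"when": now.isoformat(), "user": user, "role": role, "outcome": outcome})
        if outcome.startswith("denied"):
            self.alerts.append(f"{user} -> {role}: {outcome}")

    def activate(self, now, user, role, minutes):  # returns True only when the role is granted
        p = self.policies.get(role)
        if p is None or user not in p.eligible:
            outcome = "denied: not eligible"
        elif now.hour not in p.allowed_hours:
            outcome = "denied: outside allowed hours"
        elif minutes > p.max_minutes:
            outcome = "denied: duration exceeds policy"
        else:
            outcome = "granted"
            self.active[(user, role)] = now + timedelta(minutes=minutes)
        self._log(now, user, role, outcome)
        return outcome == "granted"

    def has_privilege(self, now, user, role):  # time-of-use check, not a standing grant
        expiry = self.active.get((user, role))
        if expiry is not None and now >= expiry:  # expired activations are dropped
            del self.active[(user, role)]
            self._log(now, user, role, "expired")
        return expiry is not None and now < expiry

def run_scenario():  # constructed walk-through; returns the outcomes for inspection
    b = Broker({"db-admin": Policy(120, range(8, 18), {"alice"})})
    t = datetime(2024, 1, 15, 10, 0)
    return {"grant": b.activate(t, "alice", "db-admin", 60),
            "in_window": b.has_privilege(t + timedelta(minutes=30), "alice", "db-admin"),
            "after_expiry": b.has_privilege(t + timedelta(minutes=60), "alice", "db-admin"),
            "outsider": b.activate(t, "bob", "db-admin", 30),
            "off_hours": b.activate(t.replace(hour=23), "alice", "db-admin", 30),
            "too_long": b.activate(t, "alice", "db-admin", 600),
            "alerts": len(b.alerts), "audit_entries": len(b.audit)}
```

In the scenario, alice holds the role only for the 60 minutes she asked for, and the three refused requests each produce an audit record and an alert while the genuine request is granted without interruption.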
The market for privileged identity management tools has plenty of players, so competition is fierce. Once your decision-makers agree on a shortlist of potential products or services that include the features and functionality required, contact the appropriate vendors and request a demonstration. For the products that demonstrate well, request a free trial. A trial period provides the opportunity to see how easily the tools can be integrated into an existing infrastructure. The responsiveness of not just the sales team but the support team as well will be an important gauge of how easy it will be to resolve any future problems that arise. Check what kind of support is offered -- free, subscription or per-issue -- as this will affect the overall cost of running the new PIM. Finally, run a check against the initial list of requirements to ensure the product can actually deliver them while running within your environment.
After a few months, the logs and reports from privileged identity management tools should provide insights into how existing security controls and policies can be refined or improved, based on real events: Should more roles require two-factor authentication, or is additional security-awareness training needed for superusers? As the number of users, contractors, third-party suppliers and devices connecting to networks continues to grow, so does the task of effectively enforcing least privilege. The correct PIM tool can make managing superusers and their privileges a lot simpler while improving the overall security of an organization's network and cloud environments.