When it comes to evaluating their security perimeter, many companies focus on external threats and overlook internal ones. Yet despite the various sophisticated threats that exist, human error is still a common cause of security comprises. This is particularly critical as companies set up privileged accounts, which give superusers a far greater amount of access to classified company information. These risks only grow as companies begin to provide privileged access to contractors, vendors and other partners. According to Gartner, more than half of security failures associated with IaaS and PaaS will be the result of companies failing to adopt privileged access management technology and processes.
We’ve previously outlined best practices for setting up privileged access management. Below, we outline important considerations for expanding your identity protocols to your privileged users, which will help mitigate potential threats from within the organization.
Extend your company’s identity governance to privileged accounts
To start, companies need to outline a clear Identity Governance and Administration (IGA) protocol. This should be applied to all employees to minimize the risk of internal threats by specifying the correct level of access. It’s particularly important for privileged users.
Access discovery - First, identify who has access to what. This involves harvesting user accounts and permissions from sources you control, as well as reconciling user identity and sensitive account information from other target resources and systems that you don’t have control over. From this information, it’s important to create a master catalog so your access certifiers can easily read the information they need and certify that access.
Identity administration - Once you’ve cataloged your user identities and permissions, you then need to manage their lifecycles. Better known as user provisioning and deprovisioning, this involves understanding and managing your accounts, your groups, the relationships between these accounts and groups, as well as entitlements and attributes across various applications.
Access requests and approvals - Depending on the situation, users may need to request ad hoc entitlement outside of your rules based provisioning process set up in the previous step. This access request based provisioning requires a formal process where users can self-service request access to specific applications and manager or sponsors can grant that access without IT’s involvement. At the same time, IT must have visibility and auditing controls into who is requesting what and who is authorizing those requests.
Access certification - Finally, there must be ongoing auditing of entitlements to prevent entitlement creep over time. Access certification campaigns ensure users have the correct level of access and should be run on a periodic basis to observe ongoing access patterns and privileges. This can be done on a regular basis, whether annually, semi-annually, or quarterly. These certifications can also focus on something specific that you think is a priority (for example, financial security).
Access reporting - The results of the access certification campaigns are the reports that can be handed over to external and internal auditors. Here, you can begin to check for any anomalies and discover the parts of your system where your key risks lie. If an internal breach has already occurred, this will allow you to easily determine where, when, and how it took place.
Apply IGA to lifecycle management
Identity is the new security perimeter. If someone is given the wrong access to the wrong resource, this could lead to an unintentional (or intentional) security breach. If a terminated employee is not properly deprovisioned from your system, this creates the risk of misconduct with your files – one that is heightened when users have privileged access to highly confidential information.
Secure this by applying strong IGA practices to the lifecycle of each identity and each resource. Someone’s identity lifecycle may be longer than their resource lifecycle, often when they change to a different position within the company. This requires flexibility within your lifecycle management solution as well.
Click here for more information on Okta’s Lifecycle Management – a streamlined solution for implementing and managing your Identity Governance and Administration (IGA) protocol.
Don’t look the other way
Privileged accounts represent one of the biggest threats to companies today because of the information they are privy to. A robust IGA protocol provides the structure IT teams need while a lifecycle management solution gives privileged employees the secure ease of access to information they require and IT teams the visibility to monitor inside threats. Don’t wait until it becomes a necessity to implement these best practices – the stakes are simply too high.
If you want Okta to take charge of your Privileged Access Management and protect you from a variety of other data breaches, learn more about what our platform can do for you.