Privileged Access Management
High privilege accounts are a growing security concern, particularly for organizations that must adhere to corporate governance and compliance regulations. Administrative, Super User, Root, and Fire-Call accounts provide the nearly-unlimited access to system resources that is essential for everyday and emergency IT operations, but are frequently shared and poorly controlled. As a result, organizations are left wide open to compliance violations, privacy breaches, and fraud. For organizations to close the security and compliance loop, part of the overall strategy must include a process for monitoring and managing highly-privileged accounts. The bottom line is that without an automated privileged access management solution, an organization cannot demonstrate either security or compliance for these accounts.
Privileged Access Management Challenges
Organizations face many challenges.
- Insufficient oversight and audit: Most organizations lack appropriate controls to regulate the privileges and usage of highly-privileged accounts. Yet regulations such as Sarbanes-Oxley, HIPAA, J-SOX and GLBA dictate that organizations be able to prove who had access to which data and resources, when, why, and who approved their access and entitlements.
- Shared access to account IDs and passwords: Many organizations create a small pool of highly-privileged accounts that are shared among several people. The typical problem with shared accounts is that everyone uses the same ID and password, which creates compliance challenges as it is impossible to determine who has access to the accounts and who actually performed a specific action.
- Inappropriate Segregation of Duties: The IT resource staff that use and maintain highly-privileged accounts are typically the largest holders of informational access in any organization. Certain highly-privileged accounts, especially those designed for emergency operations and incident handling, can allow misuse to go virtually undetected or untraceable to any individual. Organizations must often choose between compliance and the ability to quickly recover or troubleshoot issues.
- Self-enforcement of the Principle of Least Privilege: Some administrative-level users choose to use a highly-privileged account for everyday activities instead of their general user account, as it eliminates the time and interruption needed to acquire the highly-privileged account, continually re-enter passwords, etc. This practice unnecessarily increases an organization's level of exposure in the event the highly-privileged account is compromised or errors are inadvertently committed.
- Hard-coded IDs and Passwords: Administrative IDs and passwords are sometimes embedded in programs or scripts for automated processes, or kept in configuration files, without being changed according to policy. This increases the likelihood of attackers finding passwords, since scripts and configuration files are rarely protected as carefully as the accounts they reference.
Fischer's Privileged Access Management (PAM) solves the problem of managing highly-privileged accounts. The solution provides the control, auditing, and compliance required for securing and managing access to administrative and other highly-privileged or shared accounts, including temporary accounts. As part of Fischer's Global Identity Architecture™, PAM can be extended to take full advantage of Fischer Identity's core capabilities (provisioning, password management, compliance, etc.) and infrastructure components (policies, workflows, connectors, etc.) to provide better control and security with less overhead. For example, PAM:
- Provides accountability and avoids material weaknesses: Control and track privileges across multiple shared accounts. Track account usage back to a specific user.
- Discourages casual use of privileged accounts: All account privileges are recorded and subject to approval/review of managers and system owners, discouraging use of privileged accounts for routine operations.
- Accelerates and simplifies audits: Data is stored in Fischer's audit database and is easily incorporated into compliance reports.
- Never embed passwords within scripts: PAM eliminates the need to hardcode administrative IDs and passwords within scripts and programs.
- Self-documenting internal controls: Automatically documents the compliance process detailing: who can perform administrative tasks, when and who approved their access, and the rationale and approval history for the accounts.
Fischer Privileged Access Management offers a simple and cost-effective capability for organizations to improve security and automate privileged compliance.
How Privileged Access Management Works
PAM enables organizations to conveniently maintain small pools of highly-privileged accounts instead of creating and managing a large number of user-specific accounts. When an authorized user needs access to a highly-privileged account, s/he simply opens the PAM web interface and requests the type of account required, for which period of time, and specifies why the account is needed. Depending on the organization’s rules and the requester’s attributes, the requester could receive access immediately, upon approval by the System Owner through Dual Control, or after a specified period of time. Automated (fire-call) approval can be desirable when, for example, an emergency situation occurs in the middle of the night and no approver is available. Pre-assigned persons can automatically receive the access they need for a limited period of time. Requests can also be automatically rejected if not approved within the specified period of time or can be automatically escalated to another approver. In any case, the System Owner retains full control and can easily revoke access that has been granted to accounts. Refer to Figure 1.
PAM includes a complete audit record of exactly who can perform administrative and other highly-privileged functions, for which periods of time, why the functions were needed, who approved the privileges, and why the requests were approved. When combined with provisioning, administrators can specify that account passwords are changed every X minutes / hours for enhanced security and control. All events are audited whether they occur at an end-user interface, at a connected system or on the Fischer server. This incorporates all actions taken by requesters and approvers including comments regarding why accounts were needed and why approvers took specific actions. Auditors can quickly see the full scope of compliance. PAM simplifies the auditing process by proving that most highly-privileged accounts are inactive for long periods of time. PAM also enables periodic recertification of accounts including permanent administrative and other highly-privileged accounts. End users and System Owners can automatically receive email notifications regarding accounts whose access has been approved, relinquished, rejected, automatically expired, is about to expire, etc.
Privileged Access Management is secure. System Owners specify which requesters can view / request specific resources and can approve / reject / revoke the use of any highly-privileged accounts. Most systems allow highly-privileged accounts with appropriate permissions to provide administrative functions with no need to divulge the root password. PAM never stores user passwords, and IT operations personnel no longer need to handle user passwords or allocate accounts; PAM also never divulges passwords to anyone, including super user administrators. When combined with Fischer Automated Role & Account Management™ (provisioning), a new account can be created, assigned appropriate privileges and protected by a randomly-generated password that no one knows. Once a highly-privileged account has been approved, PAM enables the requester to securely change the password to a value that complies with the organization’s password policies for the system, including minimum and maximum length, dictionary check, and password composition such as the number of alpha characters, numerals, special characters, etc. PAM can be configured to automatically change the password when a highly-privileged account is revoked or relinquished, so that no one can use the account without approval, including super user administrators. All communication with connected systems and applications is protected by WS-Security (PKI) and/or TLS/SSL.
Privileged Access Management eliminates the need to hard code passwords into scripts that must authenticate to systems, databases or applications. When authentication is required, PAM provides the current password via a secure web-services channel. Without this capability, system passwords can be exposed to persons having access to the scripts, and organizations cannot assure auditors they know who has access to their administrative accounts or who performed a specific task. PAM also enables rapid, flexible implementation as it requires no agents or other software on client workstations or on servers of applications being connected.
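The request / approve / time-box / relinquish / rotate cycle described in the preceding paragraphs, together with the run-time password fetch that replaces hard-coded credentials in scripts, as one added example in Python. This is illustrative code written for this page, not Fischer's PAM code, and it says nothing about how the product is built internally. The account name, the fire-call roster, the registered-service list and the dictionary word list are constructed for the example, and a fake clock makes the run repeatable.

```python
"""Toy checkout vault modelling the lifecycle described above (added example,
not Fischer PAM code). Names, rosters and the weak-word list are constructed."""
import secrets
import string
from datetime import datetime, timedelta, timezone

POLICY = dict(min_len=16, max_len=24, upper=2, lower=2, digits=2, special=2)
SPECIAL = "!@#$%^&*-_=+"
WEAK_WORDS = {"password", "admin", "welcome", "letmein"}   # constructed dictionary check
FIRE_CALL_USERS = {"oncall-dba"}   # pre-assigned emergency requesters (assumed roster)
SERVICE_IDS = {"nightly-backup"}   # jobs allowed to fetch a password at run time (assumed)


def complies(pw, policy=POLICY):
    """Length, composition and dictionary checks, as the text lists them."""
    counts = {"upper": sum(c.isupper() for c in pw), "lower": sum(c.islower() for c in pw),
              "digits": sum(c.isdigit() for c in pw), "special": sum(c in SPECIAL for c in pw)}
    return (policy["min_len"] <= len(pw) <= policy["max_len"]
            and all(counts[k] >= policy[k] for k in counts)
            and not any(w in pw.lower() for w in WEAK_WORDS))


def generate(policy=POLICY):
    """CSPRNG password (secrets, never random): draw each required class explicitly,
    fill from the full alphabet, shuffle so class positions are unpredictable,
    and redraw if the dictionary check trips."""
    pools = [(string.ascii_uppercase, policy["upper"]), (string.ascii_lowercase, policy["lower"]),
             (string.digits, policy["digits"]), (SPECIAL, policy["special"])]
    if policy["min_len"] < sum(n for _, n in pools):
        raise ValueError("min_len shorter than the composition rules require")
    alphabet = "".join(p for p, _ in pools)
    while True:
        chars = [secrets.choice(p) for p, n in pools for _ in range(n)]
        length = policy["min_len"] + secrets.randbelow(policy["max_len"] - policy["min_len"] + 1)
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        for i in range(len(chars) - 1, 0, -1):          # Fisher-Yates driven by secrets
            j = secrets.randbelow(i + 1)
            chars[i], chars[j] = chars[j], chars[i]
        pw = "".join(chars)
        if complies(pw, policy):
            return pw


class Vault:
    """Holds each account's current password; it leaves only via an audited checkout or fetch."""

    def __init__(self, clock):
        self.clock, self._passwords, self.grants, self.audit = clock, {}, {}, []

    def _log(self, event, **fields):
        self.audit.append({"ts": self.clock().isoformat(), "event": event, **fields})

    def onboard(self, account):
        self._passwords[account] = generate()            # random value nobody knows
        self._log("onboard", account=account)

    def checkout(self, account, requester, reason, minutes, approver=None):
        """Dual control unless the requester is fire-call (auto-approved); one grant at a time."""
        self.expire_overdue()
        if account in self.grants:
            self._log("denied", account=account, requester=requester, why="already checked out")
            return None
        if requester in FIRE_CALL_USERS:
            approver = "fire-call:auto"
        elif approver is None:
            self._log("denied", account=account, requester=requester, why="no approver")
            return None
        expires = self.clock() + timedelta(minutes=minutes)
        self.grants[account] = {"requester": requester, "approver": approver, "expires": expires}
        self._log("checkout", account=account, requester=requester, approver=approver,
                  reason=reason, expires=expires.isoformat())
        return self._passwords[account]

    def checkin(self, account, actor, why):
        """Relinquish, revoke or expire: rotate so the old holder cannot reuse the value."""
        grant = self.grants.pop(account, None)
        if grant is None:
            return False
        self._passwords[account] = generate()
        self._log("checkin", account=account, holder=grant["requester"], by=actor, why=why)
        return True

    def expire_overdue(self):
        for account, grant in list(self.grants.items()):
            if grant["expires"] <= self.clock():
                self.checkin(account, "system", "expired")

    def fetch_for_script(self, account, service_id):
        """What a job calls at run time instead of embedding the password in a script."""
        if service_id not in SERVICE_IDS:
            raise PermissionError(service_id)
        self._log("fetch", account=account, requester=service_id)
        return self._passwords[account]


def demo():
    """02:00 fire-call request, time-boxed access, expiry with rotation, then a scripted fetch."""
    now = [datetime(2012, 5, 1, 2, 0, tzinfo=timezone.utc)]   # fake clock for a repeatable run
    vault = Vault(lambda: now[0])
    vault.onboard("root@db01")
    denied = vault.checkout("root@db01", "alice", "patching", 30)           # no approver
    pw1 = vault.checkout("root@db01", "oncall-dba", "disk full", 30)        # auto-approved
    blocked = vault.checkout("root@db01", "bob", "curious", 30, approver="owner")
    now[0] += timedelta(minutes=31)
    vault.expire_overdue()                                                  # rotates password
    pw2 = vault.fetch_for_script("root@db01", "nightly-backup")
    return {"denied": denied, "blocked": blocked, "rotated": pw1 != pw2,
            "pw_ok": complies(pw1) and complies(pw2), "events": [e["event"] for e in vault.audit]}
```

Two points the paragraphs leave implicit are visible here: rotation on check-in is what actually ends the old holder's access (the grant record alone does not), and the script-side fetch is audited under a registered service identity, which is what lets an auditor answer "who used this account" for automated jobs as well as people.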
Benefits of Privileged Access Management
PAM eliminates the risk of compliance violations, privacy breaches, and fraud due to shared accounts, and only PAM leverages the power of Fischer's Global Identity Architecture™ to provide the following benefits:
- Ensures compliance with regulations through preventive, detective and corrective controls as well as audit of the controls and access privileges.
- Improves productivity and the user experience by automating the management of access to privileged and shared accounts.
- Establishes accountability by enforcing consistent policies for acquiring access to accounts.
- Eliminates the risk of anonymous logins to privileged and shared accounts regardless of whether the systems and applications are on-premise, hosted or SaaS.
- Enforces the Least Privilege principle by enabling access to highly-privileged accounts only when needed.
- Provides agility to quickly accommodate changed business processes.
Document MCB-07-260J: May 2012
Copyright © 2007-2012 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Managed Identity Services, Managed Identity Services Technology, Identity as a Service, IaaS, the Fischer International Logo, Global Identity Architecture, Built for Business…Yours, and all other Fischer product or service names are the trademarks and/or registered trademarks of Fischer International Identity.