This is the fourth in a weekly four-part series providing best practices for an effective Privileged Identity Management program.
Part one of the series provided an introductory overview of Privileged Identity Management. In part two we moved to the basic checklist items required for a successful Privileged Identity Management program. In the third part of the series, we covered taking Privileged Identity Management to the next level, as part of a proactive cyber defense strategy.
Download the white paper Best Practices in Privileged Identity Management to get your complete guide to securing privileged identities.
Now we’ll take a look at the three practices we regularly see in the most mature Privileged Identity Management programs.
Scale Up to Manage Privileges at Every Endpoint
This is likely the simplest advice you can get: take what works and do as much of it as you can. Whether your network is one building or a global network of millions of endpoints and systems, Privileged Identity Management applies to every corner of your IT infrastructure. So, take it there. The goal should be full deployment.
This has a few implications. Your Privileged Identity Management product must be able to handle that scale. And you must design your deployment to suit the needs of that scale. These go hand in hand.
A common error is to have the goal of full deployment from the start, but to test systems as if they will only be in one small layer of the network. When you test, test big. Unlike many cyber security systems, Privileged Identity Management is something you should load test from the very start – before you even invest in a solution.
In a world where the bad guys attack fast and with automation, Privileged Identity Management needs to react even faster and with more automation. You won’t know if your solution can accomplish this unless you try it in your specific configurations.
This also means you need to design your Privileged Identity Management solution to touch everything it will ultimately affect right from the start. Many start off their projects with only easy targets like Windows-based user systems. But you should test and design with everything from your largest mainframes to your oddest cloud-based systems and smallest network devices in mind from the start, too. If you do this correctly in design and test, you can scale up without challenges later.
Manage Embedded Credentials
The reason this falls into the advanced practices is the difficulty of doing it thoroughly. The technical task of orchestrating this sort of network password management is complex, but it’s not even the most complex part. Often negotiations with the people who run these systems comprise most of the difficulty. They embedded those passwords in clear text for their own convenience. Offering a persuasive argument to make them change that practice will be a challenge without a mandate from above.
Other factors can often help you get traction here. Pick a group with particularly high risk and high visibility that will be more receptive to the idea of proactive cyber security. If you can make this comprehensive approach part of one group’s success, then others will sign on, too.
In order to get the best reception for this, make sure your platform has a lot of options to enable a smooth transition. There should be ways to call for credentials securely from any kind of script, any sort of connection protocol, and via all the latest forms of integration (SOAP, JSON, etc.).
It’s also good to keep in mind that anything is better than a password in clear text. So if the application needs to have a slightly less secure method to communicate than the highest level of security your system can do, that’s still an improvement. Progress should always be preferred to perfection – especially in advanced cyber security programs.
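The following is an added example, not code from the original post or from Lieberman Software, of what "calling for credentials securely from a script" looks like in practice: the script holds no password at all, only an API token, and asks a vault's JSON API for the credential at run time. The vault URL, the bearer-token check, the /credentials/<account> path and the response fields are assumptions made for this example (a constructed stand-in vault runs on loopback so the code works offline); a real platform's API will differ.

```python
"""Added example: fetch a privileged credential from a vault's JSON API
at run time instead of embedding it in clear text in the script.

Everything about the vault here (endpoint, bearer token, response
shape) is a constructed assumption for illustration, not a real API.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# ---- Constructed stand-in for the vault (loopback only) -------------------
VAULT_TOKEN = "example-api-token"  # constructed; a real token comes from the platform
VAULT_STORE = {                    # constructed sample entries
    "svc_backup@db01": {
        "username": "svc_backup",
        "password": "R0tated-Example!",
        "ttl_seconds": 900,
    },
}


class MockVault(BaseHTTPRequestHandler):
    """Answers GET /credentials/<account> with JSON; refuses bad tokens."""

    def do_GET(self):
        if self.headers.get("Authorization") != f"Bearer {VAULT_TOKEN}":
            self._send(401, {"error": "unauthorized"})
            return
        account = self.path.removeprefix("/credentials/")
        entry = VAULT_STORE.get(account)
        if entry is None:
            self._send(404, {"error": "unknown account"})
            return
        self._send(200, entry)

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_vault():
    """Start the stand-in vault on an ephemeral loopback port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# ---- The part the operational script would actually contain ---------------
# Clear-text pattern this replaces (do not do this):
#     DB_PASSWORD = "hunter2"
def fetch_credential(vault_url, api_token, account):
    """Ask the vault for `account`; the secret exists only in memory."""
    req = request.Request(
        f"{vault_url}/credentials/{account}",
        headers={"Authorization": f"Bearer {api_token}",
                 "Accept": "application/json"},
    )
    try:
        with request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read())
    except error.HTTPError as exc:
        # Surface refusals instead of silently falling back to a hardcoded value.
        raise PermissionError(f"vault refused {account}: HTTP {exc.code}") from None


def connect_to_database(host, cred):
    """Placeholder for the real client call; the password never touches disk."""
    return f"connected to {host} as {cred['username']}"


def demo():
    server, url = start_mock_vault()
    try:
        cred = fetch_credential(url, VAULT_TOKEN, "svc_backup@db01")
        return connect_to_database("db01", cred)
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(demo())
```

The API token that replaces the password still needs protecting (file permissions, a service account's own identity, or platform-specific bootstrapping), but it is short-lived, scoped to the accounts the script is allowed to ask for, and rotating the database password no longer requires touching the script.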
Integrate Privileged Identity Management with IGA (Identity Governance and Administration) and IAM (Identity Access Management)
Ultimately, privileged identities are going to have a deep relationship with user identities. But they are not the same. User identities map to a single human. Privileged identities are by their nature mapped to many people, devices and other technological entities.
That’s why Identity Access Management and Privileged Identity Management are different. But the governance layer that IGA introduces holds a great deal of promise for combining the best of both systems to offer a tightly integrated approach to the lifecycle of all identities.
And it can be driven by business-minded choices made from the top down. A policy that enforces how and when an authorized IT administrator has access to a privileged identity is the realm of Privileged Identity Management. How does that administrator become “authorized?”
This is a business decision, and it’s exactly the type of choice that IGA can manage and track. As people change roles and eventually leave the organization, governance allows the business to keep the security of the organization intact at every lifecycle decision point. The advice is simple: if you have IGA or will be adopting it, make sure you include integration of Privileged Identity Management in the picture.
During this four-part series, we’ve looked at hard-won Privileged Identity Management best practices that we gleaned from the successes and failures of our own customers. If applying all of this to your organization seems daunting, be assured that no one we’ve run into is currently doing all of this at once. Some come close. And the best aspire to do it all.
Above all, hopefully these best practices will help you win some tough battles in the cyber war we all find ourselves fighting.
Learn More About Privileged Identity Management
If you’d like to see for yourself how it all works, please request a demo from Lieberman Software.
You can also read the authoritative guide – Best Practices in Privileged Identity Management.
If you like this topic, please subscribe to our Cyber Defense Newsletter.
You can also follow us on Twitter.