Privileged Identity Management
Encyclopedia
Privileged Identity Management (PIM) is a domain within Identity Management
focused on the special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as an Information Security
and governance
tool to help companies in meeting compliance
regulations and to prevent internal data breaches through the use of privileged accounts. The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization or industry.
Please also see Privileged password management
-- since the usual strategy for securing privileged identities is to periodically scramble their passwords; securely store current password values and control disclosure of those passwords.
, authorization
, password management
and monitoring.
The intruders profiled in the report combine zero-day vulnerabilities developed in-house with clever social exploits to gain access to individual computers inside targeted networks. Once a single computer is compromised, the attackers exploit "highly privileged administrative accounts" throughout the organization until the infrastructure is mapped and sensitive information can be extracted quickly enough to circumvent conventional safeguards.
Privileged account passwords that are secured by a privileged identity management framework so as to be cryptographically complex, frequently changed, and not shared among independent systems and applications offer a means to mitigate the threat to other computers that arises when a single system on a network is compromised.
Privileged identity management software frameworks manage each of the special requirements outlined above including discovery, authentication, authorization, password management with scheduled changes, auditing and compliance reporting. The frameworks generally require administrators to check out privileged account passwords before each use, prompting requesters to document the reason for each access and re-randomizing the password promptly after use.
In doing so privileged identity management software can guard against undocumented access to configuration settings and private data, enforce the provisions of IT service management practices such as ITIL
, and provide definitive audit trails to prove compliance with standards such as HIPAA 45 § 164.308(1)(D) and PCI-DSS 10.2. In addition, the more advanced frameworks also perform discovery of interdependent services, synchronizing password changes among interdependent accounts to avoid service disruptions that would otherwise result.
Identity management
Identity management is a broad administrative area that deals with identifying individuals in a system and controlling access to the resources in that system by placing restrictions on the established identities of the individuals.Identity management is multidisciplinary and covers many...
focused on the special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as an Information Security
Security
Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition. The Institute for Security and Open Methodologies in the OSSTMM 3 defines security as "a form of protection...
and governance
Governance
Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance. It consists of either a separate process or part of management or leadership processes...
tool to help companies in meeting compliance
Compliance (regulation)
In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and...
regulations and to prevent internal data breaches through the use of privileged accounts. The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization or industry.
Please also see Privileged password management
Privileged password management
Privileged password management software may be deployed by organizations to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value...
-- since the usual strategy for securing privileged identities is to periodically scramble their passwords; securely store current password values and control disclosure of those passwords.
Types of Privileged Identities
The term “Privileged Identities” refers to any type of user or account that holds special or extra permissions within the enterprise systems. Privileged identities are usually categorized into the following types:- Generic/Shared Administrative Accounts – the non-personal accounts that exist in virtually every device or software application. These accounts hold “super user” privileges and are often shared among IT staff. Some examples are: Windows Administrator user, UNIX root user, and Oracle SYS account.
- Privileged Personal Accounts – the powerful accounts that are used by business users and IT personnel. These accounts have a high level of privilege and their use (or misuse) can significantly affect the organization’s business. Some examples are: the CFO’s user, DBA user.
- Application Accounts – the accounts used by applications to access databases and other applications. These accounts typically have broad access to underlying business information in databases.
- Emergency Accounts – special generic accounts used by the enterprise when elevated privileges are required to fix urgent problems, such as in cases of business continuityBusiness continuityBusiness continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions. These activities include many daily chores such as project management,...
or disaster recoveryDisaster recoveryDisaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity...
. Access to these accounts frequently requires managerial approval. Also called: fire-call IDs, break-glass users, etc.
Special Requirement of Privileged Identities
A Privileged Identity Management technology needs to accommodate for the special needs of privileged accounts, including their provisioning and life cycle management, authenticationAuthentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
, authorization
Authorization
Authorization is the function of specifying access rights to resources, which is related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define access policy...
, password management
Password management
There are several forms of software used to help users or organizations better manage passwords:* Intended for use by a single user:** Password manager software is used by individuals to organize and encrypt many personal passwords...
and monitoring.
- Provisioning and life cycle management – Handles the access permissions of a personal user to shared/generic privileged accounts based on roles and policies.
- Authentication – controls the strong authentication of privileged identities. Specifically it is providing applications with a secure alternative to static passwords.
- Authorization – manages powerful permissions and the workflow of providing them, sometimes on-demand, to privileged identities.
- Password Management – enforces password policies on Privileged Identities, which unlike regular identities may not be associated with a single person or may be shared among a few.
- Auditing – provides the detailed auditing for actions taken by privileged users. This may include recording of the user’s session as well as creating correlation between a generic/shared account and a person.
Risks of Unmanaged Privileged Identities
A 2009 report prepared for a US congressional committee by Northrop Grumman Corporation details how US corporate and government networks are compromised by overseas attackers who exploit unsecured privileged identities. According to the report, "US government and private sector information, once unreachable or requiring years of expensive technological or human asset preparation to obtain, can now be accessed, inventoried, and stolen with comparative ease using computer network operations tools."The intruders profiled in the report combine zero-day vulnerabilities developed in-house with clever social exploits to gain access to individual computers inside targeted networks. Once a single computer is compromised, the attackers exploit "highly privileged administrative accounts" throughout the organization until the infrastructure is mapped and sensitive information can be extracted quickly enough to circumvent conventional safeguards.
Privileged account passwords that are secured by a privileged identity management framework so as to be cryptographically complex, frequently changed, and not shared among independent systems and applications offer a means to mitigate the threat to other computers that arises when a single system on a network is compromised.
Privileged Identity Management Software
Because common Identity access management frameworks do not manage or control privileged identities, privileged identity management software began to emerge after the year 2000.Privileged identity management software frameworks manage each of the special requirements outlined above including discovery, authentication, authorization, password management with scheduled changes, auditing and compliance reporting. The frameworks generally require administrators to check out privileged account passwords before each use, prompting requesters to document the reason for each access and re-randomizing the password promptly after use.
In doing so privileged identity management software can guard against undocumented access to configuration settings and private data, enforce the provisions of IT service management practices such as ITIL
Itil
Itil may mean:*Atil or Itil, the ancient capital of Khazaria*Itil , also Idel, Atil, Atal, the ancient and modern Turkic name of the river Volga.ITIL can stand for:*Information Technology Infrastructure Library...
, and provide definitive audit trails to prove compliance with standards such as HIPAA 45 § 164.308(1)(D) and PCI-DSS 10.2. In addition, the more advanced frameworks also perform discovery of interdependent services, synchronizing password changes among interdependent accounts to avoid service disruptions that would otherwise result.
External links
- "Generic accounts are your SIEM blind spot" Article (article written by Philip Lieberman and published in ComputerWorld 30 June 2011)
- "Why Privileged Identity Management Implementations Fail" Article (published on a Blog sponsored by Lieberman Software)
- “Take Control of Your Business with Privilege Centric Risk Assessment” Whitepaper (white paper plus sales pitch from Cyber-Ark)
- “Secure Your Cloud and Outsourced Business with Privileged Identity Management” Whitepaper (white paper plus sales from Cyber-Ark)
- "Best Practices for Managing Privileged Passwords" Whitepaper (white paper; no sales pitch from Hitachi ID Systems)
- "Privileged Identities Explained" Video (slide presentation with voice-over from Lieberman Software)