When I talk to companies about managing the risk of privileged accounts, one of the questions that comes up at organizations with a more mature privileged access control environment is if, and when, human approval should be required for access to privileged accounts.
First, let me qualify what I mean by “more mature privileged access control environments”. These are environments where admins don’t have perpetual privileged access to all systems under their care. Instead, for a given ticket, they request access to the systems needed and they are dynamically – and more importantly – temporarily granted that access. When the approved window closes, the access is automatically revoked.
In the early days, I saw organizations implement this completely manually with a workflow app and a “fire call” desk manned by folks who don’t actually work tickets but just hand out privileged account passwords. Now it’s much more efficient, and more secure, to use privileged account/session management (PAM/PSM) systems.
Good PAM/PSM systems hold the keys to the kingdom on a set of fault-tolerant, deeply hardened physical appliances and change each privileged account’s password every time it is used. That, by the way, sharply limits the value of credentials harvested by mimikatz and similar tools: a password or hash dumped from memory is already stale by the time an attacker tries to reuse it. (It does not stop an attacker who is already on the box from riding the live session, so session recording and short windows still matter.) Such PAM systems handle the whole account request process and can automatically approve requests that meet pre-defined criteria.
But when is that not enough? When should a human be required to evaluate the
• Requester?
• System/account being requested?
• Purpose of the request?
In this Real Training for Free webinar, we will discuss the risk factors and other situations where human approval really matters, such as:
• Very high value/risk systems and processes
• To empower someone not normally authorized to address an emergency
• For systems or users whose access needs are too complex to reduce to hard-and-fast automated approval criteria
• When policies require dual-authorization
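To make the decision concrete, here is an added example (mine, not code from the webinar or from One Identity’s product) of a minimal just-in-time request evaluator. It takes a request (requester, system/account, purpose, backing ticket, requested window) and decides whether policy allows automatic approval or how many distinct human approvers are needed, covering the four cases above: high-value systems, emergency access for someone not normally authorized, requests that fall outside simple criteria (no ticket, over-long window), and dual authorization. Grants are time-boxed so revocation is implicit. All system names, users and policy values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy data for illustration; a real PAM system would pull
# these from its directory, CMDB and policy store.
HIGH_VALUE_SYSTEMS = {"pci-db01", "ad-dc01"}   # always needs a human look
DUAL_AUTH_SYSTEMS = {"ad-dc01"}                # policy requires two approvers
ENTITLEMENTS = {                               # who is normally authorized where
    "alice": {"web01", "web02"},
    "bob": {"pci-db01"},
}
MAX_AUTO_APPROVE_HOURS = 4                     # longer windows get a human


@dataclass
class Request:
    requester: str
    system: str
    purpose: str               # free-text justification
    ticket: Optional[str]      # change/incident ticket backing the request
    hours: int                 # requested access window
    emergency: bool = False    # break-glass flag set by the requester


@dataclass
class Decision:
    auto_approved: bool
    approvals_required: int    # 0 = automatic, 1 = single, 2 = dual
    reasons: list = field(default_factory=list)


@dataclass
class Grant:
    requester: str
    system: str
    approvers: tuple
    expires_at: datetime


def evaluate(req: Request) -> Decision:
    """Decide whether the request can be approved automatically and, if not,
    how many distinct human approvers policy requires."""
    required = 0
    reasons = []

    def need(n, why):
        nonlocal required
        required = max(required, n)
        reasons.append(why)

    if req.system in HIGH_VALUE_SYSTEMS:
        need(1, "high-value system")
    if req.system not in ENTITLEMENTS.get(req.requester, set()):
        # Emergency access for someone not normally authorized is allowed,
        # but only with a human in the loop.
        suffix = " (emergency)" if req.emergency else ""
        need(1, "requester not normally authorized" + suffix)
    if not req.ticket:
        need(1, "no backing ticket")
    if req.hours > MAX_AUTO_APPROVE_HOURS:
        need(1, "window exceeds auto-approve limit")
    if req.system in DUAL_AUTH_SYSTEMS:
        need(2, "dual-authorization policy")

    return Decision(auto_approved=(required == 0),
                    approvals_required=required, reasons=reasons)


def issue_grant(req: Request, decision: Decision, approvers: tuple,
                now: datetime) -> Grant:
    """Issue a time-boxed grant once the required approvals are present.
    Approvers must be distinct people and may not include the requester."""
    distinct = {a for a in approvers if a != req.requester}
    if len(distinct) < decision.approvals_required:
        raise PermissionError(
            f"{decision.approvals_required} distinct approver(s) required, "
            f"got {len(distinct)}: {'; '.join(decision.reasons)}")
    return Grant(req.requester, req.system, tuple(sorted(distinct)),
                 now + timedelta(hours=req.hours))


def is_active(grant: Grant, now: datetime) -> bool:
    """Access is valid only inside the window; nothing has to 'revoke' it."""
    return now < grant.expires_at


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    routine = Request("alice", "web01", "patch deploy", "CHG-1001", 2)
    print(evaluate(routine))            # auto-approved, no reasons
    breakglass = Request("carol", "ad-dc01", "DC down, bob unreachable",
                         "INC-2002", 1, emergency=True)
    d = evaluate(breakglass)
    print(d)                            # two approvals: not entitled, high value, dual auth
    g = issue_grant(breakglass, d, ("dave", "erin"), now)
    print(is_active(g, now + timedelta(minutes=30)),
          is_active(g, now + timedelta(hours=2)))
```

The point of the `distinct` check in `issue_grant` is that dual authorization is only meaningful if the two approvals come from two different people, neither of whom is the requester; a workflow that lets the same approver click twice satisfies the letter of the policy and none of its intent.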
I particularly like the point about “empowering someone not normally authorized to address an emergency”. This situation is frequently cited as pushback against implementing stricter controls over privileged accounts, and it’s a legitimate concern. When the business is down because of an IT problem, management doesn’t want to hear that no one can work on it because they don’t have a key password.
However, introducing human approval can make the problem even worse if it’s implemented in a ham-fisted way that doesn’t take into account the realities of the modern workplace. What if none of the approvers are in the office? What if they aren’t looking at their email?
That’s where my sponsor, One Identity, comes in. Tyler Reese will briefly show you how their new One Identity Safeguard uses push notifications and secure use of the cloud to let approvers approve (or deny) privileged session requests wherever and whenever. No need to be in the office, no need to boot up a laptop, start a VPN session and log on to an app.
Please join me for this Real Training for Free event, in which we delve into how to securely manage privileged access without getting in the way of productivity, while still handling the situations that arise in the real world.