In the wake of massive data breaches caused by user credential theft, identity and access management (IAM) has become one of the most important tools in the CSO’s toolbox.
But IAM has really been a tried-and-tested tool in the Chief Security Officer's toolbox for decades, used to improve IT operations and compliance as well as IT security. The focus and use cases have merely shifted over time, in particular toward the privileged user and his or her access and activity.
The U.S. government has rightly been promoting both multi-factor authentication, through the use of personal identity verification (PIV) credentials, and privileged access management (PAM).
One example of the government's push for PAM is a memorandum from the Office of Management and Budget (OMB) which, among its many recommendations, tightens policies and procedures for privileged users and is a driving requirement of the Department of Homeland Security Continuous Diagnostics and Mitigation program. Its recommendations include:
- Tighten privileged user policies, practices, and procedures
- Inventory and validate privileged account scope and numbers
- Minimize the number of privileged users
- Limit functions that can be performed when using privileged accounts
- Limit the duration that privileged users can be logged in
- Limit the privileged functions that can be performed using remote access
- Ensure that privileged user activities are logged and regularly reviewed
These considerations help provide agencies with an excellent way to identify high-risk privileged users and accounts.
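Several of these recommendations (a validated account inventory, session duration limits, restricted privileged functions over remote access, and reviewable logging) can be checked mechanically. The following is an added example, not code from the memorandum or from any product: it reviews a constructed, simplified key=value session log against assumed policy values and returns the findings a reviewer would look at.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the memorandum): the validated inventory
# of privileged accounts, the maximum session length, and the only
# privileged functions permitted over remote access.
PRIVILEGED_INVENTORY = {"dba_admin", "net_admin"}
MAX_SESSION = timedelta(hours=2)
REMOTE_ALLOWED = {"read_logs", "view_status"}

# Constructed sample log in a simplified key=value format (not a real product's log).
SAMPLE_LOG = """\
ts=2024-03-01T08:00:00 user=dba_admin event=session_start src=local
ts=2024-03-01T09:30:00 user=dba_admin event=function name=patch_db
ts=2024-03-01T09:45:00 user=dba_admin event=session_end
ts=2024-03-01T10:00:00 user=net_admin event=session_start src=remote
ts=2024-03-01T10:10:00 user=net_admin event=function name=change_firewall
ts=2024-03-01T13:00:00 user=net_admin event=session_end
ts=2024-03-01T14:00:00 user=old_contractor event=session_start src=remote
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def review(log_text, inventory=PRIVILEGED_INVENTORY,
           max_session=MAX_SESSION, remote_allowed=REMOTE_ALLOWED):
    """Return (user, finding) pairs for policy violations found in the log."""
    findings = []
    open_sessions = {}  # user -> (start time, access source)
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, event = rec["user"], rec["event"]
        ts = datetime.fromisoformat(rec["ts"])
        if event == "session_start":
            if user not in inventory:  # inventory and validate account scope
                findings.append((user, "account not in validated privileged inventory"))
            open_sessions[user] = (ts, rec["src"])
        elif event == "function":
            session = open_sessions.get(user)
            if session and session[1] == "remote" and rec["name"] not in remote_allowed:
                findings.append((user, f"privileged function {rec['name']} over remote access"))
        elif event == "session_end":
            session = open_sessions.pop(user, None)
            if session and ts - session[0] > max_session:  # limit logged-in duration
                findings.append((user, f"session lasted {ts - session[0]}, limit is {max_session}"))
    for user in open_sessions:  # activity must be fully logged to be reviewable
        findings.append((user, "session_start without session_end in reviewed window"))
    return findings
```

Running `review(SAMPLE_LOG)` flags the three-hour remote session that changed firewall rules and the account missing from the inventory, while the in-policy local session produces no findings.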
PAM Tips Beyond OMB Recommendations
These developments and others show that the government is heading in the right direction regarding PAM. More importantly, we see that the private sector understands the benefits of PAM because privileged users, or at least their credentials, are recognized as a high-risk factor.
Treating IAM as a SecOps (security and operations) practice establishes a more holistic approach to IT management.
Here are a few additional PAM best practices, not directly spelled out in the OMB recommendations, that highlight this.
- PAM has to be about more than just security; it has to affect everything an organization does in its day-to-day operations. It begins with policies defining which systems privileged users can access to do their jobs, and what level of privilege they really need to carry out their tasks successfully.
- PAM must enable user identification and authentication. Organizations need to set up procedures to positively identify users. Doing this allows administrators to take steps like controlling the credentials used to access the system, applying multi-factor authentication, controlling shared accounts, and enhancing background checks and identity proofing.
- Authentication and access control must be separate. This involves taking a “zero trust approach” and segmenting the network to prevent attackers from gaining broad access to resources.
- In addition to preventing unauthorized access, organizations also need to establish monitoring procedures to oversee user sessions, logins, and behavior on the network.
Security for the Application Economy
No single security solution will be 100 percent effective. But by implementing these suggestions, adopting the proposed NIST guidelines, and recognizing the relationship between security and operations, CSOs and CIOs can chart a course for securing their organizations and running their businesses optimally.
SecOps is just two-thirds of the story for security in the application economy. Secure application development is another must-have for success in the app economy. That is a topic for another day.
Is your organization viewing IAM – in particular privileged access management – as a holistic security and operations initiative? If not, you could be missing out on critical benefits and an easier path to justifying the investment.