In a digitally-driven business world, today’s infrastructure, applications and networks are spread across on-premise and in the cloud environments, with mobile and virtual elements. With such a dynamic set of circumstances, identifying and safeguarding critical “crown jewel” assets and their access becomes a key risk mitigating control to proactively address security risks. A first step in mitigating this risk is to understand the footprint of the organization.
In our last IAM Best Practices blog, Julie Talbot-Hubbard discussed how organizations can decide where to start with automating the provisioning and de-provisioning processes for identities. These types of identities are further described by Tom Malta in his blog. This blog will focus on how to start a discovery process for both critical and non-critical assets and prepare for a successful Privileged Access Management (PAM) implementation.
Privileged access is top of mind for many CISO’s, as it carries a significant risk and they are primary target for attackers. A privileged account (e.g.; domain admin, root, database admin, local admin, service account, etc.,) is any account that has more privileges than a standard user account, which has the authority to manage configurations, security settings, databases, application access, etc.
The first step in managing these accounts is to understand and gain insight into the environment and where these accounts are currently being used.
“The industry has come back to saying you can’t secure what you don’t know you have,” said my industry colleague Adam Bosnian, executive vice president of global business development at CyberArk and IDSA executive board member. “It falls under the identity security umbrella we are pushing at IDSA.”
The tools for discovery
Most vendors provide a tool to perform an automated discovery process, but all tools are not created equal. Pick a tool that aligns with your ecosystem and provides you with comprehensive results that outline an accurate look into the current state of privilege accounts in your environment.
Privileged accounts are spread across multiple components in any environment. Plan a strategy and approach to discover various types of privileged accounts in your environment, that are spread across infrastructure components (operating systems, domain controllers, network devices), application components (databases, APIs, scripts, programs, legacy applications), local admin accounts on end user devices, cloud applications (IaaS, PaaS and SaaS), social media accounts, SSH keys and 3rd party vendor access.
Once you have completed a baseline inventory on your network, categorize those accounts based on the criticality and risk. Then you can begin the journey to secure access to those privileged accounts. Create an implementation plan that starts with most sensitive privileged accounts first, which can include root accounts on Unix/Linux, Active Directory admin accounts, virtualization admin accounts, database accounts for mission critical applications, local admin accounts on end user devices. When your most sensitive accounts have been accounted for, then you can expand the scope to include additional privileged accounts on an ongoing basis to cover all in-scope privileged accounts and credentials.
Keep in mind this is not a one and done process. Organizations must incorporate a plan to have an ongoing discovery mechanism. Adopting an automated discovery mechanism can help keep up with the changes introduced into the environment, and this process can be embedded into the asset and services lifecycle management.
About the Author: Narendra Patlolla, Leader Information Security, Identity and Security Architecture at Brighthouse Financial, has over 20 years of progressive experience in the identity and security discipline. He previously held key leadership roles in information security, where he established identity and security architecture programs and has extensive experience with both custom built and off the shelf identity management products. Narendra is a member of the IDSA Customer Advisory Board.