There will always be people who need to be granted access to privileged accounts. In fact, many organizations accept that some privileged access accounts cannot be fully controlled. In many cases, default “Root” or “Administrator” type accounts remain active, with passwords that, while complex and complying with corporate policy, are shared across a team of IT administrators to enable them to do their jobs efficiently. In small IT functions, it is sometimes possible to contain the problem to a handful of users. In larger IT functions, this shared access to privileged accounts results in a complete lack of accountability for the actions performed by the most technical people with the highest levels of access to company data and system functionality. This does not, however, need to be the case.
Privileged accounts in today’s organizations have the following characteristics:
- They are high volume – Every server, domain controller, network device, desktop, laptop, firewall, database, application, etc., will have at least one local privileged account. Large organizations may therefore have tens of thousands of accounts to manage.
- They are often shared – In the guise of operational efficiency, most organizations still share privileged account passwords across a team of IT administrators (e.g., Root, Admin, SA, etc.). As a result, it can be difficult to associate any actions performed to a specific individual with any certainty.
- They are keys to the kingdom – Privileged accounts provide the highest levels of access to company systems and data. People with this level of access have the ability to read, change or distribute highly sensitive information or make changes to critical systems that could impact the success of an organization.
- Privileged users are IT experts – By necessity, privileged accounts are put into the hands of highly technical people. The users of these accounts are, as a result, the most technically able to circumvent controls that are built into systems to control their use.
Challenges and Opportunities
Uncontrolled privileged access to IT systems and data represents a significant risk to almost every organization. The good news is that a number of technology-based solutions exist to enable any organization to regain control of these accounts.
At its core, the technology underpinning these solutions provides a secure logical “safe” to store privileged user passwords and the functionality to associate an individual user with the use of a shared account. Furthermore, these solutions can also:
- Restrict access to pre-approved time periods.
- Require certain users to obtain an additional authorization, facilitated by workflow, before privileged access is granted.
- Limit the extent of users’ access, even when a user is logged on with the most powerful accounts.
- Connect to IT systems and automatically change passwords immediately after use.
- Eliminate the need for the IT administrator to know the password by initiating a session and logging in the user automatically.
- Record the sessions (logging keystrokes or capturing indexed video) to enable monitoring of privileged user activities after the event.
These are just a handful of the features offered by the technology solutions that have matured significantly in recent years.
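The checkout model described above can be illustrated with a small simulation. The following is an added example written for this page; it is not code from Protiviti or from any privileged access management product, and the class name, account names (such as "root@db01") and user names are constructed for the illustration. It models the "safe" that holds a shared account's password, ties every checkout to a named individual and an approver, enforces a pre-approved time window and exclusive use, rotates the password at check-in so the released secret becomes worthless, and keeps an audit log that answers "who used this shared account, and when".

```python
"""Minimal model of a privileged-account "safe" (added illustration, not a real product)."""
import secrets
import string
from datetime import datetime, time


class PrivilegedAccountSafe:
    """Stores shared-account passwords and ties each use to a named individual."""

    def __init__(self):
        self._passwords = {}    # account -> current password (known only to the safe)
        self._policies = {}     # account -> {"window": (start, end), "approval": bool}
        self._checked_out = {}  # account -> individual currently holding it
        self.audit_log = []     # one dict per event: who, what, which account, when

    @staticmethod
    def _new_password(length=24):
        # Generated with the secrets module; complexity meets a typical corporate policy.
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def register(self, account, window=(time(0), time(23, 59, 59)), approval=False):
        """Onboard a shared account: the safe sets a password nobody else knows."""
        self._passwords[account] = self._new_password()
        self._policies[account] = {"window": window, "approval": approval}

    def _log(self, event, account, user, now, **extra):
        entry = {"time": now.isoformat(), "event": event, "account": account, "user": user}
        entry.update(extra)
        self.audit_log.append(entry)

    def checkout(self, account, user, now, approved_by=None):
        """Hand the password to a named individual, or return None and log why not."""
        policy = self._policies[account]
        start, end = policy["window"]
        if not (start <= now.time() <= end):
            self._log("denied", account, user, now, reason="outside approved window")
            return None
        if policy["approval"] and approved_by is None:
            self._log("denied", account, user, now, reason="approval required")
            return None
        if account in self._checked_out:
            holder = self._checked_out[account]
            self._log("denied", account, user, now, reason=f"held by {holder}")
            return None
        self._checked_out[account] = user
        self._log("checkout", account, user, now, approved_by=approved_by)
        return self._passwords[account]

    def checkin(self, account, user, now):
        """Release the account and rotate the password so the old one is useless."""
        if self._checked_out.get(account) != user:
            self._log("denied", account, user, now, reason="not the current holder")
            return False
        del self._checked_out[account]
        self._passwords[account] = self._new_password()
        self._log("checkin", account, user, now, rotated=True)
        return True

    def current_password(self, account):
        # A real product's connector would use this to log the user in without revealing it.
        return self._passwords[account]

    def who_used(self, account):
        """The accountability question: which individuals actually used this shared account?"""
        return [e["user"] for e in self.audit_log
                if e["account"] == account and e["event"] == "checkout"]


if __name__ == "__main__":
    safe = PrivilegedAccountSafe()
    safe.register("root@db01", window=(time(9), time(17)), approval=True)
    at_ten = datetime(2024, 1, 15, 10, 0)
    print(safe.checkout("root@db01", "alice", at_ten))                  # None: no approval
    pw = safe.checkout("root@db01", "alice", at_ten, approved_by="bob")  # granted
    print(safe.checkin("root@db01", "alice", at_ten))                   # True, password rotated
    print(safe.current_password("root@db01") != pw)                     # True
    for entry in safe.audit_log:
        print(entry)
```

The audit log is the point of the exercise: even though "root@db01" is a shared account, every checkout names the individual and the approver, and a denied request is recorded with its reason, so a later investigation can attribute actions on the target system to a person rather than to "root".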
Our Point of View
Companies should assess the adequacy of controls they have in place over privileged access to systems and data. Consideration should be given to the following areas when planning an evaluation and remediation strategy:
- Scope and prioritization – Define a scope that makes sense for your organization and a prioritization that is based on business requirements and risk appetite.
- Security standards – Organizational standards must be reviewed and updated to ensure control requirements are clearly established to manage privileged access to IT systems and are consistent with the policies of the firm.
- Tools and technology – It is not possible to address all the issues associated with privileged accounts without investing in some tools and technology. The company should make sure its requirements are clearly articulated and conduct an assessment of solutions to identify the best match.
- Processes and procedures – Tools cannot solve the privileged access problem in isolation. Without robust processes, the risk will not be fully addressed and the return on investment for tools and technology will be limited.
- Training and awareness – The implementation of new tools and processes will change the work patterns of IT administrators. It is therefore important that these teams understand the reasons for the change and are provided with the necessary training to enable them to continue doing their jobs effectively.
How We Help Companies Succeed
Protiviti works with companies to design and implement privileged access control frameworks that consist of good practice policies and control standards, tools and technology, and supporting processes and procedures. Our experts work with a company to understand its technology landscape, identify risk hot spots, and establish a control improvement plan that is tailored to the organization, reflects its risk appetite and is aligned to specific business requirements.
Protiviti has experience with several privileged user management tools and can help companies assess and select the most appropriate one based on their specific requirements. Protiviti also helps clients manage and execute their control improvement plans to ensure business requirements and success criteria are met.
Protiviti was engaged by a global financial services firm to support a program to address an IT privileged access control issue that was pervasive across the organization and resulted in an unacceptable risk of inappropriate access to critical IT systems. Our team conducted an initial current state assessment to measure the effectiveness of existing controls against a new privileged access control standard. We then worked with the client’s IT infrastructure teams to design and implement the solution across a diverse range of platforms on a global basis, including several operating systems, data platforms, middleware technologies, and data and voice networks. Protiviti supported the client with the implementation of the solution across more than 40,000 servers and devices, managing more than 100,000 user accounts in more than 20 countries.