Privileged Identity Management Part 1

Privileged Identity Management is a really interesting area nowadays. It has only just started to evolve and spread in the market.


IT leaders usually do not realize how important this can be for preventing or detecting an incident, or as evidence in a criminal case. These tools are intended to deter administrators from doing things they shouldn't do, and they make it possible to record (almost) everything! HOW?

Well, there are several products on the market, each of them working a bit differently, but some basic functions are common to all of them. I have tested some of them and had the privilege to challenge them, score them and select one of them as our preferred product.

So, what does the title of this topic mean?

PIM/PUM/PAM/... all mean roughly the same thing: Privileged Identity/User/Access/... Management. All of them were developed to provide a tool capable of managing the privileged user accounts in the IT infrastructure.

I have some very interesting questions at this point. Ask them of yourself:

  • What are the privileged user accounts?
  • Where are the privileged user accounts?
  • How many privileged accounts exist in the IT infrastructure?
  • Are there any shared accounts? (Are there any named accounts?)
  • Who knows the passwords?
  • How often are these passwords changed?
  • After a change of position (on/off-boarding), do these passwords remain the same?
  • Am I able to see what the administrators do/see during their daily work? Do they check the salary spreadsheets or database tables in their free time?

What are the privileged user accounts and who uses them?

Privileged user accounts, as I see them, are the accounts which have more privileges on a system than a regular user. It is hard to draw the border line, but you can feel it :). It is when someone has more power than the others: he can bypass the general built-in controls, or for example access the database without using the regular client software, perhaps browsing it with an SQL tool. Or it can be an administrator account in Windows (or a domain admin!); or "root" in Linux; or "enable" on a Cisco device; or SYSDBA/SYS in a database. These accounts are the most powerful users, who can do anything in the systems, and usually they cannot be removed, nor is there any way to ignore them and avoid using them in special cases. Usually they are known by several people: they are SHARED ACCOUNTS! And as they are shared, usually there is no strict policy on password complexity.


Number of privileged accounts

Generally speaking, the number of administrative accounts is greater than the number of devices! Why? Because on every Windows machine there is a local administrator account, on every Linux machine there is the root account, on every Cisco device there is enable, and in every database there is a database administrator. On top of these there are the domain administrators, the application administrators and so on...

And I have not even mentioned the technical users or service users, which are usually equally powerful. Sometimes they are hard-coded into applications.


Password change?

Have you ever heard of administrative passwords being changed? Very rarely!!! Why? Because they are hard-coded into the applications, and nobody is brave enough to change an admin password because they cannot estimate its impact on the business applications.


What happens if someone gets fired?
Usually nothing. IT removes or disables some accounts, but the passwords of the general administrative shared accounts remain the same. I have heard several stories about this, and I know people who said they left a company years ago but the ssh or rdp passwords are still the same. What a surprise?!?
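As an added illustration (not code from the original post), here is the checklist above and the off-boarding problem turned into a small audit over a constructed inventory: it counts privileged accounts per host and flags passwords older than a policy limit, passwords unchanged since someone who knew them left, and accounts known by more than one person. Hosts, people and dates are made up.

```python
from datetime import date

# Constructed sample inventory (hosts, people and dates are made up):
# one built-in privileged account per device, plus service and domain accounts,
# each with the date of its last password change and the people who know it.
INVENTORY = [
    {"account": "Administrator", "host": "WS-01", "kind": "local",
     "changed": date(2011, 3, 1), "known_by": {"alice", "bob"}},
    {"account": "root", "host": "db-srv-01", "kind": "local",
     "changed": date(2012, 6, 10), "known_by": {"bob", "carol"}},
    {"account": "enable", "host": "core-sw-01", "kind": "network",
     "changed": date(2010, 1, 15), "known_by": {"dave", "erin"}},
    {"account": "SYS", "host": "db-srv-01", "kind": "database",
     "changed": date(2013, 5, 2), "known_by": {"carol"}},
    {"account": "svc_backup", "host": "db-srv-01", "kind": "service",
     "changed": date(2009, 9, 9), "known_by": {"bob"}},
    {"account": "alice.admin", "host": "DOMAIN", "kind": "domain",
     "changed": date(2013, 5, 20), "known_by": {"alice"}},
]

# Constructed off-boarding record: person -> last working day.
DEPARTURES = {"bob": date(2012, 12, 31), "dave": date(2011, 7, 1)}
AUDIT_DATE = date(2013, 6, 1)  # constructed "today" for the audit

def audit(inventory, departures, today, max_age_days=90):
    """Return (findings, accounts_per_host). A finding is (account@host, kind,
    detail) where kind is 'stale' (password older than max_age_days), 'leaver'
    (unchanged since someone who knew it left) or 'shared' (known by >1 person)."""
    findings, per_host = [], {}
    for acc in inventory:
        ref = f"{acc['account']}@{acc['host']}"
        per_host[acc["host"]] = per_host.get(acc["host"], 0) + 1
        age = (today - acc["changed"]).days
        if age > max_age_days:
            findings.append((ref, "stale", f"password is {age} days old"))
        # Anyone who knew the password, has left, and the password was not rotated since
        for person in sorted(acc["known_by"] & set(departures)):
            if acc["changed"] <= departures[person]:
                findings.append((ref, "leaver", f"unchanged since {person} left on {departures[person]}"))
        if len(acc["known_by"]) > 1:
            findings.append((ref, "shared", f"known by {len(acc['known_by'])} people"))
    return findings, per_host

if __name__ == "__main__":
    found, hosts = audit(INVENTORY, DEPARTURES, AUDIT_DATE)
    print(f"{sum(hosts.values())} privileged accounts on {len(hosts)} hosts")
    for ref, kind, detail in found:
        print(f"{kind:6} {ref}: {detail}")
```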


To be continued.