Recent high-profile data breaches involving privileged accounts show a need for rigorous privileged identity management (PIM). Given the diversity of users and devices that connect to enterprise networks, dedicated PIM tools are the only way to ensure least-privileged access is enforced across the IT infrastructure. But PIM can’t operate in isolation, nor is it a silver bullet.
Accessing privileged accounts is the easiest way to break into a network; phishing users who hold privileged access in order to steal their credentials is the most common social attack. Therefore, ongoing security-awareness training should be given to those with privileged access so that they can recognize the latest attacks. New employees must learn corporate security policies before they are added to the organization’s identity and access management system. Whenever an employee’s role changes, induction training should cover the responsibilities that come with any new privileged access the role requires before that access is granted.
Security teams and HR must collaborate on the role assignment so that there is an adequate level of separation of duties and so that employees’ roles and permissions are added and taken away as their status changes. Technologies for privileged identity management that provide clear, comprehensive dashboard overviews of the status of employees, roles and permissions are essential to quickly spot and correct mistakes and mis-assigned privileges.
Logging and monitoring privileged users’ activities is also key, since it allows unusual or suspicious behavior and events to be spotted. Context-aware privilege control — using multiple factors such as a user’s location, IP address, role and the time of day to decide what a user can do — provides another layer of protection.
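As an added illustration (not code from the original article or any PIM product), the following Python snippet shows what a context-aware privilege decision can look like: it combines the user's assigned role with source IP, country and time of day, and writes one audit line per decision so that privileged activity can be monitored. The networks, hours, countries and action names are constructed placeholder values.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed policy values (assumptions for this example, not from the article).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time
ALLOWED_COUNTRIES = {"US", "GB"}         # where privileged use is expected
PRIVILEGED_ACTIONS = {"reset_password", "change_acl", "disable_account"}

@dataclass
class AccessRequest:
    user: str
    role: str            # role assigned in the IAM system, e.g. "admin" or "analyst"
    source_ip: str
    country: str         # derived from geolocation of source_ip
    requested_at: datetime
    action: str

def decide(req):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    # Role check first: least privilege means the action must be within the role at all.
    if req.action in PRIVILEGED_ACTIONS and req.role != "admin":
        return "deny", "action requires the admin role"
    if req.action not in PRIVILEGED_ACTIONS:
        return "allow", "non-privileged action"
    # Right role for a privileged action: now weigh the context factors.
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", f"privileged action from unexpected country {req.country}"
    ip = ipaddress.ip_address(req.source_ip)
    on_corp_net = any(ip in net for net in CORPORATE_NETS)
    in_hours = req.requested_at.hour in BUSINESS_HOURS
    if on_corp_net and in_hours:
        return "allow", "admin on corporate network during business hours"
    return "step_up", "admin outside corporate network or hours; require MFA"

def audit_line(req, decision, reason):
    """One log line per decision so privileged activity can be monitored."""
    return (f"{req.requested_at.isoformat()} user={req.user} role={req.role} "
            f"ip={req.source_ip} action={req.action} decision={decision} reason=\"{reason}\"")

def check(user, role, source_ip, country, requested_at_iso, action):
    """Build the request, decide, and return (decision, audit line)."""
    req = AccessRequest(user, role, source_ip, country, datetime.fromisoformat(requested_at_iso), action)
    decision, reason = decide(req)
    return decision, audit_line(req, decision, reason)

if __name__ == "__main__":
    for args in [("alice", "admin", "10.1.2.3", "US", "2024-05-06T10:15:00", "reset_password"),
                 ("alice", "admin", "203.0.113.5", "US", "2024-05-06T22:15:00", "reset_password"),
                 ("bob", "analyst", "10.1.2.3", "US", "2024-05-06T10:15:00", "reset_password")]:
        print(check(*args)[1])
```

The audit lines are the input the monitoring described above would consume; a real deployment would feed them to a SIEM and treat a run of step_up or deny decisions for one account as a signal worth investigating.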
Privileged identity management must be at the heart of any organization’s IT security strategy, but other disciplines like data classification and security-awareness training are necessary if it is to perform to its potential.