A few weeks back at the Gartner Catalyst conference I presented a session titled: Where does management end and governance begin for privileged accounts?
The talk is the culmination of many ‘campfire’ talks we’ve had internally over the past while about privileged account access and management. As some of you know, we’ve had solutions covering the use cases in this area for quite some time. When we looked at past efforts in identity management and saw that many ‘priv management’ projects were occurring in separate, siloed deployments, we started asking customers why administrator accounts are treated differently. In some cases they are treated more specifically and severely, with good automation and governance processes in place to manage access, record sessions, manage activities on the servers, and so on.
However, we also found that, by virtue of being siloed, these deployments are generally ‘apart’ from the standard Identity and Access Governance processes that many of the same organizations had put in place. The scenario may be familiar to you: ‘normal’ end users have to request an account, have it approved, and usually have that access reviewed intermittently; overall, the system or resource is managed by an application/service owner on an ongoing basis.
That same user (yes, super users are also normal users!) generally does NOT go through the same process to get the tools he or she needs for the job. As a new hire, all of the basics are provisioned by normal business processes: the LAN ID, the corporate mobile phone, the building access control system. So why, when that user starts to work server outage tickets, for example, do we just hand over admin-level permissions ‘willy-nilly’, with virtually no oversight, reviews or comparisons against business policies (such as separation of duties)?
The talk was productive and, I feel, timely. Many of the questions that came up afterwards concerned admin-level service accounts and application-level credentials, which are different from (and potentially more dangerous than) a simple root/Administrator account. Indeed, the overarching story from many of the sessions here at Catalyst was the ‘higher level’ stories surrounding Identity and Access Management.
Enjoy the session!