By Peter Theobald | August 22, 2018
Every company has privileged users – superusers and admins –who are tasked with installation, configuration, administration and management of mission-critical systems, applications, databases and network gear. Naturally they need to have extensive access rights to carry out their responsibilities. Literally, they hold the “keys to the kingdom” – they have the ability to do whatever they want in the environment. Audit trails are weak & superusers can easily deny having done something – especially if admin passwords have been shared . Superusers can even hide their tracks subsequently by deleting logs of their actions. In a nutshell, either inadvertently or with malicious intent, a superuser can cause immense damage to any environment – bring down systems, open them to attack or even engineer a data breach. In fact, a significant number of security incidents are caused by misuse of supervisory access.
Companies are now seeking ways and means to secure, manage, control and record the activities of these superusers, so that extensive damage can be prevented, and responsibility can be affixed to them for their actions. “Privileged Identity Management” (PIMs) or Privileged Access Management (PAMs) specifically fulfil this need.
Basically, instead of allowing admin users to directly access critical systems and applications, the PIM solution routes their access through their solution. So instead of giving the privileged user admin usernames and passwords to multiple devices and system, he is given only one user account on the PIM system, and through that system, based on the rights assigned, he can carry out whatever admin activities he needs to.
There are several benefits of this approach. Firstly, the superuser does not know the actual admin passwords of all the systems, since those passwords are typically assigned and held by the PIM system itself in a secure “Password Vault”. Therefore, if the user leaves the organisation, there is no need to change passwords everywhere. Just delete his account and you are done. Secondly, all activities done by the user are recorded. Keystrokes/commands issued can be captured or optionally, even a “video recording” of the session can be done. The superuser can be held accountable for his actions. Further, it is also possible to restrict the user from issuing particularly dangerous commands, so significant damage can be prevented before it occurs.
PIM systems also come in use for issuing temporary admin rights to users – eg one-time access for maintenance work. There is no need to reveal actual admin passwords and then change or delete them thereafter. Normally admin rights are “always on” but with PIM, limited admin rights based on time of day, approval-based access etc. can also be issued. Typically, two factor authentication is also inbuilt into these systems or third party 2FA solutions can also be integrated into the PIMs, providing an additional layer of security and accountability. Full reports of admin access can be generated and often even “query analysers” can be run to identify exactly who ran what command on which system
Hitachi Systems Micro Clinic has expertise in deploying and configuring PIM solutions that can control access to different Operating Systems, Databases, Networking and Security devices. Do get in touch with us to learn how best to “secure your superusers”!
To know more, write to email@example.com