Just about every organization has to do regular privileged account recertification. You might call it something else, but the need is to check that only the right people have privileged access (i.e. admin or system-level access) to shared devices, applications, or services.
In many cases, it’s a legal requirement: NIST-800, CAF, PCI-DSS and many other regulations require organizations to show that they carry out regular reviews and audits of privileged accounts. Even if it weren’t a regulatory requirement, it’s just good practice.
But it’s hard and time-consuming, so it’s no wonder that it either gets missed or isn’t completed, and that means you’re leaving an open door for attack.
The traditional approach for reviewing privileged accounts involves a lot of spreadsheets and manual review, collating changes, then updating AD.
The typical process involves IT generating lists of accounts from Active Directory (AD). Each account may be a member of a group that has administrator privileges. Just to make things even more challenging, AD groups can be nested, meaning it’s not always easy to spot why an account has administrator privileges.
IT then has to associate the groups with particular managers in the organization, such as by identifying who owns the “London Marketing” team or the “Germany Firewalls” groups. It’s not unusual to have hundreds or even thousands of groups in AD.
So IT creates lists of users that are members of those groups and sends the lists to the owners of those groups.
Each group owner then reviews the lists – and they could have many – to check that the memberships are correct. Perhaps someone was seconded from one team to another, so they were added to a group but no longer need access. Another common scenario might involve an external contractor, some temporary staff or a supplier working on a project. If those accounts weren’t disabled or removed from the groups when the project ended, there’s a massive security hole just waiting to be exploited. That’s why the re-certification process is so important.
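The nesting problem in the IT step above is easiest to see in code. The following is an added example, not part of this post or of PPA: it walks a constructed set of nested groups (in a live directory the same data would come from AD group membership queries), returns every account that ends up with a privileged group’s rights together with the chain of groups that explains why, and splits the result into per-owner review lists. It handles the membership loop that real directories often contain.

```python
from collections import deque

# Constructed sample directory (assumption: illustrative data, not a real AD).
# Each key is a group; its value lists direct members (users or other groups).
DIRECT_MEMBERS = {
    "Domain Admins": ["alice", "Germany Firewalls"],
    "Germany Firewalls": ["bob", "Network Ops"],
    "Network Ops": ["carol", "Germany Firewalls"],  # nesting loop, as seen in real directories
    "London Marketing": ["dave", "erin"],           # not privileged; must not appear
}

# Constructed owner mapping (assumption), as IT would maintain it for the review.
GROUP_OWNERS = {
    "Domain Admins": "it-sec",
    "Germany Firewalls": "net-admin-de",
    "Network Ops": "net-admin-de",
    "London Marketing": "mkt-mgr-ldn",
}


def effective_members(group, members=DIRECT_MEMBERS):
    """Return {user: chain} for every user who holds `group`'s rights at any nesting depth.

    `chain` is the list of groups from `group` down to the one that directly
    holds the user, i.e. the reason the user is privileged.
    """
    found = {}
    seen = set()
    queue = deque([(group, [group])])      # breadth-first, so the first chain found is the shortest
    while queue:
        current, path = queue.popleft()
        if current in seen:                # loop or diamond: never expand a group twice
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:          # member is itself a group: expand it
                queue.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def review_lists(privileged_groups, members=DIRECT_MEMBERS, owners=GROUP_OWNERS):
    """Build owner -> sorted [(user, chain)] so each owner only reviews the groups they own."""
    by_owner = {}
    for pg in privileged_groups:
        for user, chain in effective_members(pg, members).items():
            owner = owners.get(chain[-1], "unassigned")   # owner of the group holding the user
            by_owner.setdefault(owner, []).append((user, " > ".join(chain)))
    return {owner: sorted(entries) for owner, entries in by_owner.items()}
```

The chain is what the reviewer and the AD administrator both need: carol is not a direct member of Domain Admins, so her access is only removed by editing Network Ops, not the privileged group itself.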
Switch now to the group owners – the Marketing Manager in London or the Network admin in Germany. They get a list of spreadsheets from IT with potentially hundreds of names on each. They may or may not know which groups they own, let alone all the people on the lists. As a result, they may delegate parts of the list to others to review which generates more work to collate the results before sending back to IT. Of course, this isn’t seen as particularly interesting or valuable to the Marketing team so the process might not get to the top of their To Do lists and they’ll get continual reminders from IT or the Security team until they’ve completed their review.
As IT receives the spreadsheets, they’ll have to check the content to make sure every list has been reviewed correctly. It’s quite likely they’ll have to send some back to be re-reviewed or ask further questions.
Assuming the results are all OK, an AD administrator will have to manually update AD with all the necessary changes. With the process being manual, there are plenty of opportunities to make mistakes – miss someone, or remove an account that shouldn’t be removed. Somehow, an audit trail needs to be maintained, perhaps the printed spreadsheets, to prove to the IT auditors that the process has been completed.
Overall, there’s a lot of routine work, that’s easy to get wrong and could leave massive security holes if not completed correctly. And it has to be done every quarter. No wonder it’s one of the activities that most IT organizations would rather they didn’t have to do.
Imagine if you could automate the whole process…
Automation may seem an unlikely solution. After all, the process involves a lot of people in different locations, reviewing lists is a human task and updating AD needs a trained and valuable administrator. With Privileged Process Automation (PPA) however, it’s very easy.
You can see how the process works in this video:
Each group owner or manager can only see the groups they have access to. From there, it’s easy to select accounts to remove from their groups. The entire process is secure because AD credentials are retrieved from a secure vault such as Osirium PAM or HashiCorp and the credentials are never exposed to the user.
The process to update AD is all automated within PPA so the user doesn’t need to know how to use AD and they can’t do anything they shouldn’t.
PPA keeps a complete audit trail of all the changes, so Auditors will have all the information they need on their next visit.
If you can automate recertification, just imagine what else you could do. PPA is being used beyond AD tasks such as recertification or password resets. It’s being used to automate security operations (for example, updating firewall rules), network operations (e.g. configuring routers or DNS servers) or financial operations such as managing AWS billing data. You can see examples on the PPA page.
PPA is as powerful as your imagination. Faster, simpler, safer.
So, what do you imagine doing with the time you'll save with PPA?