Operations Managers are at the centre of IT production, running the systems, applications and infrastructure that are the lifeblood of the organisation. Pressured by all departments, each with competing demands, and ever pushed for time, the idea of a Privileged Access Management solution may appear to them as extra work for little return.
In this blog we demonstrate how a Privileged Access Management solution actually helps Operations Managers in their daily roles, bringing speed and simplicity to everyday tasks, as well as providing robust IT security.
Operations Managers deal with various business stakeholders and their conflicting needs. To juggle these demands and deliver services, they need great planning, the best workflow and an environment of structured change management.
A Privileged Access Management solution can sometimes ignite fears in Operations Managers over the extra steps needed just to get access to systems, infrastructure, and applications. In their eyes, a Privileged Access Management solution can translate to time, effort and complication.
At Osirium, we understand that speed and simplicity are the keys to adoption. We use our own Privileged Access Management solution, Osirium PAM, in-house thanks to the efficiencies it provides. It delivers Privileged Access Management that works with your staff rather than against them.
A typical dilemma faced by an Operations Manager is ‘privilege creep’. Looking after the Help Desk team, the Operations Manager is faced with Help Desk operators demanding access to tools to help users. As a result, over-privileging occurs; Help Desk operators end up with domain admin rights to solve issues like locked accounts and clearing application caches.
Uncontrolled access to these privileged accounts by insiders, even well-intentioned ones, leaves an organisation vulnerable to data leaks and cyber-attacks – ultimately causing irreparable damage to both the business and its reputation. Every organisation has many tales of staff who tried to fix something and broke many other systems in the process. Osirium PAM helps identify and prevent this threat by supplying and withholding privileges. Access is only given to users when they need it.
Osirium PAM's Privileged Task Management module allows tasks to be delegated and automated without fear of human error. Perfect for repetitive, time-consuming and error-prone daily tasks, task automation allows Operations Managers to delegate the task, not the privilege, operating on a least privilege model.
Examples of this are PBX tasks and Nessus vulnerability scans. Malware tools and vulnerability scanners by their very nature need to run under privileged accounts that can access everything. Human access to these accounts is clearly dangerous, so by automating these tasks we remove the risk.
We know from our customers that Domain Account Password Reset and Service Restarts are the bread and butter of daily help desk work. Processes like these may not be overly complex, but require an account with privilege in order to run. We have helped many of our customers ‘taskify’ these, as well as some of their more complex operations. In general, these are tasks that require multiple steps, for example:
check service A running
if not service A:
    stop service C
    stop service B
    start service A
    start service B
    delete cached files
    start service C
if service A:
    report “Service A running, no action taken”
This is a typical example of a task that needs to be used 2-3 times per week and would generally be given to a full SysAdmin to execute. This is because they need the privileges to access the applications, and the knowledge about the files to delete, and the order of operations to restart the applications. After a while it becomes tedious, and it’s an expensive use of time.
It’s a typical task that gets migrated to a promising member of the help desk staff who is perhaps on their way to becoming a SysAdmin. The cost of the job is reduced because cheaper resources are utilised.
Task Automation is a way of encoding the process that a SysAdmin would perform. It also has the key advantage that it can be replayed without the risk of human typing errors. With the PxM Platform, the privileged credentials to the end system/application never enter the user’s workstation and are never available to the task initiator. This means that the credentials cannot be misused and they cannot be phished from humans or scraped by malware. Not only can the task be safely delegated to cheaper resources, it can be done faster and with complete accuracy.
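The Service A task above, sketched as an added Python example (it is not Osirium's code and does not describe how Osirium PAM is implemented): the initiator supplies only an identity, while the step order and the handle to the managed system stay on the broker side, and every step lands in an audit trail. `FakeServiceHost`, `ALLOWED`, `TASK` and `run_restart_task` are hypothetical names, and the host is a constructed in-memory stand-in for a real system.

```python
class FakeServiceHost:
    """Constructed in-memory stand-in for the managed system (assumption)."""
    def __init__(self, running, fail_on=None):
        self.running = set(running)
        self.cache = ["a.tmp", "b.tmp"]   # constructed sample cache files
        self.fail_on = fail_on            # e.g. ("start", "B") simulates a failed step

    def is_running(self, svc):
        return svc in self.running

    def do(self, action, svc=None):
        if (action, svc) == self.fail_on:
            raise RuntimeError(f"{action} {svc} failed")
        if action == "stop":
            self.running.discard(svc)
        elif action == "start":
            self.running.add(svc)
        elif action == "delete_cache":
            self.cache.clear()

# Step order is fixed by the task author; the initiator cannot alter it.
RESTART_STEPS = [("stop", "C"), ("stop", "B"), ("start", "A"),
                 ("start", "B"), ("delete_cache", None), ("start", "C")]
TASK = "restart_service_a"
ALLOWED = {"helpdesk-1": {TASK}}  # hypothetical delegation table

def run_restart_task(initiator, host):
    """Run the Service A task for `initiator`; return the audit trail."""
    audit = []
    if TASK not in ALLOWED.get(initiator, set()):
        return audit + [(initiator, "denied", "task not delegated")]
    if host.is_running("A"):
        return audit + [(initiator, "report", "Service A running, no action taken")]
    for action, svc in RESTART_STEPS:
        try:
            host.do(action, svc)
        except RuntimeError as exc:
            # Stop at the first failed step so later steps never run out of order.
            return audit + [(initiator, "aborted", str(exc))]
        audit.append((initiator, action, svc or "cached files"))
    return audit + [(initiator, "report", "Service A restarted")]
```

A failed step leaves the remaining steps unrun and recorded as aborted, so the audit trail shows exactly how far the task got before a SysAdmin needs to step in.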
PAM can also create speed of operation. An example can be seen in our desktop interface functionality, which contains a free text search scheme. This is designed so that it searches over all the available data, not just the system name. For instance, if an employee needs to access a Cisco router on a DMZ in Dartford, they could type ‘cisc dmz dart’. If they wanted an SSH session to this router, they could type ‘cisc dmz dart ssh’. With each character typed, the number of systems and tasks shown is reduced. As we run upwards of 3,000 virtual machines, the efficiencies this brings are incalculable.
Osirium PAM also helps with third-party access management, a regular concern of Operations Managers. It does this by integrating with change ticket systems, time windows and multi-factor authentication, delivering exemplary security.
Speed, accuracy, security, and the ability to delegate all reduce an Operations Manager's pain. That is why we believe that Operations Managers shouldn’t shy away from Privileged Access Management; instead, it provides them with the opportunity to work smarter, not harder.