6
September 2016
Two Ideas
Andy Harris
We’ve heard a couple of deployment ideas recently and thought they’d make a very strong combination for increasing security and reducing the cost of managing Privileged Access Management Solutions.
The first seems counter-intuitive: Remove all Personalised Privileged Accounts. Of course managing these personalised accounts is one of Osirium’s best features! However, here’s the gain, if you organise your system access into role based accounts your team can ensure that these are kept to the absolute minimum. This means that your Privileged Account attack surface is as small as it can be. The issue here is that the credentials of role based accounts could get proliferated around the organisation. Therefore it’s vital that you:
Separate People From Passwords
The next step is to ensure that you can always determine the identity or whoever uses these accounts. This is very simple using Osirium’s profiles and groups. Everything will get SysLogged so your SIEM systems can tie everything up.
Here’s the second idea: People have no access to any system unless there is an authorised reason. This of course gives you the issue of how to manage all those authorisations, isn’t it easier for your SysAdmins and DevOps to work their way through the open tickets and deal with issues as they arise?
Your ticket system contains the inherent reasons why someone should be authorised to access particular systems. If you can combine your ticketing system with Osirium’s profiles you get this:
(Identity + Reason) IN — (SysLogged Role) OUT
You have now reduced the attack surface in two ways:
- Reduced the overall number of Privileged Accounts
- Gated the access to those Accounts by the ticketing system
You have reduced your management and reporting effort as well:
- Osirium can give you a direct mapping between identities and role based accounts
- Your ticket system (and Osirium) can tell you when and why access to these Accounts was enabled
- Your SIEM system will have all the information nicely correlated
- You’ve not added any new procedures or steps for your SysAdmins and DevOps to go through
Many customers have enjoyed our management of Personalised Privileged Accounts and this could be used in the scenarios given. However, looking to the future it could be used to migrate from personalised to role-based accounts.
We believe these two interesting ideas brought together have real merit and are perfectly suited to an implementation of Osirium. If you’d like to achieve this level of security with ease of management then please get in touch!