I have been intending to write something about privileged access management for a while now, but I had been struggling to come up with something that anybody would actually be interested in reading. Then, last night while walking the dog it came to me that the answer was staring me in the face. If I am struggling to come up with an article about why control of privileged access is important, what chance does somebody with no knowledge of the subject have to understand the importance of this subject?
So how do I generate an interest in privileged access management? How do I make it sexy?
I could present lots of pretty pictures, draw fancy graphs and present impressive statistics but at the end of the day I believe there is one fundamental issue. This is an area of security that often gets overlooked. Why? In my opinion, it is probably the most important aspect of securing computer systems. Companies spend vast sums of money building impressive, complicated security and yet have administrator accounts that allow a user to simply walk right through those defences.
I once worked with a colleague who was in dispute with a telecoms service provider. Frustrated at never being able to sort out his issue, one day he logged on to one of their routers. He guessed at the default administrator user ID and password and was into their network with full administrator privileges. Fortunately for them he was only looking for information to sort out his issue, but what if he had wanted more?
Let’s take a lesson from the bad guys. One of the first things attackers do when they gain access to a target is try to escalate privileges. Elevated privileges give them all the access they need to continue their attack. So much expensive security infrastructure is rendered useless once an attacker has the administrator privileges to bypass it all.
And it isn’t just the bad guys that we need to worry about. The world is full of UNIX system administrators who can tell you the story of the person who mistakenly deleted a whole load of important data because they ran a delete command in the wrong place. Many of these mistakes could have been prevented if the person running the command did not have administrative access.
Fortunately there are many tools and solutions for this problem. But even they suffer from the basic problem that we first have to understand there is an issue and be interested in doing something about it.
So is privileged access management sexy? Of course not. Is it important? I think so. Privileged identities have access to the most sensitive of your company’s data and systems. Without proper control they can be used to wreak havoc. I often wonder how much of the security we implement we would actually need if we had proper controls around identities and their levels of access. But that is a discussion for another day…