The basic premise of security comes down to three words: trust no one. This is especially true when we focus on those who hold "the keys to the kingdom." If you don't have this mindset as you're thinking about security, you're potentially setting yourself up for a major security incident via the intentional or inadvertent misuse of these privileged accounts. This isn't to disparage administrators: 99.9 percent of the employees with access to privileged accounts may be among the most honest and trustworthy people you know. But the simple existence of such pervasive power in your organisation demands that accountability starts at the top, by managing and monitoring the activity that takes place through these accounts.
If you're not continuously managing and monitoring these privileged accounts and applications in your organisation, here are seven immediate steps you can take to make sure the power you've created is accountable:
* Include privileged identities within the broader security/Identity Management project scope. This is a critical first step, because if privileged access isn't included in the initial scope, it won't get addressed. Identity management projects need to focus on more than controlling end-user access in your organisation. Given the power of these privileged accounts, this needs to be included in any IdM discussion, and should be a focal point from the onset of the project.
* Identify the key systems, applications and databases and the underlying privileged accounts that exist in each one. Often overlooked is the fact that each application in your organisation has underlying generic identities which, once accessed through a privileged account, give wide-ranging access to any other application in the organisation that they touch.
* Identify who should have access to privileged accounts - make sure you understand who exactly you're giving this power to.
* Identify who does have access to privileged accounts - as you audit these accounts, you'll be shocked to find out how many users have access that they shouldn't.
* Clearly define policies for privileged access to key systems, ensuring safeguards such as dual-control, time-based access and frequent strong password changes.
* Implement processes to automatically apply the policy definitions. As cited above, the Consensus Audit Guidelines suggest that these processes be managed automatically and continuously.
* Monitor and report actual adherence to the defined policies you set forth. This is a critical component in safeguarding your organisation: make sure you not only know who is accessing these accounts, but also monitor the activity once access is granted, to confirm that the activity itself complies with your security and business policies.
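The audit the steps above describe, as an added example that is not from the article: a small Python check that compares a constructed privileged-account checkout log against an approved-holder list and the dual-control, time-based access and password-rotation policies named in the list. All account names, timestamps and thresholds are constructed assumptions.

```python
# Added example (not from the article): audit actual privileged-account use against
# the policies the article lists: approved holders, dual control (a second person
# approves each checkout), a time-based access window and a password-age limit.
# All data below is constructed; the thresholds are assumptions.
from datetime import datetime

NOW = datetime(2024, 6, 3, 10, 0)          # constructed "current time" for the audit
MAX_PASSWORD_AGE_DAYS = 90                 # assumed rotation policy
ACCESS_WINDOW = (8, 18)                    # assumed permitted hours (start inclusive, end exclusive)

# Who is approved to use each privileged account: (system, account) -> set of users.
APPROVED = {
    ("erp-db", "sa"): {"alice", "bob"},
    ("hr-app", "admin"): {"carol", "dave"},
}

# Constructed record of each account's last password change and a checkout log.
PASSWORD_CHANGED = {
    ("erp-db", "sa"): datetime(2024, 1, 15),   # 140 days old at NOW: violates policy
    ("hr-app", "admin"): datetime(2024, 5, 1),
}
CHECKOUTS = [
    {"system": "erp-db", "account": "sa", "user": "alice", "approver": "bob",
     "at": datetime(2024, 6, 2, 9, 30)},            # fully compliant checkout
    {"system": "erp-db", "account": "sa", "user": "erin", "approver": "bob",
     "at": datetime(2024, 6, 2, 11, 0)},            # erin is not on the approved list
    {"system": "hr-app", "account": "admin", "user": "carol", "approver": "carol",
     "at": datetime(2024, 6, 2, 23, 15)},           # self-approved and outside hours
]

def audit(approved, password_changed, checkouts, now=NOW,
          max_age=MAX_PASSWORD_AGE_DAYS, window=ACCESS_WINDOW):
    """Return a list of (system, account, user, finding) tuples."""
    findings = []
    for c in checkouts:
        key, user = (c["system"], c["account"]), c["user"]
        if user not in approved.get(key, set()):
            findings.append(key + (user, "not an approved holder"))
        if not c["approver"] or c["approver"] == user:
            findings.append(key + (user, "no independent approver (dual control)"))
        if not window[0] <= c["at"].hour < window[1]:
            findings.append(key + (user, "checkout outside access window"))
    for key, changed in password_changed.items():
        if (now - changed).days > max_age:
            findings.append(key + ("", "password older than %d days" % max_age))
    return findings

if __name__ == "__main__":
    for f in audit(APPROVED, PASSWORD_CHANGED, CHECKOUTS):
        print("%s/%s %s: %s" % f)
```

In practice the checkout log and password-change dates would come from the vault or directory that issues the privileged credentials, and the findings would feed the reporting the last step calls for.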
Organisations will always be faced with threats from the inside and out. Identifying your greatest risks and threats is the first step in safeguarding your organisation. You can do this by taking trust out of the equation when it comes to security - it simply does not make for good policy. To steal a line from an old favorite, just remember, "It's not personal, it's strictly business."
Adam Bosnian is the vice president of products, strategy and sales at Cyber-Ark Software. He is responsible for the global product and business strategy of the company as well as for managing the North American sales organisation and growing the business in this area.