Privileged identity management: Difference between revisions

Shohami (talk | contribs)
Clarify terminology (PIM, PAM). Add a category for service accounts (distinct from application accounts). Explain why a separate product category is required (not just IAM). Clean up some text generally.
 
Please also see [[Privileged password management]] -- the usual strategy for securing privileged identities is to periodically scramble their passwords, securely store the current password values, and control disclosure of those passwords.
 
==Types of Privileged Identities==
 
The term “Privileged Identities” refers to any type of user or account that holds special or extra permissions within the [[enterprise systems]]. Privileged identities are usually categorized into the following types:
* Generic/Shared Administrative Accounts – the non-personal accounts that exist in virtually every device or software application. These accounts hold “[[super user]]” privileges and are often shared among IT staff. Some examples are: the Windows Administrator user, the UNIX root user, and the Oracle SYS account.
* Privileged Personal Accounts – the powerful accounts that are used by business users and IT personnel. These accounts have a high level of privilege, and their use (or misuse) can significantly affect the organization’s business. Some examples are: the CFO’s user, a DBA’s user.
* Application Accounts – the accounts used by applications to access databases and other applications. These accounts typically have broad access to the underlying business information in databases.
* Emergency Accounts – special generic accounts used by the enterprise when elevated privileges are required to fix urgent problems, such as in cases of [[business continuity]] or [[disaster recovery]]. Access to these accounts frequently requires managerial approval. They are also called fire-call IDs, break-glass users, and similar names.
 
== Special Requirements of Privileged Identities ==
A Privileged Identity Management technology needs to accommodate the special needs of privileged accounts, including their provisioning and life cycle management, [[authentication]], [[authorization]], [[password management]], auditing, and access controls.
* Provisioning and life cycle management – handles the access permissions of a personal user to shared/generic privileged accounts based on roles and policies.
* Authentication – controls the strong authentication of privileged identities. In particular, it provides applications with a secure alternative to static [[passwords]].
* Authorization – manages powerful permissions and the workflow of granting them, sometimes on demand, to privileged identities.
* Password Management – enforces password policies on privileged identities, which, unlike regular identities, may not be associated with a single person or may be shared among a few people.
* Auditing – provides detailed auditing of actions taken by privileged users. This may include recording the user’s session as well as correlating a generic/shared account with the person who used it.
* Access Controls – manages which commands and resources a privileged account has access to. Different people using the same shared privileged account can have different access requirements, so access controls should be applied at the individual level, following the security principle of "least privilege".
 
== Risks of Unmanaged Privileged Identities ==
 
Unmanaged privileged identities can be exploited by both insiders and external attackers. If these identities are not monitored, held accountable, and actively controlled, malicious insiders, including system administrators, can steal sensitive information or cause significant damage to systems.
 
Because common [[Identity access management]] frameworks do not manage or control privileged identities{{ref|iam1}}, privileged identity management software began to emerge after the year 2000.
 
Privileged identity management software frameworks manage each of the special requirements outlined above, including discovery, authentication, authorization, password management with scheduled changes, auditing, compliance reporting, and access controls. The frameworks generally require administrators to check out privileged account passwords before each use, prompting requesters to document the reason for each access and re-randomizing the password promptly after use. Even after logging in, administrator actions are governed by access controls.
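The check-out workflow just described, modelled as an added example that is not code from the original article or from any PIM product: a person entitled to a shared account must state a reason to check it out, the disclosed password is re-randomized at check-in, and the audit log correlates the generic account with the individuals who used it. The PrivilegedVault class and its methods are hypothetical names chosen for this illustration.

```python
import secrets
import string
from dataclasses import dataclass, field

# Constructed, in-memory model of the check-out / check-in workflow described
# above. Class and method names are hypothetical, not any real product's API.


def random_password(length=24):
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class PrivilegedVault:
    passwords: dict = field(default_factory=dict)      # shared account -> current password
    entitlements: dict = field(default_factory=dict)   # shared account -> people allowed to use it
    checked_out: dict = field(default_factory=dict)    # shared account -> person holding it
    audit_log: list = field(default_factory=list)      # (event, person, account, note)

    def add_account(self, account, allowed_people):
        self.passwords[account] = random_password()
        self.entitlements[account] = set(allowed_people)

    def check_out(self, person, account, reason):
        """Disclose the current password to one person, recording who and why."""
        if person not in self.entitlements.get(account, set()):
            self.audit_log.append(("DENIED", person, account, reason))
            raise PermissionError(f"{person} is not entitled to {account}")
        if not reason.strip():
            raise ValueError("a documented reason is required")
        if account in self.checked_out:
            raise RuntimeError(f"{account} already held by {self.checked_out[account]}")
        self.checked_out[account] = person
        self.audit_log.append(("CHECKOUT", person, account, reason))
        return self.passwords[account]

    def check_in(self, person, account):
        """Return the account and re-randomize its password so the disclosed value is dead."""
        if self.checked_out.get(account) != person:
            raise RuntimeError(f"{account} is not checked out by {person}")
        self.passwords[account] = random_password()
        del self.checked_out[account]
        self.audit_log.append(("CHECKIN", person, account, "password rotated"))

    def users_of(self, account):
        """Correlate the generic account with the individuals who actually used it."""
        return [p for ev, p, a, _ in self.audit_log if ev == "CHECKOUT" and a == account]
```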