Privileged users are critical to managing your company’s systems. Without them, there would be nobody to take accountability for decisions. However, these users also add risk to your company. If their access and privileges are misused, then you face a considerable chance of damage. That leaves you with a dilemma: balancing the need for privileged user productivity and IT security. You will find out how to balance these issues successfully.
Defining Privileged User Risk
Before we dive into the details, let’s take a step back for a moment and define the problem. In identity and access management, there is some chance of misuse, theft or abuse of credentials at all times. However, the risk impact varies considerably depending on the user. Privileged users have significantly more authority than regular users. For example, you may permit these users to create new accounts, cancel accounts or download management reports. If these privileges were misused, your company would face a considerable negative impact.
To give one example, a disgruntled privileged user could remove user accounts for everybody in the customer support department. That single change would cause chaos and bring productivity to a standstill. In another scenario, a privileged user could create accounts and enable an outsider to access sensitive data. Left unmanaged and unmonitored, you face considerable risk of data loss and embarrassment due to your privileged users. Fortunately, this is a known risk, so you do not have to start from scratch in managing it.
There are several ways to respond to this risk. You might choose to dramatically limit the number of privileged users. Alternatively, you may decide to use reporting and training to guide users in the best way to use their accounts. In any case, it is critical to balance the need for risk reduction and the need for enterprise productivity. Rather than prescribing a single approach for all situations, we recommend aligning your privileged user strategy with the risk these users pose to your organization.
Simple Steps To Optimize Privileged User Risk
Use this process to refresh your approach to privileged users and bring this risk exposure under control. The method may take a few days the first time you run it. Once you are in maintenance mode, it may take as little as one day per quarter to manage.
1) Review Your IT Security Risk Strategy
Any change to your identity and access management systems and processes needs to align with the company’s IT security strategy. For example, your company may brand itself as the most trustworthy bank in the marketplace. In that situation, you will have support to invest further into controls. In other cases, growth and innovation may be the guiding principles for the company. In that context, your approach to optimizing privileged users will need to emphasize productivity further.
2) Check For Privileged User Incidents, Reports and Issues
In this step, you will need to do some research. Specifically, review any recent security events, hacks, audits and other reports to identify privileged user issues. Poorly managed “admin accounts” and other types of privileged users often tend to be involved in security events. If you find nothing in recent reports, make a note to ask IT audit to consider the issue of privileged user management in an upcoming audit.
3) Identify Privileged User Reduction Opportunities
Using your identity and access management system as a resource, create a list of all your privileged users. At this stage, it is best to take a broad interpretation of privileged users: admin accounts in IT, executive accounts and more should all be in scope. Once you have this list, assess it with the following questions.
- When was this access privilege last reviewed and approved? It is a red flag if the last review date is unknown or more than a year ago.
- Does the privileged user access match with the individual’s current job role? For example, an IT manager who moves to IT audit probably needs a different access profile.
- What are the user behavior outliers for privileged users? Look for unusual activities such as privileged users who routinely create new accounts. At the opposite end of the spectrum, look for administrative users who never seem to use their privileges.
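The three review questions above can be turned into a repeatable check over an export from your identity and access management system. The script below is an added example, not code from the original article or any product it mentions; the field names, the role-to-privilege mapping and the sample accounts are constructed assumptions.

```python
from datetime import date

# Constructed sample export of privileged accounts (not real data); field names are assumed.
PRIVILEGED_USERS = [
    {"user": "alice", "role": "it_admin", "privileges": {"create_account", "delete_account"},
     "last_reviewed": date(2024, 3, 1), "accounts_created_90d": 4, "privilege_uses_90d": 37},
    {"user": "bob", "role": "it_audit", "privileges": {"create_account", "delete_account", "read_reports"},
     "last_reviewed": date(2022, 6, 15), "accounts_created_90d": 0, "privilege_uses_90d": 12},
    {"user": "carol", "role": "executive", "privileges": {"read_reports"},
     "last_reviewed": None, "accounts_created_90d": 0, "privilege_uses_90d": 0},
    {"user": "dave", "role": "it_admin", "privileges": {"create_account"},
     "last_reviewed": date(2024, 5, 20), "accounts_created_90d": 60, "privilege_uses_90d": 65},
]

# Assumed mapping of job roles to the privileges each role legitimately needs.
ROLE_PRIVILEGES = {
    "it_admin": {"create_account", "delete_account"},
    "it_audit": {"read_reports"},
    "executive": {"read_reports"},
}


def review_privileged_users(users, today, max_review_age_days=365, creation_outlier=20):
    """Return (user, flag) pairs for each red flag raised by the three review questions."""
    findings = []
    for u in users:
        # Question 1: when was this access last reviewed? Unknown or older than a year is a red flag.
        if u["last_reviewed"] is None:
            findings.append((u["user"], "review_unknown"))
        elif (today - u["last_reviewed"]).days > max_review_age_days:
            findings.append((u["user"], "stale_review"))

        # Question 2: do the privileges match the current job role?
        excess = u["privileges"] - ROLE_PRIVILEGES.get(u["role"], set())
        if excess:
            findings.append((u["user"], "role_mismatch"))

        # Question 3: behaviour outliers, at both ends of the spectrum.
        if u["accounts_created_90d"] > creation_outlier:
            findings.append((u["user"], "account_creation_outlier"))
        if u["privilege_uses_90d"] == 0:
            findings.append((u["user"], "unused_privileges"))
    return findings


if __name__ == "__main__":
    for user, flag in review_privileged_users(PRIVILEGED_USERS, date(2024, 6, 1)):
        print(f"{user}: {flag}")
```

Each flag maps back to one of the questions, so the output doubles as the agenda for the stakeholder discussions in the next step.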
4) Engage Managers and Stakeholders to Implement Access and Privilege Reductions
Based on the analysis in the previous step, you need to discuss changes with your stakeholders. Start with people you already know well in the company. Explain that you are looking to reduce access privileges to reduce the company’s IT security risk. Once this initial effort succeeds, expand to the rest of the company.
At a certain point, you will encounter limits. Some users may resist reducing their administrative privileges. In that case, there is an alternate strategy to reduce risk.
5) Transition Tasks To Self-Serve and Systems
In this part of the process, we will use technology to reduce your risk. Rather than handing out privileged user access rights to everyone, look at using a self-serve approach. For example, let users submit ordinary access requests and have them approved by rules, such as a predefined list of optional system access rights for sales representatives. There’s no need to have these kinds of routine requests handled manually.
Use an identity and access management software solution like Group Enforcer. This application makes it easy to simplify access management based on job role. That means less administration work for your managers.
6) Establish An Optimization Schedule
Keeping privileged user risk under control requires ongoing monitoring. As a starting point, we recommend monitoring this group of users every quarter. If there is minimal activity, you can adjust the schedule to an annual review instead.
What To Do If You Cannot Get Budget Approval For New Software
Specialized identity and access management software is a key tool in managing privileged users. However, you might face resistance to obtaining budget approval for new software purchases. In that situation, develop a business case to win executive support. Use the process outlined in our article “Build Your Business Case for Single Sign-On” for the next steps.