Privileged Access Management

Privileged Access Management (PAM) builds on the basic IT security concept that a user should have the minimum privileges needed to do their work and no more.

On a stand-alone Windows machine one or more ‘user’ accounts and a single ‘administrator’ account should be created. Use of the ‘administrator’ account permits an individual or program to make changes to the machine settings, with the potential for accidental damage and the risk of allowing malware to run riot. Hence the simplest form of Privileged Access Management is to restrict access to the administrator account. On a domain (Windows) or LDAP (Linux/Unix) system the individual’s login credentials will be linked to privileges of access on the network. Remember that even on a domain-based solution, access to individual machines is still possible through their local accounts, with potential damage to the system as a whole.

The above advice would have applied equally well at the end of the 1990s, except for the version of Windows in use. Computer systems have become considerably more complex since then. Information may be held on virtual and cloud servers over which the original data creator has limited control. Internet services are frequently run within the cloud rather than on dedicated company servers. Social media hosting is almost completely out of the data owner’s control. All these systems, together with program suites for business solutions, data management and security, depend on systems of users and passwords. They all also fall under the same simple mantra of only allowing the minimum access required to do what they are supposed to do. While every user could be assigned their own set of passwords, the more that responsibilities and access can be grouped the better. Assigning a single sign on for each user is the ideal, but minimising accounts is more realistic and easier to regulate.

Steps towards Privileged Access Management include:

  • Group accounts based on a role in the business (sales, warehouse etc.)
  • Only assign the lowest privilege to allow normal work to be done.
  • Temporarily elevate a privilege for a task then reduce it afterwards.
  • Monitor and audit network traffic including details of users and their points of access.
  • Pay particular attention to accounts with high levels of access.

An important aside is that accounts should never be shared (except perhaps for the most limited of guest access). Having each account traceable to a distinct user allows any event to be tracked down to the responsible individual or program. If 3 members of staff each need administrator access they should each have individual accounts or be part of a group with appropriate rights of access. Phishing and similar hacking activities aim to compromise accounts. If access management is optimally set up, the accounts most likely to be phished will be those with less potential to harm the overall system.
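The steps listed above and the no-shared-accounts rule can be checked mechanically against an account inventory. The following is an added example, not code from Kindus or from any PAM product; the role names, privilege names, account records and the fixed clock are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed role-to-privilege baseline (hypothetical role and privilege names).
ROLE_BASELINE = {
    "sales": {"crm_read", "crm_write"},
    "warehouse": {"stock_read", "stock_write"},
    "it_admin": {"crm_read", "stock_read", "domain_admin"},
}
HIGH_PRIVILEGE = {"domain_admin", "local_admin"}
NOW = datetime(2024, 9, 3, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed inventory; 'owners' lists everyone who can log in with the account,
# 'elevations' maps a temporarily granted privilege to its expiry time.
ACCOUNTS = [
    {"name": "asmith", "role": "sales", "owners": ["A. Smith"],
     "privileges": {"crm_read", "crm_write"}, "elevations": {}},
    {"name": "bjones", "role": "warehouse", "owners": ["B. Jones"],
     "privileges": {"stock_read", "stock_write", "local_admin"},
     "elevations": {"local_admin": NOW - timedelta(hours=2)}},  # grant has lapsed
    {"name": "cpatel", "role": "sales", "owners": ["C. Patel"],
     "privileges": {"crm_read", "crm_write", "stock_write"},
     "elevations": {"stock_write": NOW + timedelta(hours=1)}},  # grant still valid
    {"name": "admin", "role": "it_admin", "owners": ["D. Lee", "E. Roy", "F. Kay"],
     "privileges": {"crm_read", "stock_read", "domain_admin"}, "elevations": {}},
]

def audit(accounts, now=NOW):
    """Return sorted (account, finding) pairs for the PAM checks in the text."""
    findings = []
    for acct in accounts:
        # Every account must trace back to exactly one person or program.
        if len(acct["owners"]) != 1:
            findings.append((acct["name"], "shared account"))
        # Anything beyond the role baseline needs a live, time-boxed elevation.
        extra = acct["privileges"] - ROLE_BASELINE[acct["role"]]
        for priv in sorted(extra):
            expiry = acct["elevations"].get(priv)
            if expiry is None:
                findings.append((acct["name"], f"standing excess privilege: {priv}"))
            elif expiry <= now:
                findings.append((acct["name"], f"expired elevation not revoked: {priv}"))
        # High-access accounts are always surfaced for closer review.
        if acct["privileges"] & HIGH_PRIVILEGE:
            findings.append((acct["name"], "high privilege: review closely"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS):
        print(f"{name}: {finding}")
```

In a real deployment the inventory would come from the directory service or PAM tool's export rather than an inline list.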

Integrated solutions to the concept of Privileged Access Management are becoming available.  Many of these are Software as a Service (SaaS) models providing an integrated administration dashboard, single sign on for network users and some degree of automation.   They may appear similar but vary in the exact services offered.  Kindus understand the market and will provide advice on the best solution or combination of solutions for your business.
