I got to thinking the other day about the terms “privileged identity management,” “privileged account management,” and “privileged access management”. These are all terms that the industry uses pretty interchangeably, but have the meanings changed over the years? Do they need to?
Here’s why I ask the question:
We used to define privileged users as administrators of a system or application – people who could cause big problems if they made a serious mistake or did something malicious. We created ways to restrict what administrators could do, and we started by controlling specific administrative accounts – the ones that represent the proverbial keys to the kingdom.
When we look at how our IT environment has changed (and how we expect it to continue to change), we see the same high-level trends having an impact across the board. Typically, as an industry, we describe these broad changes as mobility, cloud and consumerization of IT. But essentially these trends point out that the how of IT is changing. Let me explain what I mean.
In many cases it’s useful to look at the what and the how – the goals and objectives along with the ways those goals and objectives are met. I would argue that the what of IT has not changed. IT is about connecting consumers of technology resources to those resources. This is the case whether we are talking about a user on a mainframe terminal on a hardwired connection to a mainframe server or a user on a tablet sitting in a coffee shop connected to an application running on a hosted server in a provider’s datacenter. So if the what of IT hasn’t really changed, then we need to look at the how. These large trends are changing how we do business, so perhaps it is time to look at how our approach needs to change in order to keep up with the times and, more importantly, prepare ourselves for the future.
So let me bring this discussion back to privileged identity management. The trends we’re seeing create a lot more grey area. The ways consumers connect to resources and the ways we need to manage these relationships have shifted as we move from a much simpler and controlled environment to a very dynamic and diverse environment. In this environment, every user has more privileges (in fact they have differing degrees of privilege across a varying environment). And these privileges may have a significant impact across an organization. For example, a user who has access to a corporation’s social media accounts may inadvertently communicate information that should not be publicly shared. Another example is the case of a “dev-ops” team managing server infrastructure in the cloud. Are these people developers or IT admins?
Lastly, I’ll point out that the distributed devices and resources (due to mobile devices, outsourcing, hosted servers, federation, etc.) increase the attack surface that organizations need to deal with, so consistency across our environments is critical. An image of a door with ten locks but no walls (i.e. just walk around the door) comes to mind.
What’s my point? It’s that from a privilege-management perspective, we have evolved to the point we knew would arrive someday. Smart folks who came before have already described that we need a systemic way to think about privilege management and that we must start with principles like “least privilege access”: Users should log in as themselves and receive only those privileges required for their job. If they require more privilege, they should explicitly elevate privilege, and I would add, in a manner whereby all their activities can be specifically traced back to the individual. Some will argue that least privilege has been too hard to deploy and manage, but this is a terrible rationalization for deploying band-aids or doing nothing. We simply must make it easier to deploy least privilege models of privilege management. We need to make sure we are using the right models and frameworks to describe privilege management for our expanding problem space and requisite solution.
What do you think?