Gerard Taylor, senior consultant at Ubusha Technologies
In the last post, we examined why it's critical to manage the entire life cycle of the privileged account. In this post, we'll look at some best practices and how you can tell whether your business is doing a good job of controlling the privileged account life cycle.
Five Key Questions to Ask about Privileged Accounts
To contain the risks associated with the privileged account life cycle, it's critical to ensure these accounts exist only for as long as they are needed, and not a second longer. Mature management of your privileged accounts means a business will be able to answer the following five questions for every such account:
- Why does this privileged account exist?
- Who is accountable for its existence?
- Who approved the existence and why?
- When was the approval granted?
- When last was the existence of this privileged account reviewed?
Only if you can answer all five of these questions for every privileged account can your company claim to be truly in control of them. The key component that needs to be addressed is controlling the existence of your privileged accounts.
This should be achieved through a definitive register of these accounts. Which system holds the register does not matter; what matters is that it lets you manage the life cycle of each account.
That means recording the decisions made at each stage of the life cycle (creation, approval, review, removal), producing the reports and audit trails the organization requires, and, most importantly, integrating with your existing environment and systems so that the life cycle can be automated and the register can be checked against the accounts that actually exist.
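What such a register looks like in practice, as an added example that is not part of the original post: each entry carries the answers to the five questions plus an audit trail of decisions, and a reconciliation step compares the register with the accounts actually discovered on the systems, flagging accounts with no register entry, register entries whose account no longer exists, entries that cannot answer all five questions, and entries past their review date. All account names, dates and the 90-day review interval are constructed assumptions for illustration, not values from the post.

```python
"""Minimal privileged-account register with the five life-cycle answers, an
audit trail, and a reconciliation check against accounts found on the systems.
All names, dates and the review interval are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=90)  # assumed policy: re-review quarterly


@dataclass
class RegisterEntry:
    account: str                               # e.g. "svc-backup@prod-db01"
    purpose: Optional[str] = None              # 1. why does it exist?
    owner: Optional[str] = None                # 2. who is accountable?
    approver: Optional[str] = None             # 3. who approved it ...
    approval_reason: Optional[str] = None      #    ... and why?
    approved_on: Optional[date] = None         # 4. when was approval granted?
    last_reviewed_on: Optional[date] = None    # 5. when was it last reviewed?
    history: list[tuple[str, str, str]] = field(default_factory=list)  # audit trail

    def record(self, on: date, actor: str, action: str) -> None:
        """Append an audit line (date, actor, action); this is what the auditor sees."""
        self.history.append((on.isoformat(), actor, action))


# Attribute that must be present for each question (question 3 has two parts).
FIVE_QUESTIONS = [
    ("purpose", "why does this account exist"),
    ("owner", "who is accountable for it"),
    ("approver", "who approved it"),
    ("approval_reason", "why was it approved"),
    ("approved_on", "when was approval granted"),
    ("last_reviewed_on", "when was it last reviewed"),
]


def unanswered(entry: RegisterEntry) -> list[str]:
    """Questions the register cannot answer for this entry."""
    return [q for attr, q in FIVE_QUESTIONS if getattr(entry, attr) in (None, "")]


def review_overdue(entry: RegisterEntry, today: date) -> bool:
    """Never reviewed, or reviewed longer ago than REVIEW_INTERVAL."""
    return entry.last_reviewed_on is None or today - entry.last_reviewed_on > REVIEW_INTERVAL


def reconcile(register: dict[str, RegisterEntry], discovered: set[str], today: date) -> dict:
    """Compare the register with the accounts actually present on the systems.

    'unregistered': exists on a system with no recorded justification at all.
    'orphaned': in the register but no longer exists, so the register is inaccurate.
    'incomplete' / 'review_overdue': entries you could not substantiate to an auditor.
    """
    return {
        "unregistered": sorted(discovered - register.keys()),
        "orphaned": sorted(register.keys() - discovered),
        "incomplete": {n: unanswered(e) for n, e in register.items() if unanswered(e)},
        "review_overdue": sorted(n for n, e in register.items() if review_overdue(e, today)),
    }


def sample_register() -> dict[str, RegisterEntry]:
    """Constructed sample data, not from any real environment."""
    backup = RegisterEntry("svc-backup@prod-db01", "nightly DB backup", "dba-team",
                           "cto", "backups require DBA role", date(2023, 1, 10),
                           date(2023, 4, 5))
    backup.record(date(2023, 1, 10), "cto", "approved creation")
    backup.record(date(2023, 4, 5), "dba-team", "reviewed, still required")
    # Approver and reason never recorded, and never reviewed.
    deploy = RegisterEntry("svc-deploy@ci01", "pipeline deploys", "platform-team",
                           approved_on=date(2022, 11, 1))
    # Fully documented, but the account has since been deleted on the host.
    migr = RegisterEntry("adm-migration@app02", "one-off migration", "app-team",
                         "ciso", "temporary elevated access", date(2023, 2, 1),
                         date(2023, 4, 1))
    return {e.account: e for e in (backup, deploy, migr)}


# Constructed list of privileged accounts "discovered" on the systems.
DISCOVERED = {"svc-backup@prod-db01", "svc-deploy@ci01", "svc-legacy-etl@app02"}


def run_sample(today: date = date(2023, 5, 1)) -> dict:
    return reconcile(sample_register(), DISCOVERED, today)


if __name__ == "__main__":
    for finding, detail in run_sample().items():
        print(f"{finding}: {detail}")
```

In a real deployment the discovered set would come from the systems themselves (directory queries, local account enumeration, cloud IAM listings) on a schedule, and every register change would be written through `record` so the audit trail is produced as a by-product of operating the register rather than assembled for the auditor afterwards.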
Being able to answer all five questions satisfactorily is only part of the challenge. Answering them is of little worth unless you can prove to auditors that the answers are accurate.
You have only arrived at true governance once you can demonstrate, with records rather than assertions, that the answers to these questions are complete, accurate and reliable.
After all, as we mentioned earlier, the issues of governance, risk and compliance (GRC) are taking on an ever greater importance in most organizations, and with an effective GRC policy requiring proof for the auditors, being able to substantiate your answers to these five questions is more vital than ever.
Ultimately, however, the most important reason for ensuring complete and effective life cycle management for your privileged accounts boils down to ensuring your company’s own safety and security.
Bad management inevitably leaves access points open: forgotten, orphaned or never-reviewed privileged accounts remain valid credentials long after anyone needs them, and someone with mischief in mind can use them to get into your business.
One such small hole can become a great big door through which an attacker, external or internal, can walk unchallenged and cause untold damage to your organization. Badly managed privileged accounts are the equivalent of leaving your company's back door wide open.