Privileged User Access Assurance
Posted by Kurt Johnson - VP Strategy on Tue, Apr 07, 2009
Adam Bosnian recently noted in an article he penned in SC Magazine the importance of privileged user access and the risk of poor controls around privileged users. We clearly see this as a critical issue that our customers and prospective customers are trying to get their hands around, and it's critical that privileged accounts are considered as part of a broader access assurance strategy.
Access assurance, for those not familiar with the term, is ensuring that the right users have the right access to the right resources, and are doing the right things with it. One of the most popular questions I get when I'm on the road talking to companies is, "Where should we start?" We often find organizations taking a tactical jump into access assurance. Often it's driven by an audit finding. So, if it's a SOX audit, it's the key financial apps they start with. If it's HIPAA, it may be clinical applications. If it's a finding around accounts still in place for users who left the organization, it's a focus on disabling user access.
Organizations need to take a step back and prepare a comprehensive access assurance strategy. The key is to look across the environment and build a phased plan with some key initial wins. This should be driven by the areas of highest risk in the organization. You should try to avoid the fire-fighting approach of trying to stomp out little fires all over the place. Build a plan and make sure to include privileged user access as part of the broader identity and access management program.
It's important to take this comprehensive view to lay out a continual process for access assurance. Define who should have access to what. Enforce and apply that access. Detect when access or activity is beyond the scope of policy. Correct variances from policy and continuously evaluate whether the policy is appropriate. This applies to privileged and common users alike.