Back in 1998, Dr. Stephen Johnson wrote Who Moved My Cheese?, a book which I would crudely and insufficiently summarize as being about change, resistance to change, and how to adapt in order to thrive.
Not too long ago, I was sitting in a room with a very fluffy sales guy. In between words such as "we'll make this happen" and "leave it with me, I'll get it sorted" he asked the question "What is Privileged Account Management?"
And so, I found myself trying to come back to analogies and basic life experiences to explain the concept.
Here it goes: the household front door. Your house is full of assets, just like an organization is full of assets. But, generally speaking, you have a front door, and that is where everyone comes through. If you're extra cautious you have a fly-wire door, a few lockbolts, and a security camera. These are all extra safety measures to assess who arrives at your front door, let you know if they should have access, and either let them in or tell them to go away.
But let's think for a moment about the folks you have given a key. There are the two kids, the husband, the wife, and maybe a spare with the grandparents (for emergencies, or for feeding the fish when the family goes on vacation).
Would you give those keys to just about anybody? Highly unlikely.
Let's upscale the example from a house, to a large enterprise headquarters. There are many, many more assets contained at the headquarters. And many, many more people who have access.
You still have a front door entrance, but now certain rooms and offices have locks. The comms room, the CEO's office, the CFO's office, the pantry with all the tasty chocolate biscuits and dozens of bottles of sparkling wine left over from the last holiday bash (yummmm)... they are all locked securely and only accessible by a few individuals.
And so it is with Privileged Account Management. A PAM system, at one fundamental level, provides a front door to the many system assets within your infrastructure.
But unlike our house or corporate office, our IT organizations have gotten used to being able to come and go as they please.
Downscaling the example again back to the house for simplicity: it's the technology parallel of a house with no significantly secure front door, just a bunch of holes in the side of the external walls that various teams can use to congregate and do their stuff. Oh, there are locks on the room doors, but now there's a key for the Windows room, a key for the Linux room, a key for the Network room, a key for the Applications room, a key for the Security room, and so forth...
As the owner of this house, are you particularly pleased to receive a different key for each room? Because the Windows guys decided to buy a car-like key, the Linux guys bought an open-source keypad with a PIN code, and a two-factor authentication physical token shaped like a penguin – so there's not one standard key ring that can capture all the master keys and keep them safe.
Then you have the issue associated with the passage of time. For some reason, you needed to check the Linux room. Maybe it was to make sure it didn't smell funky and that the folks weren't sleeping in their chairs, still cradling a packet of Cheetos. But the door won't open with your master key. The next day, you find out that the room leader decided to change the key and didn't inform you. It's fine this time, but what if this had been an emergency situation? You tell this to the Linux room leader, but he just shrugs and says "this is how we roll in our room".
You wonder to yourself, when did my house security get so fragmented? Why do I not have control over who accesses what rooms in my house? (And when did I let the Cloud Services team dismantle the patch of roof over their room and install a fire barrel, and why are they warming their hands on burning on-premises furniture and speaking to the sky?) UGH.
Maybe it is time that we all took a closer look at the front-door strategy that forms a part of enterprise Privileged Account Management. Of course, the front door analogy is only part of the true, full PAM story. But philosophically, it remains one of the biggest points of resistance in people's minds about how to access parts of the house.
Because many organizations today have IT folk who don't need to go through the front door; they simply walk through the wall and access the room they need. And while it's worked for you in the past, the management of this has not scaled well with complexity, size, and what is going on in the external world. We haven't even begun to talk about what's happening out there!
And thus, when explaining Privileged Account Management, I like to start by saying it is a bit like a front door of an office. You let people in through the front door, and you monitor their entry. You give them a proximity card and that card allows them to access the rooms (and only the rooms) that they are allowed in to. You might also record what happens in those rooms, and you can clearly account for who was where, and clearly see what people did.
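To make the front-door picture concrete, here is an added illustration (not code from the original post or from any BeyondTrust product) of the core behaviours just described: every privileged credential is fetched through one broker, an identity only receives credentials for the systems its role entitles it to, the lease is time-limited, the secret is rotated when the lease ends, and every decision lands in an audit trail that answers "who was where, and when". The class and role names, and the injectable clock, are assumptions made for the example.

```python
"""Toy model of a PAM 'front door' (added example; not a real product's API).

The broker holds privileged secrets in a vault, issues them only to entitled
identities for a limited lease, rotates the secret when the lease is returned
or expires, and records every decision so access can be accounted for.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass(frozen=True)
class Lease:
    user: str
    system: str
    secret: str
    expires_at: float  # epoch seconds


class PamBroker:
    def __init__(self, roles, entitlements, lease_seconds=900, clock=time.time):
        self._roles = dict(roles)                      # user -> role (constructed)
        self._entitlements = {r: set(s) for r, s in entitlements.items()}  # role -> systems
        self._lease_seconds = lease_seconds
        self._clock = clock                            # injectable for deterministic tests
        self._vault = {}                               # system -> current secret
        self._active = {}                              # (user, system) -> Lease
        self.audit = []                                # append-only decision trail

    def enroll_system(self, system):
        """Register a managed system; the broker generates and owns its secret."""
        self._vault[system] = secrets.token_urlsafe(24)

    def _log(self, event, user, system, outcome):
        self.audit.append({"ts": self._clock(), "event": event,
                           "user": user, "system": system, "outcome": outcome})

    def checkout(self, user, system):
        """The front door: deny unknown systems and non-entitled roles, else lease."""
        role = self._roles.get(user)
        if system not in self._vault:
            self._log("checkout", user, system, "denied: unknown system")
            return None
        if role is None or system not in self._entitlements.get(role, set()):
            self._log("checkout", user, system, "denied: not entitled")
            return None
        lease = Lease(user, system, self._vault[system],
                      self._clock() + self._lease_seconds)
        self._active[(user, system)] = lease
        self._log("checkout", user, system, "granted")
        return lease

    def is_valid(self, lease):
        """A lease is usable only while it is the active one and not expired."""
        current = self._active.get((lease.user, lease.system))
        return current is lease and self._clock() < lease.expires_at

    def checkin(self, user, system):
        """Return the lease and rotate the secret so the handed-out copy is dead."""
        if self._active.pop((user, system), None) is None:
            self._log("checkin", user, system, "denied: no active lease")
            return False
        self._vault[system] = secrets.token_urlsafe(24)
        self._log("checkin", user, system, "returned; secret rotated")
        return True

    def expire_leases(self):
        """Sweep expired leases; each expiry also rotates that system's secret."""
        now = self._clock()
        for key, lease in list(self._active.items()):
            if now >= lease.expires_at:
                del self._active[key]
                self._vault[lease.system] = secrets.token_urlsafe(24)
                self._log("expire", lease.user, lease.system, "expired; secret rotated")

    def granted_access(self, system):
        """Accounting view: which identities were actually let into this room."""
        return [e["user"] for e in self.audit
                if e["system"] == system and e["outcome"] == "granted"]


def demo():
    """Walk the broker through grant, deny, return, rotation and expiry."""
    clock = [1_000.0]
    broker = PamBroker(roles={"alice": "linux-admin", "bob": "windows-admin"},
                       entitlements={"linux-admin": {"linux-01"},
                                     "windows-admin": {"win-01"}},
                       lease_seconds=60, clock=lambda: clock[0])
    broker.enroll_system("linux-01")
    broker.enroll_system("win-01")
    denied = broker.checkout("bob", "linux-01")          # wrong room: None
    lease = broker.checkout("alice", "linux-01")         # entitled: granted
    first_secret = lease.secret
    broker.checkin("alice", "linux-01")                  # rotates the secret
    second = broker.checkout("alice", "linux-01")
    clock[0] += 61                                       # let the lease age out
    broker.expire_leases()
    return {"denied": denied is None,
            "rotated": first_secret != second.secret,
            "expired": not broker.is_valid(second),
            "linux_visitors": broker.granted_access("linux-01")}
```

The injectable clock is what makes lease expiry testable without sleeping; in a real deployment the rotation step would push the new secret to the managed system rather than only to the vault, and the audit list would be an append-only store outside the broker process.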
Sounds like common sense right? What business or house would think of not having a very secure front door entry? None.
Privileged Account Management represents a much needed change in the way we permit insider access to our IT systems. It provides that secure front door entry. Combined with other solid controls, the perimeter and internal structures should be secure. Adding an enterprise-grade Vulnerability Management system is like installing a security patrol team at your corporate office. It complements the effort you have gone through to secure access within, by ensuring the attack surface outside is known and treated.
As with any change, there is resistance from people who only want to work within the status quo. Fortunately, many PAM solutions today are very easy to work with, so from a productivity point of view as well as a security point of view, they tick all the right boxes. The implementation of PAM can build consensus, and it starts with IT teams taking on board a truly collaborative approach that in the short run might seem to threaten their little kingdom... but in the long run makes the bigger kingdom of the organization itself run efficiently and securely.
Author: Nigel Hedges | BeyondTrust Regional Manager – Australia & New Zealand | CISA, CISM, CISSP, CGEIT, CCSK ITIL-F, COBIT-F, MBA ISO27001 LI & LA