Privilege isn’t unique or limited to the IT department, even though you might think so based upon most of what’s written about privilege management and the scenarios usually discussed. Here’s a list of privileged accounts we most commonly consider privileged accounts:
- Built-in super users: root, administrator, etc.
- Device or computer level
- Domain / realm
- Application level
- Customer created superusers: rsmith in the Administrators group, john.smith in the wheel group. Same levels as above, plus
- Cloud: tenant, account, etc.
- Accounts with delegated privilege. Not full superusers, but having a subset of administrative rights such as:
- Password reset
- User account maintenance
- System maintenance operations
- Group membership maintenance
- Control over permission to certain resources
- Audit log access
By the way, I sometimes see level 3 in the above list omitted when people talk about privileged accounts.
But my real point is that the above list reflects an arbitrary limit on what we consider privileged accounts that corresponds to the boundaries of the IT department. There’s no good reason for this. Risk and privilege remain risk and privilege regardless of the department involved.
Here are some examples of things outside the IT department we should regard as privileged and provide the same level of protection as we do for accounts with a similar risk level inside IT:
- Banking transactions
- SCADA
- Software build servers
- Automated process and manufacturing control systems
- Commodities and securities trading
- Patient Healthcare Systems/Data
Here’s something that makes some of these scenarios even more critical to protect. The applications are frequently old and were never built for today’s attackers and risks. Some of these process control and manufacturing systems have no security at all. So, how do you protect them other than putting them on an isolated network controlling access with physical security?
We will discuss all of these points and more in this real training for free session.
First, we’ll explore how to find operations, roles, applications and transactions outside of IT that should be considered privileged. We’ll talk about the criteria for making that discussion and then we’ll dive into how to protect these areas of privilege using the same proven principles and technologies we’ve been deploying with the IT department for privilege management. We’ll explore how to provide:
- Accountability
- Deterrent controls
- Detective controls
- Preventive controls
- Access Controls
We’ll also discuss how to demonstrate compliance.
BeyondTrust is the perfect sponsor for this real training-for-free event. Product managers Jason Jones and Brian Chappell will also demonstrate how the BeyondTrust privileged access management (PAM) platform can exert privileged security controls both inside the IT environment as well as for those activities and assets outside its traditional bounds.
Please join us for this real training for free event.