Privilege Accounts - How Can We Control Them Without Blocking Our Privileged Users

21/05/19 – Author: Ben Marrable – Certified Centrify Consultant
Administrators in organisations need to be able to get the job done, and they should be able to do it without jumping through unnecessary hoops.

One of the reasons for this is that they are smart people by the nature of their job, and they will likely care more about doing their job efficiently than securely. By no means do I mean they don’t care about security, simply that if they are prevented from doing their job, they may create alternative “backdoors” for themselves to simplify their efforts, effectively bypassing your security policy.

Remember, security is there to enable the business to run, not to prevent it from doing so.

So what are we trying to achieve? Is it Least Privilege, Just In Time Privilege, or Zero Trust Privilege? Ultimately it’s a combination of all three. First, let me reiterate what each one is:

  • Least Privilege is the concept of granting only enough privilege to do the job. The concept has been around for a very long time and is generally agreed to be security best practice, yet we are still struggling to implement it in many of our organisations.
  • Just In Time Privilege is the concept of allowing privilege only at the time of doing the job. There are a couple of implementation methods to deliver this:
      1. Providing access for general working hours (e.g. 9-5) and not outside of these. This method would be suitable for certain job roles where privileged access is required throughout the user’s day, but it isn’t so applicable to users who only use their privileges periodically.
      2. Providing access only at the time of requirement. This generally happens via some form of workflow, either automatic or with human approval. When access is required, a user requests the privileged access, which is then granted for a short period of time in order to do the job.
  • Zero Trust Privilege is the concept of inherently not trusting any privileged request. Specifically, just because a user is on the network and has the correct password, that does not mean they are who they say they are, or even that their intentions are appropriate. Requesting certain additional authentication factors and measuring the request based on risk, to verify who they are and what they are doing, is the concept of Zero Trust Privilege.

All of these concepts reduce our attack surface by reducing the potential damage from compromised credentials. So how do we do all this together without causing irritation to the men and women on the ground doing their job? The answer is to combine simple and secure MFA with machine learning that understands what a user usually does. This means that when something looks somewhat unusual we prompt for additional factors, and we can even deny access if it’s completely out of the ordinary.
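
A minimal sketch of how the three checks can be layered into a single decision, added here as an illustration and not taken from Centrify or the author. The role, user, host and action names, the grant model, and the simple "never seen before" risk count that stands in for machine learning are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical roles, users, hosts and actions).
ENTITLEMENTS = {"dba": {"db-prod:restart", "db-prod:backup"}}  # least privilege
HISTORY = {"alice": [("ws-042", 10), ("ws-042", 14)]}  # (source host, hour) of past sessions

@dataclass
class Grant:  # time-boxed approval issued by a request workflow
    user: str
    action: str
    start: datetime
    expires: datetime

@dataclass
class Request:
    user: str
    role: str
    action: str
    host: str
    when: datetime

def risk_score(req, history=HISTORY):
    """Stand-in for a learned baseline: count attributes never seen for this user."""
    past = history.get(req.user, [])
    unseen_host = req.host not in {h for h, _ in past}
    unseen_hour = req.when.hour not in {hr for _, hr in past}
    return int(unseen_host) + int(unseen_hour)

def decide(req, grants):
    # 1. Least privilege: the role must be entitled to this action at all.
    if req.action not in ENTITLEMENTS.get(req.role, set()):
        return "deny"
    # 2. Just in time: a grant for this user and action must be live right now.
    live = any(g.user == req.user and g.action == req.action
               and g.start <= req.when < g.expires for g in grants)
    if not live:
        return "request-approval"
    # 3. Zero trust: even an entitled, approved request is scored against the baseline.
    score = risk_score(req)
    if score == 0:
        return "allow"        # matches usual behaviour
    if score == 1:
        return "step-up-mfa"  # somewhat unusual: prompt for an additional factor
    return "deny"             # completely out of the ordinary

# Constructed grant: two-hour window approved for one action.
GRANTS = [Grant("alice", "db-prod:restart",
                datetime(2019, 5, 21, 9, 0), datetime(2019, 5, 21, 11, 0))]
```

The routine administrator sees no extra prompt at all, which is the point of the approach: friction only appears when the request drifts from the user's baseline or falls outside an approved window.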