Privilege Accounts - How Can We Control Them Without Blocking Our Privileged Users
One of the reasons for this is that they are smart people by the nature of their job, and they will likely care more about doing their job efficiently than about doing it securely. By no means do I mean they don’t care about security; simply that if they are prevented from doing their job, they may create alternative “backdoors” for themselves to simplify their efforts and effectively bypass your security policy.
Remember, security is there to enable the business to run, not to prevent it from doing so.
So what are we trying to achieve: is it Least Privilege, Just In Time Privilege, or Zero Trust Privilege? Ultimately it is a combination of all three. First, let me reiterate what each one is:
- Providing access only during general working hours (e.g. 9-5) and not outside of them. This method suits job roles where privileged access is required throughout the user’s day, but it is less applicable to users who only use their privileges periodically.
- Providing access only at the time it is required. This generally happens via some form of workflow, either automatic or with human approval: when access is required, the user requests the privileged access, which is then granted for a short period of time in order to do the job.
All of these concepts reduce our attack surface by limiting the potential damage from compromised credentials. So how do we do all this together without irritating the men and women on the ground doing their job? The answer is a combination of simple, secure MFA with machine learning that learns what a user usually does. This means that when something looks somewhat unusual we prompt for additional factors, and we can even deny access if it is completely out of the ordinary.
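To make the combination concrete, here is an added example (not from the original post or any product) of a small policy engine that ties the three controls together: a standing role is usable only inside a working-hours window, a just-in-time grant from an approval workflow carries an expiry, and a simple deviation score from the user's learned baseline decides between allowing, prompting for an extra factor, or denying. The role name, hours, weights and the "alice"-style scenarios are constructed assumptions, and a real deployment would replace the hand-weighted score with the learned model the text describes.

```python
from dataclasses import dataclass
from datetime import datetime
# Added example, not from the original post: a hypothetical policy engine
# combining working hours, JIT grants and behaviour-based step-up.
ALLOW, STEP_UP, DENY = "allow", "step-up", "deny"
WORK_HOURS = range(9, 17)          # assumed 9-5 window for standing roles

@dataclass
class Baseline:                    # what this user "usually does"
    devices: set
    countries: set

@dataclass
class Request:
    role: str
    when: datetime
    device: str
    country: str

def risk_score(req, base):
    """Count deviations from the learned baseline; geography weighs most."""
    score = 0 if req.device in base.devices else 1
    score += 0 if req.country in base.countries else 2
    score += 0 if req.when.hour in WORK_HOURS else 1
    return score

def decide(req, jit_grants, standing_roles, base):
    """Return allow / step-up / deny; jit_grants maps role -> expiry time."""
    standing = req.role in standing_roles and req.when.hour in WORK_HOURS
    jit = req.role in jit_grants and jit_grants[req.role] > req.when
    if not (standing or jit):
        return DENY                # no entitlement at this moment
    score = risk_score(req, base)
    if score >= 3:
        return DENY                # far from normal: block outright
    return STEP_UP if score else ALLOW   # somewhat unusual: extra factor

def sample_decisions():
    """Constructed scenarios for one admin with a 9-5 standing 'db-admin' role."""
    base = Baseline(devices={"laptop-1"}, countries={"GB"})
    grant = {"db-admin": datetime(2024, 3, 5, 23, 0)}   # JIT grant until 23:00
    req = lambda d, h, dev="laptop-1", cc="GB": Request("db-admin", datetime(2024, 3, d, h), dev, cc)
    return {
        "office_hours": decide(req(5, 10), {}, {"db-admin"}, base),
        "evening_no_grant": decide(req(5, 22), {}, {"db-admin"}, base),
        "evening_with_grant": decide(req(5, 22), grant, set(), base),
        "evening_new_device_abroad": decide(req(5, 22, "laptop-2", "US"), grant, set(), base),
        "after_grant_expiry": decide(req(6, 0), grant, set(), base),
    }
```

Running `sample_decisions()` shows the evening request with a valid grant being allowed only after an extra factor, while the same request from a new device in a new country is refused outright.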