“CIO Perspectives” is a whitepaper series by Mark Settle that explores the top-of-mind technical issues confronting today’s CIOs and IT leaders. Mark is a seven-time CIO, a three-time CIO 100 award winner, and a two-time book author. His most recent book is Truth from the Valley, A Practical Primer on IT Management for the Next Decade.
Conventional PAM solutions are based on the flawed premise that the management controls used to create, configure and administer IT resources can be neatly packaged in a limited number of privileged accounts, and that access to these accounts can be restricted to a limited number of privileged users. In a modern enterprise employing hundreds of cloud-based applications, dozens of cloud-based data repositories and potentially thousands of ephemeral cloud computing instances, almost everyone holds some form of control over selected IT resources. In other words, almost everyone is a privileged user!
Privilege sprawl is rampant in most corporations. Attempts to limit the number of privileged actions available to end users or the number of privileged users themselves are futile. The two most effective means of battling privilege sprawl are stringent enforcement of end user authentication procedures and equally stringent enforcement of zero standing privilege principles.
Enterprises have been reluctant to employ step-up or continuous authentication procedures in the past due to concerns about disrupting or inconveniencing end users. A host of current technologies – including biometric factors, TPM-hosted cryptographic keys and digital wallets – now make it possible to increase the diversity, frequency and unpredictability of identity verification events during an end user work session, making it far harder for even a sophisticated attacker to impersonate an authorized user.
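The two controls just described, zero standing privilege and step-up verification before a privileged action, fit together naturally in a single authorization gate. The following Python sketch is an added illustration, not code from the paper or from any PAM product: a privileged action is allowed only if (a) a just-in-time grant for that action is still live, so no privilege stands permanently, and (b) a factor of sufficient strength was verified recently enough, with an optional random "surprise" re-verification so the timing of the next challenge cannot be predicted. The assurance levels, per-action policy table, TTLs and the sample session are all assumed values chosen for the example.

```python
"""Privileged-action gate: zero standing privilege + step-up freshness.
Added illustration; names, levels, thresholds and sample data are assumed."""
import random
from dataclasses import dataclass, field

# Assurance levels, higher = stronger factor verified (assumed scheme,
# loosely modelled on NIST SP 800-63B AAL1..AAL3).
PASSWORD, PHONE_OTP, HARDWARE_KEY = 1, 2, 3


@dataclass
class Grant:
    action: str         # e.g. "db.prod.write"
    expires_at: float   # epoch seconds; every grant has a TTL


@dataclass
class Session:
    user: str
    verified: dict = field(default_factory=dict)  # level -> last verification time
    grants: list = field(default_factory=list)    # live JIT grants


# Per-action policy: minimum factor strength and how old the verification may be.
# Assumed example values; a real deployment tunes these per action.
POLICY = {
    "db.prod.read":   {"level": PASSWORD,     "max_age": 8 * 3600},
    "db.prod.write":  {"level": PHONE_OTP,    "max_age": 15 * 60},
    "iam.role.grant": {"level": HARDWARE_KEY, "max_age": 5 * 60},
}


def prune_expired(session, now):
    """Zero standing privilege: grants die on their own, no revocation ticket needed."""
    session.grants = [g for g in session.grants if g.expires_at > now]


def grant_jit(session, action, now, ttl_seconds):
    """Issue a just-in-time grant that lasts only ttl_seconds."""
    session.grants.append(Grant(action, now + ttl_seconds))


def record_verification(session, level, now):
    """Note that the user just passed a factor of the given strength."""
    session.verified[level] = now


def strongest_fresh_level(session, now, max_age):
    """Highest level verified within max_age seconds of now; 0 if none."""
    fresh = [lvl for lvl, t in session.verified.items() if now - t <= max_age]
    return max(fresh, default=0)


def authorize(session, action, now, surprise_rate=0.0, rng=random):
    """Return (allowed, reason). Default-deny for unknown actions."""
    policy = POLICY.get(action)
    if policy is None:
        return False, "deny: no policy for action"
    prune_expired(session, now)
    if not any(g.action == action for g in session.grants):
        return False, "deny: no live JIT grant"
    level = strongest_fresh_level(session, now, policy["max_age"])
    if level < policy["level"]:
        return False, f"step-up: need level {policy['level']} within {policy['max_age']}s"
    # Unpredictability: occasionally demand re-verification even when fresh.
    if rng.random() < surprise_rate:
        return False, "step-up: unscheduled re-verification"
    return True, "allow"


def demo():
    """Walk one constructed session through the gate; returns the decisions."""
    s = Session("alice")
    t0 = 1_700_000_000.0
    record_verification(s, PASSWORD, t0)
    out = [authorize(s, "db.prod.write", t0)]          # no grant yet -> deny
    grant_jit(s, "db.prod.write", t0, ttl_seconds=600)
    out.append(authorize(s, "db.prod.write", t0))       # password alone too weak
    record_verification(s, PHONE_OTP, t0 + 10)
    out.append(authorize(s, "db.prod.write", t0 + 20))  # fresh OTP + live grant
    out.append(authorize(s, "db.prod.write", t0 + 700)) # grant has expired
    return out


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The point of the gate is the one the paper makes: the decision is taken at the moment of the privileged action, not at login, and a denial costs the user a re-verification rather than a help-desk ticket.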
Tools are also emerging that can be used to monitor privilege sprawl at multiple levels, from individual users to individual IT systems to individual functional departments to the entire enterprise. Sprawl management is a war that may be fought on an employee-by-employee basis but will never be won that way. Guidelines established on multiple technical and organizational levels can serve as early warning systems notifying management that privileges are being awarded too easily or revoked too slowly.
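To make the multi-level guideline idea concrete, here is an added Python example (not the paper's own, and not a description of any specific product) that runs a set of constructed privilege-grant records through thresholds at user, system, department and enterprise level and emits an alert for each breach. The record layout, the threshold values, the "stale after 90 days" and "revocation lag" metrics, and the sample data are all assumptions made for the example; a real tool would pull the same data from an identity provider or cloud IAM.

```python
"""Multi-level privilege-sprawl monitor over constructed grant records.
Added illustration; record format, thresholds and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DAY = 86400


@dataclass
class Grant:
    user: str
    dept: str
    system: str
    granted_at: int               # epoch seconds
    revoked_at: Optional[int]     # None while the privilege still stands
    last_used: Optional[int]      # None if never exercised


# Assumed guideline thresholds; a real deployment tunes these per environment.
LIMITS = {
    "user_max_active": 3,       # active privileged grants per person
    "system_max_admins": 2,     # people holding privilege on one system
    "dept_max_per_head": 1.5,   # active grants per employee in a department
    "stale_days": 90,           # active but unused this long = awarded too easily
    "revoke_lag_days": 14,      # days from last use to revocation = revoked too slowly
}


def active(grants, now):
    return [g for g in grants if g.revoked_at is None or g.revoked_at > now]


def stale(grants, now, days):
    """Active grants not exercised within `days`; never-used ones count from grant time."""
    cutoff = now - days * DAY
    return [g for g in grants
            if (g.last_used if g.last_used is not None else g.granted_at) < cutoff]


def evaluate(grants, headcount, now, limits=LIMITS):
    """Return alerts as (scope, subject, metric, value) tuples, level by level."""
    alerts = []
    live = active(grants, now)

    per_user, per_system, per_dept = defaultdict(int), defaultdict(set), defaultdict(int)
    for g in live:
        per_user[g.user] += 1
        per_system[g.system].add(g.user)
        per_dept[g.dept] += 1

    for user, n in per_user.items():                       # individual user level
        if n > limits["user_max_active"]:
            alerts.append(("user", user, "active_grants", n))
    for system, users in per_system.items():               # individual system level
        if len(users) > limits["system_max_admins"]:
            alerts.append(("system", system, "privileged_users", len(users)))
    for dept, n in per_dept.items():                       # department level
        ratio = n / headcount[dept]
        if ratio > limits["dept_max_per_head"]:
            alerts.append(("department", dept, "grants_per_head", round(ratio, 2)))

    # Enterprise level: share of live grants nobody uses, and how long revocation lags.
    stale_share = len(stale(live, now, limits["stale_days"])) / len(live) if live else 0.0
    if stale_share > 0.25:
        alerts.append(("enterprise", "all", "stale_share", round(stale_share, 2)))
    revoked = [g for g in grants if g.revoked_at is not None and g.last_used is not None]
    if revoked:
        lag = sum(g.revoked_at - g.last_used for g in revoked) / len(revoked) / DAY
        if lag > limits["revoke_lag_days"]:
            alerts.append(("enterprise", "all", "avg_revoke_lag_days", round(lag, 1)))
    return alerts


# Constructed sample data (not real records).
NOW = 1_700_000_000
HEADCOUNT = {"eng": 3, "finance": 2}
SAMPLE = [
    Grant("alice", "eng", "prod-db", NOW - 200 * DAY, None, NOW - 1 * DAY),
    Grant("alice", "eng", "k8s",     NOW - 150 * DAY, None, NOW - 2 * DAY),
    Grant("alice", "eng", "ci",      NOW - 100 * DAY, None, NOW - 95 * DAY),   # stale
    Grant("alice", "eng", "vault",   NOW - 50 * DAY,  None, None),             # unused, not yet stale
    Grant("bob",   "eng", "prod-db", NOW - 300 * DAY, None, NOW - 100 * DAY),  # stale
    Grant("carol", "eng", "prod-db", NOW - 30 * DAY,  None, NOW - 3 * DAY),
    Grant("dan",   "finance", "erp", NOW - 400 * DAY, NOW - 10 * DAY, NOW - 60 * DAY),  # revoked 50d after last use
    Grant("erin",  "finance", "erp", NOW - 20 * DAY,  None, NOW - 1 * DAY),
]


def sample_alerts():
    return evaluate(SAMPLE, HEADCOUNT, NOW)


if __name__ == "__main__":
    for scope, subject, metric, value in sample_alerts():
        print(f"{scope:<10} {subject:<8} {metric:<20} {value}")
```

On the sample data the monitor fires at every level at once: one user holds too many grants, one system has too many administrators, the engineering department averages two grants per head, and enterprise-wide both the stale share and the revocation lag are over their guideline. That is the early-warning behaviour the paper describes, and the thresholds, not the per-employee clean-up, are what management actually tunes.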
This paper is a call to action for IT practitioners to stop thinking about curbing privilege sprawl by limiting access to IT resources and to start thinking about controlling the actions that users can perform after access has been obtained.