You can call it PIM (Privileged Identity Management); you can call it PAM (Privileged Account Management); you can call it PUM (Privileged User Management). The one thing you can’t call it is boring. I’ll go with PIM for now. It seems every customer we’re speaking to either has a PIM solution in place, is rolling one out, or is trying to find one. Considering the way auditors have been giving so much attention to administrative rights, this is no surprise. If you have IT systems, you have administrative users built into those systems. It’s a necessary evil. Well, security folks think of it as evil. For the person trying to get stuff done on the IT staff, administrative user ids are great. You know you can log in as that “god account” and get everything done without any pesky controls getting in your way. That’s exactly why the security team (not to mention the auditors) are so convinced these special user accounts need to be controlled.
The most interesting conversations about PIM recently have customers telling us about gaps in their approach to controlling administrative rights. The common theme is completeness. They’ve been able to apply PIM to the obvious places. PIM has control over the built-in administrative user accounts on the network devices, servers, and major application platforms. What’s happening now is they are starting to see all the other administrative rights that are out there in their IT world. Two areas that seem particularly painful are service accounts and local administrator rights on windows servers. What these two things have in common is that they are very hard to find. You would think service accounts would be easy. But they aren’t as black and white as they seem. You need to be able to understand a lot of different factors to reliably identify all of them. Local administrator rights are even trickier. Some of these will be local accounts on hosts that PIM would take direct control over. But sometimes local rights are granted to AD users that PIM can’t simply throw in the vault. To solve the local administrator rights issue, you need to not only find all these rights hiding in nested groups and local configurations on servers, but also sort out which ones are legitimate, which ones will go under PIM control, and which ones need to simply be eliminated.
Of course, the reason these organizations are having these conversations with us is that STEALTHbits can help close these gaps in their PIM programs. It’s another way STEALTHbits is finding that we can help out the big boys – very similar to how we help out IAM/IAG and SIEM players.