Published: 06 September 2016
By Andy Harris
We've heard a couple of deployment ideas recently and thought they'd make a very strong combination for increasing security and reducing the cost of managing Privileged Access Management Solutions.
The first seems counterintuitive: remove all Personalised Privileged Accounts. Of course, managing these personalised accounts is one of Osirium's best features! However, here's the gain: if you organise your system access into role-based accounts, your team can ensure that these are kept to the absolute minimum. This means that your Privileged Account attack surface is as small as it can be. The issue here is that the credentials of role-based accounts could get proliferated around the organisation. Therefore it's vital that you:
The next step is to ensure that you can always determine the identity of whoever uses these accounts. This is very simple using Osirium's profiles and groups. Everything is sent to syslog, so your SIEM systems can tie the person, the role-based account and the session together.
Here's the second idea: people have no access to any system unless there is an authorised reason. This of course raises the question of how to manage all those authorisations. Isn't it easier for your SysAdmins and DevOps to work their way through the open tickets and deal with issues as they arise?
Your ticket system contains the inherent reasons why someone should be authorised to access particular systems. If you can combine your ticketing system with Osirium's profiles you get this:
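The two mechanisms above (identity attribution through syslog, and access gated on an open ticket) can be sketched as one small policy engine. The following is an added example, not Osirium's code or API: the ticket records, host names, role-account names and the `pam-gateway` log prefix are all constructed for illustration. It grants a role-based account only when the requesting person holds an open ticket for that host, emits a syslog-style line that names the person behind the shared account, and includes the SIEM-side check that flags any granted session lacking that attribution.

```python
"""
Added example (not Osirium's code): ticket-gated use of a role-based
privileged account, with every session attributed to a named person in a
syslog-style audit line, plus the SIEM-side check a defender would run.
All tickets, hosts, users and account names are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed export from a hypothetical ticketing system:
# ticket id, assignee (the personal identity), target host, status.
OPEN_TICKETS = [
    {"id": "INC-1042", "assignee": "alice", "host": "db-prod-01", "status": "open"},
    {"id": "CHG-0311", "assignee": "bob", "host": "fw-edge-02", "status": "open"},
    {"id": "INC-0999", "assignee": "alice", "host": "fw-edge-02", "status": "closed"},
]

# Role-based accounts: the only privileged credentials that exist per host.
# Nobody holds a personalised privileged account on these systems.
ROLE_ACCOUNTS = {
    "db-prod-01": "dba-role",
    "fw-edge-02": "netops-role",
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    ticket: Optional[str] = None
    role_account: Optional[str] = None


def authorise(user: str, host: str, tickets=OPEN_TICKETS) -> Decision:
    """Grant the role account for `host` only if `user` holds an OPEN ticket for it.
    A closed ticket, or a ticket assigned to someone else, is not an authorised reason."""
    if host not in ROLE_ACCOUNTS:
        return Decision(False, "no role account defined for host")
    for t in tickets:
        if t["assignee"] == user and t["host"] == host and t["status"] == "open":
            return Decision(True, "open ticket", t["id"], ROLE_ACCOUNTS[host])
    return Decision(False, "no open ticket for this user and host")


def audit_line(user: str, host: str, decision: Decision) -> str:
    """Syslog-style record tying the personal identity to the shared role account.
    This is the line the SIEM uses to answer 'who was really behind dba-role?'."""
    outcome = "GRANTED" if decision.allowed else "DENIED"
    return (f'pam-gateway: {outcome} user={user} host={host} '
            f'role_account={decision.role_account or "-"} '
            f'ticket={decision.ticket or "-"} reason="{decision.reason}"')


AUDIT_RE = re.compile(
    r'pam-gateway: (\w+) user=(\S+) host=(\S+) role_account=(\S+) ticket=(\S+)')


def unattributed_sessions(log_lines):
    """SIEM-side check: every GRANTED role-account session must carry both a
    personal identity and a ticket. Returns the offending lines."""
    findings = []
    for line in log_lines:
        m = AUDIT_RE.search(line)
        if not m:
            continue
        outcome, user, host, role, ticket = m.groups()
        if outcome == "GRANTED" and (user == "-" or ticket == "-"):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for user, host in [("alice", "db-prod-01"), ("alice", "fw-edge-02"), ("bob", "db-prod-01")]:
        print(audit_line(user, host, authorise(user, host)))
```

The policy deliberately has no "standing access" path: with no open ticket the request is denied, which is the "no access unless there is an authorised reason" rule expressed in code. The `unattributed_sessions` check is the other half of the idea; a shared role account is only acceptable if the audit trail can always name the person who used it, so any granted session without a `user` and `ticket` is a finding to investigate.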
You have now reduced the attack surface in two ways:
Many customers have enjoyed our management of Personalised Privileged Accounts and this could be used in the scenarios given. However, looking to the future it could be used to migrate from personalised to role-based accounts.
We believe these two interesting ideas brought together have real merit and are perfectly suited to an implementation of Osirium. If you'd like to achieve this level of security with ease of management then please get in touch!