
Two Ideas

We’ve heard a couple of deployment ideas recently and thought they’d make a very strong combination for increasing security and reducing the cost of managing Privileged Access Management Solutions.

The first seems counterintuitive: remove all Personalised Privileged Accounts. Of course managing these personalised accounts is one of Osirium’s best features! However, here’s the gain: if you organise your system access into role-based accounts, your team can ensure that these are kept to the absolute minimum. This means that your Privileged Account attack surface is as small as it can be. The issue here is that the credentials of role-based accounts could proliferate around the organisation. Therefore it’s vital that you:

Separate People From Passwords

The next step is to ensure that you can always determine the identity of whoever uses these accounts. This is very simple using Osirium’s profiles and groups. Everything will get SysLogged, so your SIEM systems can tie everything up.

Here’s the second idea: people have no access to any system unless there is an authorised reason. This of course raises the issue of how to manage all those authorisations: isn’t it easier for your SysAdmins and DevOps to work their way through the open tickets and deal with issues as they arise?

Your ticket system contains the inherent reasons why someone should be authorised to access particular systems. If you can combine your ticketing system with Osirium’s profiles you get this:

(Identity + Reason) IN — (SysLogged Role) OUT

You have now reduced the attack surface in two ways:

  • Reduced the overall number of Privileged Accounts
  • Gated the access to those Accounts by the ticketing system

You have reduced your management and reporting effort as well:

  • Osirium can give you a direct mapping between identities and role based accounts
  • Your ticket system (and Osirium) can tell you when and why access to these Accounts was enabled
  • Your SIEM system will have all the information nicely correlated
  • You’ve not added any new procedures or steps for your SysAdmins and DevOps to go through
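To make the "(Identity + Reason) IN, (SysLogged Role) OUT" gate concrete, here is an added illustration in Python (not Osirium code, and not the platform's API): a constructed ticket queue and role-account table stand in for the ticketing system and PxM configuration, the gate only releases a role account when an open ticket assigned to the requester names the target system, and every decision is written as a structured syslog-style line so the SIEM can map role-account use back to a person.

```python
import json
from typing import Optional, Tuple, Dict, List, Set

# Constructed sample ticket queue (assumption: the ticketing system exports
# assignee, target system and state for each ticket).
TICKETS = {
    "INC-1042": {"assignee": "alice", "system": "db-prod-01", "state": "open"},
    "INC-1043": {"assignee": "bob", "system": "web-prod-02", "state": "closed"},
}

# The only privileged accounts that exist: one role-based account per system.
ROLE_ACCOUNTS = {"db-prod-01": "dba-role", "web-prod-02": "webadmin-role"}


def authorise(identity: str, ticket_id: str, system: str) -> Tuple[Optional[str], str]:
    """Gate: return (role_account, audit_line). The role account is released
    only when an open ticket assigned to this identity names this system; the
    person never handles the password, only the mapped role."""
    ticket = TICKETS.get(ticket_id)
    if system not in ROLE_ACCOUNTS:
        decision, role = "deny:unmanaged-system", None
    elif ticket is None:
        decision, role = "deny:unknown-ticket", None
    elif ticket["state"] != "open":
        decision, role = "deny:ticket-not-open", None
    elif ticket["assignee"] != identity:
        decision, role = "deny:not-assignee", None
    elif ticket["system"] != system:
        decision, role = "deny:wrong-system", None
    else:
        decision, role = "allow", ROLE_ACCOUNTS[system]
    # One audit record per decision: identity, reason (ticket) and role account
    # together, so the SIEM never sees a role account without the person behind it.
    record = {"identity": identity, "ticket": ticket_id, "system": system,
              "role_account": role, "decision": decision}
    return role, "pam-gate: " + json.dumps(record, sort_keys=True)


def correlate(audit_lines: List[str]) -> Dict[Tuple[str, str], Set[str]]:
    """SIEM side: map each (system, role_account) granted in the audit trail
    back to the identities that were allowed to use it."""
    usage: Dict[Tuple[str, str], Set[str]] = {}
    for line in audit_lines:
        rec = json.loads(line.split("pam-gate: ", 1)[1])
        if rec["decision"] == "allow":
            usage.setdefault((rec["system"], rec["role_account"]), set()).add(rec["identity"])
    return usage
```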

Many customers have enjoyed our management of Personalised Privileged Accounts, and this can still be used in the scenarios given. Looking to the future, however, it could also be used to migrate from personalised to role-based accounts.

We believe these two interesting ideas brought together have real merit and are perfectly suited to an implementation of Osirium. If you’d like to achieve this level of security with ease of management then please get in touch!
