Privileges to manage or configure target resources and applications are assigned to specific accounts. In the traditional approach, passwords or other authenticators for such privileged accounts are handed to authorized personnel, i.e. privileged users.
These privileges can include the rights to:
- Clear logs
- Install additional software
- Perform critical and potentially harmful operations that can disrupt the resource functionality
- And other rights
These rights are often available to privileged users without any oversight. This practice creates a risk that the granted privileges will be misused or abused.
Privileged user activity is hard to monitor because these users get privileged access directly to a resource or through a console (when peripherals are connected directly to a hardware server), circumventing security controls. The same applies when an administrator has the right to manage network devices and network communication.
Besides, password authentication is often the only control measure used for such accounts, and it has a number of critical disadvantages:
- Exposure to brute-force attacks
- Risk of unauthorized password disclosure
- The need to promptly change passwords when employees leave the company
- And others
The privileged access problems described above expose the company to security threats. The best solution would be to use a specialized software suite for Privileged Access Management (a.k.a. Privileged User Management, Privileged Identity Management, Privileged Account Management).
Understanding this problem is an important step towards building a comprehensive information security system in the company.