When I had started out in this industry, I had absolutely no clue of what Privileged Identity Management meant. In fact, not for a moment I thought it had something to do with security let alone cyber-security. I was deceived by the term ‘Privileged’ so much so that I started considering it be an elitist term which is like a badge to be worn proudly by some. But what I got to know about this was a complete paradigm shift. Yes of course I was right in thinking that it is a sort of title so to speak conferred only upon a select few. But that they can be threats never crossed my mind. Over the years, I observed that not many could easily understand the real meaning behind the term Privileged Identity Management or Privileged Access Management or Privileged User Management or other terms that this concept is referred to by. I pondered and pondered of how this can be explained in simple language to a layman. So here’s my attempt at it.
Consider you are planning a trip to the most exotic location in the world. Well, being in this location is the end goal – the last step. The most important first step would be – ‘Do I have a passport?’ So for convenience, you have a passport. The next step will be to chalk out your itinerary, decide which places you want to visit, how many days you would need, which hotel to stay in…But wait hold on a minute. Have you wondered why you need a passport? What that passport defines? You probably know it, but let me explain. That passport is your identity, it defines your existence. That’s how you are recognized anywhere in the world. Why is that required though? Simple. Every country has their own people and any outsider for that country is a threat. But at the same time, these outsiders are needed to increase their revenue, to promote cultural exchange, to facilitate and bring in business opportunities – in short for globalization. So how do the countries ensure a secure pathway for these outsiders to come in and go out? By relying on the passport. The passport is the first level of trust. This forms the basis for their trust on you. And they validate this trust by issuing you a coveted badge called the ‘visa’. So you have a passport, you got your visa and now you are a free bird. You can go to your most exotic location because you are a privileged member who has the authorization and the right to access this country albeit with limited access rights but rights after all.
Once you are in the country, you roam around and try to visit as many places as you can within this nation. Nobody is there to micromanage you or keep a constant check on where you are going or what you are doing. Would you call this a vulnerability – not necessarily, but there might be people with the intention of a wrong-doing who might be skilled to make this a vulnerability and exploit it to the country’s disadvantage jeopardizing the security of the nation.
An even worse scenario would be if a citizen of the country in the visa authorization department used his privileged access to somehow smuggle in someone who was not supposed to be in the country with the intention of putting the country’s critical infrastructure (read scenic beauty, high raised buildings, cultural heritage etc.) and assets (citizens, business activities, confidential country specific records) at risk.
So you see there is a pattern in which a country’s security is put at risk. Get privileged access to the country, use that privileged right to find vulnerabilities to exploit and attack – in short identify the most important privileged access rights into the country, in this case the visa and the passport.
But this cannot happen so easily if the country has rigorous and strong security measures in place. The visa process, for instance is tighter in most countries to filter out any potential threat elements. The airport screening is a ‘necessary evil’ to ensure passengers don’t carry restricted harmful items or anything that can compromise the safety and security of the people and the nation.
Stay with me here now. Let’s draw parallels and analyze. The country we talk about here is your organization. The critical infrastructure we talk about is the organization’s IT systems which forms the heart of an enterprise. The assets we talk about are the organization’s confidential customer records and other sensitive information. The citizens we talk about are the employees of your organization who also have the right to be privileged members. And finally you the tourist, is a 3rdparty vendor or contractor. So do you see the connection here? As a 3rd party vendor or contractor, you are given certain privileged access rights to access the organization to facilitate with your work. These rights can be misused either due to lack of awareness or with the intention to attack, just like how you can roam around anywhere and do whatever you want as a tourist. An employee who has privileged access also can either unknowingly harm the critical assets of the organization because of his privileged rights or use these rights to his/her advantage to intentionally harm the organization. And this is where an additional security layer like a Privileged Identity Management solution suite comes into picture. This security layer is possibly a more sophisticated and comprehensive measure of internal security from an enterprise perspective. It controls and monitors each and every privileged user’s access rights regardless of the level of privilege.
Let me sign off here by saying that Privileged Identity Management solution suite is your organization’s necessary evil, it is your organization’s Dark Knight.
ARCON provides state-of-the-art technology aimed at mitigating information systems related risks thereby enabling organizations to comply with Governance, Risk Management and Compliance (GRC) requirements. The company, in particular, is known for its unique Privileged Identity Management/Privileged Access Management solution, which helps deter the misuse of ‘privileged identities’.
Learn more about us at www.arconnet.com