Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

11) Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?

August 30, 2022
IT Operations
Access Management

Answer yes if your organisation has systems and/or processes in place to help ensure privileged accounts are only used for the intended purposes, in a secure way. This could include the use of administration proxies (jump boxes or bastion hosts), Privileged Access Workstations (PAWs), temporary credentials, additional approval processes, or ensuring privileged accounts are not used for normal business activities, such as email or web-browsing. Please describe your PAM controls in the notes section or provide a supporting document (as a PDF file) as evidence.

System Administrator (sysadmin) roles require access to sensitive systems and configurations within your IT network to maintain your IT systems.

Typically, a System Administrator will use some sort of credential to access an administration interface. Having this credential will allow the System Administrator to perform highly privileged actions that other system users would be prevented from doing. An attacker's ability to steal and use this credential would enable them to make similarly privileged changes and could cause significant harm to your system and the data it processes.

There are two parts to Privileged Account Management:

  • Just-in-time administration helps to reduce that risk: Instead of the credential being used to access an administration interface, it's used to request access instead. If the request is approved, a temporary credential is given to the System Administrator. This temporary credential is what the administrator uses to access the system's high privileged administration interfaces.
  • Least privilege administration ensures that when access to the system management interface is granted, the System Administrator has only the necessary privileges to complete the intended administration change activity. The roles and responsibilities of System Administrators can be defined in advance so that when an administrator requests access, they can be prompted to select one of these pre-defined and functionally-limited roles.

Adopting and using Privileged Account Management with just-in-time administration disrupts opportunities for stolen credentials to be used to cause harm and, with functionally-limited roles, reduces the scope of unintended system changes.

How to implement the control

You must ensure that the process used to authorise privileged access requires an approval method and technical implementation that suits your organisation’s risk appetite. This process and technical solution should be clearly documented.

If required, a third party security consultancy can review your Identity and Access Management procedures and either assure, or improve, your PAM processes.

The NCSC provides useful guidance on this topic here and here.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.