
How can privileged access accounts be managed in large companies?

Network administrators often resist policies that require separate accounts for routine and privileged tasks. Expert Michael Cobb explains why the separation matters and how to make the case for it in a large organization.

I'm faced with a challenge to create a policy for separate administrator accounts for all employees who require privileged access. I've implemented similar policies in other organizations, but in those situations the community of users with such access was fairly limited -- fewer than 20 people. In my current role, the community is in the hundreds and their access includes Windows, Linux, Oracle and SAS. I've spent some time speaking with others in my company about creating separate admin accounts and received some pushback. Have you seen such policies implemented successfully in larger organizations? What are your thoughts on separate administrator accounts?

Pushback is a common problem for new employees and hired consultants tasked with improving information security. Existing network administrators can take new initiatives as criticism of the infrastructure and security environment they have built, or simply resent changing policies that appear adequate to them, particularly when the change means extra work. It is important, however, that colleagues and senior management accept that this proposal is a sound one, grounded in industry best practice.

Users with system administrator or privileged access accounts should use a regular user account to perform routine, non-administrative tasks, and switch to the privileged account (a second logon on Windows, sudo or su on Linux) only for the task that needs it. This is an essential control in any information system because it enforces the key security principle of least privilege. It is recommended as best practice by US-CERT, SANS and the National Security Agency, and it appears as a control in the major information security and compliance standards. Limiting an account's privileges limits the impact of a compromise. Malware is typically introduced during routine tasks such as browsing the internet and reading email, and malware that runs while the user holds system administrator privileges can do far more damage than malware running under a regular user account: it can install drivers and services, disable security tooling and harvest credentials from other sessions. Separate accounts also make log analysis a lot easier, because routine activity no longer clutters any review of system administrator actions -- another important security control, since an admin account that shows up in webmail or proxy logs is itself a finding.

A presentation to colleagues referencing standards and publications such as ISO/IEC 27001:2013 (a specification for an information security management system), NIST Special Publication 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems) and NIST Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) should help convince them of the importance of separate administration accounts. Similar recommendations also appear in publications by technology vendors, such as Microsoft's Best Practices: Using a Separate Account for Admin Tasks and Oracle's Database Vault Best Practices, which is worth citing given that Oracle is in scope here.

If management still can't see the value of creating additional processes, roles and admin accounts to achieve least privilege, some real-world statistics may help. Privilege misuse is highlighted in Verizon's 2016 Data Breach Investigations Report, where the insider and privilege misuse pattern accounted for over 15% of all incidents. In the 2015 report, 55% of insider misuse incidents involved privilege abuse, which suggests that many employees hold more privileges than they need for their day-to-day tasks.

Having administrators switch between accounts is a minor inconvenience compared with the time and money it could save in dealing with a compromised privileged account. Once separate administration accounts have been implemented for all employees who require privileged access, make sure everyone understands two rules that the policy depends on: the passwords for the two accounts must be different (a shared password means a phished user password unlocks the admin account, which removes most of the benefit), and the admin account must never be used for email, web browsing or ordinary workstation logons. Both rules can be checked, and the checks are worth automating, because a policy on paper will erode quietly if nobody looks.
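The following is an added example, not code from the original article, showing how the separation described above can be audited rather than just mandated. It checks the three conditions the answer relies on: that privileged group membership sits only on dedicated admin accounts, that admin accounts do not appear in routine logon sources such as webmail or the web proxy, and that an admin account does not share its password with its paired daily account. The directory entries, logon events and hash values are constructed inline; the `adm-` naming convention, the group names and the idea of comparing unsalted password hashes (as with NT hashes extracted from a directory backup during a controlled audit) are assumptions for the example.

```python
"""Audit a 'separate admin account' policy against directory and logon data.

Added example, not from the original article. All data below is constructed.
Assumptions: admin accounts are named 'adm-<daily username>', and the password
store yields one unsalted hash per account (e.g. NT hashes). For salted stores
(Linux /etc/shadow) you would instead verify the daily password against the
admin account's salt, since equal passwords produce different hashes there.
"""
from collections import defaultdict

# Groups whose membership counts as privileged access (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "wheel", "dba"}
# Logon sources where only routine, non-administrative work should happen.
ROUTINE_SOURCES = {"workstation", "webmail", "proxy"}
ADMIN_PREFIX = "adm-"

# Constructed directory export: account -> (groups, password hash)
ACCOUNTS = {
    "jsmith":     ({"Domain Users"}, "h1"),
    "adm-jsmith": ({"Domain Admins"}, "h1"),          # same hash as jsmith
    "akumar":     ({"Domain Users", "dba"}, "h2"),    # privileged daily account
    "lchen":      ({"Domain Users"}, "h3"),
    "adm-lchen":  ({"Server Operators"}, "h4"),
}

# Constructed logon events: (account, source type)
LOGONS = [
    ("adm-jsmith", "server"),
    ("adm-jsmith", "webmail"),   # admin account reading email: routine use
    ("adm-lchen", "server"),
    ("lchen", "workstation"),
    ("akumar", "workstation"),
]


def is_privileged(groups):
    """True if any of the account's groups grants privileged access."""
    return bool(set(groups) & PRIVILEGED_GROUPS)


def audit_separation(accounts, logons):
    """Return {finding: sorted account names} for the three policy violations."""
    routine_use = defaultdict(set)
    for account, source in logons:
        if source in ROUTINE_SOURCES:
            routine_use[account].add(source)

    findings = {
        "privileged_daily_account": [],   # rights on the everyday account
        "admin_account_routine_use": [],  # admin account seen in email/web/workstation logons
        "synced_password": [],            # admin and daily account share a password hash
    }
    for name, (groups, pw_hash) in accounts.items():
        if name.startswith(ADMIN_PREFIX):
            if routine_use.get(name):
                findings["admin_account_routine_use"].append(name)
            twin = accounts.get(name[len(ADMIN_PREFIX):])
            if twin is not None and twin[1] == pw_hash:
                findings["synced_password"].append(name)
        elif is_privileged(groups):
            findings["privileged_daily_account"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, names in audit_separation(ACCOUNTS, LOGONS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In a real deployment the `ACCOUNTS` and `LOGONS` inputs would come from a directory export and from the authentication, webmail and proxy logs, and the report would be reviewed on a schedule; the point of keeping the check simple is that it is the same three questions an auditor will ask.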


This was last published in September 2016
