Privileged User Management
Privileged User Management in Brief
Many organizations manage users’ lifecycles in a centralized manner. A user identity is created after signing the contract and activated when the agreement enters into force. The user is granted access according to the job description, and an email box and other necessary elements are created for him or her. At different stages of the life cycle, access rights are removed and added, and ultimately when a user leaves the organization, the identity is closed.
However, often access rights other than the normal user accounts are needed in order to manage different services and systems, so-called administrator privileges. Privileged Identity Management covers these high-level user accounts and associated access rights, enabling one administrator identity on all systems where administrator rights are required.
The goal is to keep the number of admin accounts as low as possible. Each admin user has only one admin ID that can be used in all target systems to which the user has administrative rights.
What Mint Security Delivers
Together with the customer, we model the necessary access rights and targets, and we also create the policies and processes to be used. We define the encryption and identification methods that are applicable to the client’s environment, and we implement secure, yet transparent administrator management. If needed, we supply a strong identification tool, the YubiKey.
Customer Needs and Challenges to Be Solved
Administrator rights are very critical. From the point of view of management and identification, they are an even more essential part of the organization’s security strategy than managing the life-cycle of ordinary user identities. In the wrong hands, the outcome can be catastrophic.
The customer needs to be able to manage administrator identities as easily as normal IDs and, if necessary, to remove administrator privileges centrally, without editing target systems or services.
According to ISO 27002, administrator privilege management must be a defined and controlled activity.
More Details about Our Methods and Tools
As far as authentication is concerned, administrators require particular attention. The password policy for administrators should preferably be stricter than for normal user accounts, and two-factor authentication is practically mandatory. In Linux environments, two-factor authentication can easily be implemented by using SSH keys and prohibiting login with a password alone. In Windows environments, identities can be used and synchronized directly from the AD service. With selected technologies, we can also bring individual Windows servers outside the Windows domain into the administrator (and user) management. Two-factor authentication with an external token can also be enabled for service authentication. For this, Mint Security’s choice is YubiKey, a highly versatile and cost-efficient tool. With YubiKey, two-factor authentication is easy to implement for workstations as well as for Linux and Windows servers.
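The "SSH keys, no password-only login" rule above is only as good as the effective sshd configuration. The following audit script is an added example, not Mint Security's or FreeIPA's code; the policy table, the sshd defaults it assumes for absent keywords, and the two sample configs are constructed for the example.

```python
# Added example (not Mint Security's or FreeIPA's code): audit an sshd_config for the
# settings that enforce key-based login and forbid password logins. sshd keeps the FIRST
# value it reads for each keyword, so a "fix" appended after a weaker line is silently
# ignored; the parser reproduces that rule. Lines after the first Match are conditional.

# keyword -> (value the hardened baseline requires, assumed sshd default when absent)
POLICY = {
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),     # current name
    "challengeresponseauthentication": ("no", "yes"),  # legacy alias of the same switch
    "pubkeyauthentication": ("yes", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),    # shared root defeats one ID per admin
}

def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves the global (pre-Match) section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break                      # everything below applies only to matched sessions
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return seen

def audit(config_text):
    """Return sorted (keyword, effective value, required value) findings."""
    effective = effective_settings(config_text)
    return sorted(
        (key, effective.get(key, default), wanted)
        for key, (wanted, default) in POLICY.items()
        if effective.get(key, default) != wanted
    )

# Constructed samples: the last line of WEAK never takes effect.
WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Match Group sftponly
    ForceCommand internal-sftp
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a real host; an empty list means the global section meets the baseline, and each finding names the keyword, the value sshd will actually use, and the value required.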
FreeIPA is an IDM product developed for centralized management of users and access rights. With FreeIPA, we can easily manage authentication to servers and services, as well as create role-based definitions for questions such as:
- Who is allowed to log on to which server and by what method?
- Is sudo allowed on Linux servers, and if so, at what level?
- Are administrator rights to be accepted for Windows servers?
FreeIPA also provides an LDAP interface that we can utilize in service authentication. We can create and manage central groups of administrators for various services through the FreeIPA interfaces. Thanks to this, the access rights to all target systems and services can be managed through one single view.
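To show how the "who may log on to which server and by what method" question from the list above is decided, here is a small model of FreeIPA's host-based access control (HBAC) evaluation. It is an added example, not FreeIPA's code or API: the groups, hosts, rule names and domain are constructed, and the evaluation semantics it models (allow rules only, deny by default, "all" as an unrestricted category) are FreeIPA's documented behaviour rather than anything taken from this page.

```python
# Added example (not FreeIPA's code): a model of how FreeIPA's host-based access
# control (HBAC) answers "may user U log on to host H via service S?". FreeIPA
# evaluates allow rules only and denies by default; a rule matches when its user,
# host and service parts each match, with "all" meaning the category is unrestricted.
# Users, groups, hosts and rule names below are constructed for the example.

GROUPS = {  # user group -> members; a member may itself be a group (nesting)
    "admins": {"alice", "bob"},
    "webops": {"carol", "admins"},
}
HOSTGROUPS = {  # host group -> member hosts
    "webservers": {"web1.example.test", "web2.example.test"},
    "bastions": {"bastion.example.test"},
}
RULES = [  # (rule name, users or groups, hosts or hostgroups, PAM services)
    ("allow_all_bastion", "all", {"bastions"}, {"sshd"}),
    ("webops_web", {"webops"}, {"webservers"}, {"sshd", "sudo"}),
    ("admins_everywhere", {"admins"}, "all", "all"),
]

def members(group, seen=None):
    """Flatten a (possibly nested) user group into a set of user names."""
    seen = set() if seen is None else seen
    users = set()
    for m in GROUPS.get(group, ()):
        if m in GROUPS:
            if m not in seen:          # guard against group membership cycles
                seen.add(m)
                users |= members(m, seen)
        else:
            users.add(m)
    return users

def user_matches(part, user):
    return part == "all" or user in part or any(user in members(g) for g in part if g in GROUPS)

def host_matches(part, host):
    return part == "all" or host in part or any(host in HOSTGROUPS.get(g, ()) for g in part)

def hbac_allows(user, host, service):
    """Return the names of rules granting access; an empty list means denied."""
    return [name for name, u, h, s in RULES
            if user_matches(u, user) and host_matches(h, host)
            and (s == "all" or service in s)]
```

Because access is granted only when some rule matches, removing a user from the central group (or disabling the rule) closes their access on every enrolled host at once, which is the "one single view" the text describes.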
YubiKey is a token for key storage. On a YubiKey we can store PGP keys and required certificates, and we can also use a PGP key for SSH key authentication. In this case, the SSH keys are always at hand and do not need to be stored separately on workstations, which improves both usability and security. YubiKey can also be used with public services, for example to protect the corporate administrator’s Gmail account.
In certain situations, administrator rights also need to be exported beyond the IDM system and the systems that use it directly. LSC enables near-real-time synchronization of data from FreeIPA (or from another source) to external LDAP directories and databases. Thus, password requirements and user validity for external target systems can also be managed centrally in the IDM system.
YubiKey is a 2FA (“two-factor authentication”) USB key manufactured by the Swedish company Yubico. The key can be used to implement secure and easy-to-use strong two-factor authentication for both private and business use.
LSC is an open-source directory synchronization solution. Synchronization supports LDAP directories, AD directories, databases and text files. The basic solution can be extended through scripting. The solution is very lightweight.