November 18, 2010, 5:16 PM — PIM tools help get a handle on sprawling accounts and disjointed management of privileged access. If you do it right. Here are seven key strategies.
For more background on PIM, see the companion article Too much access? Privileged Identity Management to the rescue.
Develop a long-range and short-range strategy. While your organization may be addressing particular pain points--an audit failure on a particular platform or in a business group, operational problems with a manual process, production interruptions or a data breach inadvertently or intentionally caused by someone with shared credentials--lack of PIM is usually a systemic problem that touches all enterprise systems.
If you choose a PIM product to address a limited objective (for example, pass the next audit or control access to a CRM system), you may wind up buying a solution that will not meet all your needs.
"Shared accounts pose almost the same risk regardless of whether it's a shared DBA [database administrator] account giving access to a database, or an admin accessing a Cisco router, or a shared-account e-mail admin accessing an Exchange server," says Cyber-Ark Executive Vice President Adam Bosnian. "If I can use the system, as an admin, to do my bidding, I have a powerful tool to do some real damage."
Unless you take a global approach, you will not understand how your disparate systems are interconnected and dependent on one another. You will fail to develop policies and processes that will form an effective foundation for your privileged-identity program.
So invest in PIM with the big picture in mind. Take a broad view and develop an enterprise strategy. Then you can prioritize where you will start your implementation based on which systems, applications and platforms, or class of privileged users (such as Windows sysadmins or DBAs) pose the greatest risk, will affect the largest number of users, and so on. Take a phased approach based on a broad, long-term strategy. Each phase is a significant project and will benefit from a strong overall direction and experience in preceding phases.
"You need to take a comprehensive look; when you get into IT departments, everything is connected to everything," says Jeff Nielsen, vice president of engineering for BeyondTrust. "Here's the financial database connected to the CRM database, which is connected to an order-fulfillment app. There's sensitive data throughout the chain."
A broad plan with a staged implementation will also help demonstrate to auditors that you have a program and tools in place that will address shortcomings on a defined schedule.