ISO/IEC 27001 Control 8.2: Privileged access rights

Control

The allocation and use of privileged access rights should be restricted and managed.

Necessity of MidPoint

MidPoint is necessary to implement this control properly.

MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.

Implementation Overview

MidPoint has numerous features to support management of privileged access rights.

Implementation Details

Privileged access rights can be represented as entitlements in midPoint, their assignment to users is recorded, tracked and synchronized from identity resources. Given sufficient coverage by identity connectors, midPoint can have comprehensive record of privileged access rights assignments across the organization. Role-based access control (RBAC) is primary mechanism for organization and automation of privileged access rights management. RBAC can be used to assign privileged access rights to appropriate roles or business responsibilities, automating assignment of privileges to users. Even more importantly, RBAC automates unassignment of privileged access rights, automatically removing unnecessary privileges. Furthermore, policy-based RBAC is extending the access control with dynamic rules, which further organizes and automates management of privileged access rights. Role-based mechanisms and policies can be used to make sure that the "minimum requirement" criterion of this control can be satisfied. Privileged access rights determined by the policies can be automatically provisioned to user accounts, and automatically de-provisioned (revoked) as needed. Assignment of privileged access rights to the users are recorded in midPoint, including the meta-data, which satisfies the recording requirement of this control ("record of all privileges allocated"). Role mining capabilities can be used to find patterns in usage of privileges, creating appropriate business roles. This approach increases the degree of automation and reliability of privileged access rights management. Privileges access rights that cannot fit into business roles can be managed by access request process, subject to appropriate approval. Policy rules can be used to make sure requests for privileged access are subject to additional approval step, and cannot be assigned without explicit approval, which satisfies requirement of this control for "maintaining an authorization process". MidPoint provides ability to assign privileged access rights temporarily, using activation schema in the assignment. Access certification campaigns can be used to regularly review and certify assignment of privileged access rights. Micro-certifications can be used to momentarily review privileged access rights of a user when an important change or event occurs, such re-assignment of the user in organizational structure. Mechanisms of information classification and clearances can be used to make sure user has appropriate competence for use of privileged access rights. Personas can be used to create separate identities for users that accumulate significant amount of privileged access rights, such as system administrators. Such users can have special personas with privileged access rights, separated from their common user personas. Such privileged personas may be subject to stricter security requirements, such as requirement for stronger password or multi-factor authentication. Special accounts in identity resources can be marked as "protected", avoiding any unintended modification, linking or other abuse of the accounts. This mechanism can be used to protect emergency and hardwired accounts such as "root" or "administrator", avoiding unintended use of such accounts. Capabilities for management of non-human identities (NHI) can be used to manage application accounts, accounts that represent devices and other technical accounts. Such accounts can be managed with the same mechanisms as user accounts, using roles, policies and approval processes as necessary. Reporting and dashboarding capabilities can be used to list all privileged access and apply analytics for better understanding and improvements of privileged access structure. Audit trail provides complete record of changes in privileged access right assignments.

Implementation Notes

  • MidPoint fully supports and encourages assignments of privileged assignments to personalized accounts of the users, avoiding use of shared accounts and accounts with generic user identifiers (such as "root" or "administrator"). MidPoint supports indirect approaches, such as the "sudo" mechanism, or "Domain Admins" group. Roles and entitlements in midPoint are designed to assign privileged access rights to user accounts, recording them, managing them and revoking them as necessary.

Rationale

MidPoint provides numerous features to properly manage privileged access rights at scale. Management of privileged access rights in medium-to-large organizations without such features is very unrealistic. Manual management of privileged access rights at such scale is certain to require huge effort, while being slow to react and very unreliable. Strong identity administration and governance (IGA) platform such as midPoint is absolutely necessary to satisfy this control in larger organizations.

Was this page helpful?
YES NO
Thanks for your feedback