Keep Privileged Accounts Under Lockdown

Attackers find ingenious ways to access accounts, but what they're really looking for is the highest-value targets: accounts with the most privileges. Getting into a single superuser account is the goal, because from there an attacker could easily take over a whole organization. The risk of privileged account takeover grows as companies grow and permission scope spirals out of control. Privileged access management (PAM) becomes a bigger problem, but with tightened budgets, buying a standalone solution isn't always possible. So how do you solve this problem before it gets out of hand? That's why we've released Delegated Administration, a tool that allows administrators to create custom, granular privileges for users, apps, and roles. Here's how you can get our lightweight privileged access management tool working for you.

Create thin privileges that work for your organization

The principle of least privilege states that a user or account must be able to access only the information and resources that are necessary for its legitimate purpose. For example, if you want a user to have access only to certain apps and certain users, in read-only mode, that is now possible with our new privileges model. We structured our model after the well-known and widely adopted policy format from Amazon AWS, which allows you to define a privilege in terms of resources, actions, and scopes.

Delegated Administration Actions checklist

Here are a couple of examples of how you could use Delegated Administration to limit permission sets:

  • A local branch of the organization wants their local IT admin to handle all the helpdesk cases in the area, but not have access to any of the other distributed users.
  • The marketing department wants their project manager to manage all of their team’s own apps, and only reset passwords for their own department.
  • An IT department wants to outsource password resets and temporary passwords to a partner, but doesn’t want the partner to be able to edit any user information.
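As an added illustration (not OneLogin's code or its real policy syntax), here is a minimal default-deny evaluator for the resource/action/scope model described above, with the three delegation cases from the list encoded as thin privileges; the role names, action names, and target attributes are assumed for the example.

```python
# Added illustration of a resource/action/scope privilege model (hypothetical;
# not OneLogin's real policy syntax). Role, action and attribute names are assumed.

class Privilege:
    """One grant: a set of actions on one resource type, limited to targets
    whose attributes match every key/value in `scope` (empty scope = any target)."""

    def __init__(self, resource, actions, scope=None):
        self.resource = resource
        self.actions = frozenset(actions)
        self.scope = dict(scope or {})

    def matches(self, action, resource, target):
        return (resource == self.resource
                and action in self.actions
                and all(target.get(k) == v for k, v in self.scope.items()))


def allowed(privileges, action, resource, target):
    """Default-deny: an action is permitted only if some privilege explicitly grants it."""
    return any(p.matches(action, resource, target) for p in privileges)


# The three delegation cases from the list above, expressed as thin privileges.
ROLES = {
    # Local branch IT admin: helpdesk actions only on users in their own branch.
    "branch_it_admin": [
        Privilege("users", {"read", "reset_password", "unlock"}, {"branch": "berlin"}),
    ],
    # Marketing project manager: manage the team's apps, reset only the department's passwords.
    "marketing_pm": [
        Privilege("apps", {"read", "update", "assign"}, {"owner_team": "marketing"}),
        Privilege("users", {"reset_password"}, {"department": "marketing"}),
    ],
    # Outsourced partner: resets and temporary passwords for anyone, never "update" or "read".
    "helpdesk_partner": [
        Privilege("users", {"reset_password", "set_temporary_password"}),
    ],
}

# Constructed sample targets for evaluation.
BERLIN_USER = {"id": "u1", "branch": "berlin", "department": "finance"}
PARIS_USER = {"id": "u2", "branch": "paris", "department": "marketing"}
MARKETING_APP = {"id": "a1", "owner_team": "marketing"}
HR_APP = {"id": "a2", "owner_team": "hr"}


def can(role, action, resource, target):
    """Evaluate one request against the privileges assigned to `role`."""
    return allowed(ROLES[role], action, resource, target)
```

Anything not explicitly granted (a different branch, another team's app, or an edit by the partner) evaluates to False, which is the behaviour least privilege calls for.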

Use Lifecycle Management to automate privileged access management

What if you didn't even have to worry about escalated privilege requests? It's sometimes a long process, waiting for manager approval in particular. Now you can assign a privilege to a role, and any time an employee is onboarded into that role, they receive the privileges suited to it. To automate further, create a mapping that grants roles based on third-party directory attributes, and those users will automatically receive the privileges assigned to that role.

With an organized approach and a lightweight privileged access management tool, you won't be giving attackers much of a chance to infiltrate a highly privileged account.

About the Author

Kayla Gesek

Kayla is a product manager at OneLogin with a passion for balancing user experience and strong security practices. With 10+ years of experience in Silicon Valley, ranging from small startups to corporate giants like Walmart.com, Kayla loves to champion data, customer feedback, and advocacy.