“My corporate security division recently performed an audit and said that I had several privileged entitlements attached to my account. What are they, and why is it something security is looking into?”
A reader recently wrote in to us asking about privileged entitlements and why corporate security teams show interest in them:
Think of privileged entitlements like people who can access a cookie jar:
If you have kids, they may only be allowed to have cookies in very specific circumstances: after they eat their vegetables, do their chores, etc., but they can’t just get them from the cookie jar at any time they choose or there will be repercussions. They are only allowed to access the cookie jar when someone else grants them the right to have the cookie.
As a parent, you may delegate the right to others – such as a babysitter – who can grant access to the cookie jar, but only within a set of rules as to when they allow access. This babysitter might be permitted to allow access to a cookie if the child behaves, but can allow no more than two cookies during any one babysitting session.
The parents have full access the cookie jar themselves, and can grant access to the children whenever they feel is appropriate. A parent must have both a lot of willpower, and the best interest of the child in mind or the parent and/or the child could indulge in unhealthy habits.
Privileged entitlements work in the same way. A regular user is like the child in our hypothetical example above. They can be given the files, applications, and data they need to do the job, but they do not get to freely gain access to anything, especially anything outside their normal job description.
Then you have super users. These accounts are like the babysitter, in that they can grant access to things outside of their job responsibilities, but only when certain rules and restrictions are satisfied, and never without reason or more often than required. They also have strict limits set on their ability to grant these privileges, so that they cannot accidentally over-entitle a user.
Finally you have administrators – the parents in our analogy. Administrators can access everything within their domain, but have to be extremely careful since that access can easily lead to security breaches or other problems if the proper procedures are not followed at all times and the company’s compliance guidelines are not strictly enforced.
Each time you step up the ladder from user to administrator; you create more and more privileged accounts with more and more privileged entitlements. This can create a large number of problems if those privileged entitlements are not handed out and governed very carefully, ensuring that no one can do anything they aren’t supposed to be doing; or allow anyone else to do so by delegation.
Most organizations follow the principle of “least privileged access” to help reduce privileged entitlement problems. This principle says that each employee only gets the explicit entitlements and access required for their job – nothing more under any circumstances. Super-users and administrators have the level of privilege they do because it is required for their job. And, as job requirements change, those privileged entitlements change along with them to make sure no one is over-provisioned and potentially putting the company at risk.
So, when your company is showing concern over privileged entitlements, what they’re actually saying is that they need to review who can access what resources, when they can access them, and what requirements must be met to be able to access them. You may not see any change at the end of such an audit, or you may see that access to systems you no longer need within your job description are removed. Much like our cookie jar, corporate IT wants to be sure that no one can get hold of more cookies than they should, or share them with anyone who shouldn’t be eating them.