According to Gartner, IT outsourcing will be a $335 billion industry by 2019. Within the growing number of IT organizations adopting this approach to managing infrastructure, outsourced IT administrators are routinely granted broad privileges to accomplish even the most narrowly focused tasks.
However, traditional privileged identity management solutions require organizations to create and manage identities for outsourced IT administrators within their internal environment and to grant them full VPN access. This practice increases risk: more privileged accounts exist disconnected from any authoritative identity provider, and more laptops establish VPN connections to internal networks. The result is an expansion of potential attack points for hackers, disgruntled insiders, and malware.
The following 5 steps can help mitigate the risks.
Step 1 – Minimize the attack surface
Organizations should start by deploying a cohesive, cross-platform privileged identity management solution to implement least privilege access and gain more robust control over administrative accounts. A privileged identity management platform lets the enterprise consolidate identities and control shared accounts while also securing remote access and auditing all privileged sessions.
This step reduces an organization’s identity-related risk by consistently controlling access to hybrid infrastructure for both on-premises and remote users.
Step 2 – Govern privileged access
Central enforcement policies for governing privileged access are critical. Governance should include monitoring privileged sessions across on-premises and cloud-based infrastructure to identify inappropriate use of privileged accounts or the source of a security incident. IT can also implement termination policies to revoke access privileges when violations are identified.
Governing all privileged user activities with session monitoring and auditing allows IT organizations to identify suspicious user activity, conduct forensic investigations, and prove compliance.
Step 3 – Implement federation
Creating and managing identities for outsourced personnel within the enterprise environment can become unmanageable and introduce unnecessary risks. But federated trust between organizations allows the enterprise to maintain an efficient separation of responsibilities.
The outsourcing service organization should have its own identity store in place so that it retains management of its employee identities. Privileged access to specific resources should then be governed through automated request and approval workflows, through monitoring with optional termination of privileged sessions, and through reconciliation of approved access against actual access to critical infrastructure.
Your outsourced IT partners should be responsible for managing their own employee authentication, directories, and identity solutions, and you can leverage federated trust to provide them with secure access to your shared applications.
Step 4 – Control hybrid infrastructure
As organizations increasingly opt for a hybrid IT infrastructure — moving their workloads to the cloud — maintaining or gaining control becomes more challenging. To mitigate risk, IT must consistently control access to hybrid infrastructure for both on-premises and remote users. This requires a privileged identity management solution that enforces a consistent privileged access security model across public cloud, private cloud, and on-premises apps and infrastructure.
For example, Centrify provides a comprehensive privileged identity management solution to protect access and simplify enterprise adoption of Infrastructure-as-a-Service (IaaS). Organizations can extend and apply their on-premises security model for infrastructure and apps to the cloud, while keeping sensitive data secure.
Step 5 – Manage auditing and compliance
The enterprise needs audit and compliance safeguards that include detailed session recording and comprehensive compliance reporting. This should include the ability to centrally capture detailed audit logs and user session recording across the hybrid infrastructure. Major industry compliance regulations often require organizations to link access controls, provide role-based privileges, and track user activity to identifiable users. Failure to comply can lead to penalties or the loss of business accreditations, and may result in public loss of confidence and/or brand damage.
To meet audit and compliance requirements, organizations can implement a cost-effective solution that leverages existing infrastructure and enables consolidated, centralized management of user identities combined with user authentication, role-based access control, and session recording and reporting services. This allows the enterprise to identify suspicious user activity, conduct forensic investigations, and prove compliance of administrative accounts shared with outsourced IT providers.
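The reconciliation described under Step 3 and the session auditing under Steps 2 and 5 come down to one recurring check: every recorded privileged session should map to an identity the partner's federated directory still vouches for and to an approved access window, and every session that does not is a finding for investigation or for a termination policy. The following is an added example, not code from the original article or from any vendor product; the partner directory, approval records, session log lines, hostnames and ticket numbers are all constructed sample data.

```python
"""Reconcile recorded privileged sessions against approved access.

Added example, not from the original article or any vendor product.
Assumes three constructed data sources:
  - PARTNER_DIRECTORY: identities the outsourcing partner's federated
    identity store currently vouches for (Step 3)
  - APPROVALS: approval-workflow records granting one user a time
    window on one host (Step 3)
  - SESSION_LOG: privileged session audit records, one JSON object per
    line, as a session-recording system might emit them (Steps 2, 5)
"""
from datetime import datetime
import json

# Constructed sample data: federated partner identities currently active.
PARTNER_DIRECTORY = {"alice@partner.example", "bob@partner.example"}

# Constructed sample data: approvals from the request/approval workflow.
APPROVALS = [
    {"user": "alice@partner.example", "host": "db-prod-01", "ticket": "CHG-1001",
     "start": "2024-03-01T08:00:00Z", "end": "2024-03-01T12:00:00Z"},
    {"user": "bob@partner.example", "host": "web-prod-02", "ticket": "CHG-1002",
     "start": "2024-03-01T09:00:00Z", "end": "2024-03-01T10:00:00Z"},
]

# Constructed sample data: recorded privileged sessions (JSON lines).
SESSION_LOG = """\
{"session_id": "s1", "user": "alice@partner.example", "host": "db-prod-01", "started": "2024-03-01T09:15:00Z", "ended": "2024-03-01T09:50:00Z"}
{"session_id": "s2", "user": "alice@partner.example", "host": "web-prod-02", "started": "2024-03-01T09:20:00Z", "ended": "2024-03-01T09:30:00Z"}
{"session_id": "s3", "user": "bob@partner.example", "host": "web-prod-02", "started": "2024-03-01T09:30:00Z", "ended": "2024-03-01T10:45:00Z"}
{"session_id": "s4", "user": "carol@partner.example", "host": "db-prod-01", "started": "2024-03-01T11:00:00Z", "ended": "2024-03-01T11:05:00Z"}
"""


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _matching_approval(session, approvals):
    """Return (approval, had_same_target).

    approval is the record whose user and host match the session and whose
    window covers the session's entire duration, or None. had_same_target
    says whether any approval for that user/host pair existed at all, which
    distinguishes 'never approved' from 'approved but ran past the window'.
    """
    same_target = [a for a in approvals
                   if a["user"] == session["user"] and a["host"] == session["host"]]
    started, ended = _ts(session["started"]), _ts(session["ended"])
    for approval in same_target:
        if _ts(approval["start"]) <= started and ended <= _ts(approval["end"]):
            return approval, True
    return None, bool(same_target)


def reconcile(log_text, approvals, directory):
    """Map each session to its approval ticket or emit a finding.

    Returns (attributed, findings): attributed links session ids to the
    change ticket that authorised them (the audit trail a compliance report
    needs); findings lists sessions with a reason code, in priority order
    UNKNOWN_IDENTITY, NO_APPROVAL, OUTSIDE_WINDOW.
    """
    attributed = {}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session = json.loads(line)
        base = {"session_id": session["session_id"],
                "user": session["user"], "host": session["host"]}
        # Identity no longer (or never) vouched for by the partner directory.
        if session["user"] not in directory:
            findings.append({**base, "reason": "UNKNOWN_IDENTITY"})
            continue
        approval, had_same_target = _matching_approval(session, approvals)
        if approval is not None:
            attributed[session["session_id"]] = approval["ticket"]
        else:
            reason = "OUTSIDE_WINDOW" if had_same_target else "NO_APPROVAL"
            findings.append({**base, "reason": reason})
    return attributed, findings


if __name__ == "__main__":
    ok, bad = reconcile(SESSION_LOG, APPROVALS, PARTNER_DIRECTORY)
    for session_id, ticket in ok.items():
        print(f"{session_id}: attributed to {ticket}")
    for finding in bad:
        print(f"{finding['session_id']}: {finding['reason']} "
              f"({finding['user']} on {finding['host']})")
```

With the sample data, s1 is attributed to CHG-1001; s2 has no approval for that host, s3 overran its approved window, and s4 belongs to an identity the partner directory does not vouch for. Running this against the session store on a schedule gives the reconciliation of approved versus actual access that Step 3 asks for, and the attributed map is the link from recorded activity to an identifiable user and change record that Step 5 describes.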
The bottom line
As your enterprise grows beyond the traditional network perimeter, so does the complexity of securely managing access to critical resources. Implementing these five steps allows you to minimize the attack surface, thwart in-progress attacks, and govern privileged access while enabling secure remote access for outsourced IT administrators and third-party developers.