Context: IAM

Title: Privileged Access Classification

Version: 1.2

Status: Draft

Summary

The objective of this article is to document existing privileged access taxonomies and typologies and possibly to develop a new one that is operationally adequate to support the PAM processes of organizations.

See Also


Classification

For an introduction to classification, please refer to An introduction to classifications, taxonomies and typologies (Doret, 2020).

Classification Objectives

Considering a classification of privileged accesses, the following objective is proposed:

The purpose of the privileged access classification is to facilitate the operational management and supervision of privileged access by organizations in such a way as to help organizations meet their PAM / TAM goals.

Existing Classifications

  • To do: Include literature review on privileged and technical access definitions.

Source: KPMG, 2018

Dimensions:

  • Risk

  • # of users

Classes:

  • Privileged (Managed by PAM Solution)

    • Domain Admins

    • Database, Infrastructure, Platform Admins

    • Application Admins

  • Powerful (Managed by IAG Solution)

    • Application Super Users, Database Users, Platform Remote Access Users

  • Regular (Managed by IAG Solution)

    • Standard Application Users

Defining the Population under Study

What is it that we are trying to classify?

  • To do: Provide here a clear definition of privileged access in the context of this particular note.
  • To do: Include definitions of pseudo-identities, partial identities and secrets.

Dimensions

By definition, a classification must be based on observable properties of the population being studied.

  • To do: List candidate dimensions.
  • To do: Mention the extent to which dimension categories are mutually exclusive.
  • Entities using the access (e.g. Gartner taxonomy)

    • by people

    • by software

      • by dedicated person or shared among multiple persons

  • Entities using the access (2)

    • by technical people

    • by business people

  • Genesis

    • by system (e.g. “native” accounts)

    • by people (“users” created by admins)

  • Scope of privilege

    • Single system

    • Limited set of systems (e.g. cluster admins)

    • Pervasive in the IS (e.g. domain admins)

  • Operational constraints

    • Can be deactivated or not

    • Can be renamed or not

    • Can be…

  • Level of operational risks

    • This is organization specific

  • Software stack level

    • OS

    • Middleware

    • Application

    • Others (e.g. hypervisor)

  • IAM superpowers including impersonation

    • None

    • May impersonate some other identities

    • May create other identities

    • May modify other identities, including granting and revoking accesses
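As an added example (not code from the page or from KPMG or Gartner), the candidate dimensions above are encoded as enumerations so that every access falls into exactly one category per dimension, and an assumed scoring rule maps them onto the three KPMG-style management classes from the table above. The weights, thresholds, the "holders" limit and the sample inventory are all constructed for illustration; the only page-derived parts are the dimension names, their categories and the three class labels.

```python
"""Illustrative privileged-access classifier over the candidate dimensions.
Added example: scoring weights, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Actor(Enum):          # dimension: entity using the access
    PERSON = "person"
    SOFTWARE = "software"


class Genesis(Enum):        # dimension: how the access came to exist
    NATIVE = "native"       # created by the system itself (e.g. root)
    CREATED = "created"     # created by an administrator


class Scope(Enum):          # dimension: scope of privilege, ordered by reach
    SINGLE_SYSTEM = 0
    LIMITED_SET = 1         # e.g. cluster admins
    PERVASIVE = 2           # e.g. domain admins


class Layer(Enum):          # dimension: software stack level
    APPLICATION = "application"
    MIDDLEWARE = "middleware"
    OS = "os"
    OTHER = "other"         # e.g. hypervisor


class IamPower(Enum):       # dimension: IAM superpowers, ordered by impact
    NONE = 0
    IMPERSONATE = 1
    CREATE = 2
    MODIFY = 3              # includes granting and revoking accesses


class ManagementClass(Enum):
    PRIVILEGED = "Privileged (managed by PAM solution)"
    POWERFUL = "Powerful (managed by IAG solution)"
    REGULAR = "Regular (managed by IAG solution)"


@dataclass(frozen=True)
class PrivilegedAccess:
    name: str
    actor: Actor
    shared: bool            # dedicated holder, or shared among several persons
    genesis: Genesis
    scope: Scope
    layer: Layer
    iam_power: IamPower
    can_be_deactivated: bool  # operational constraint
    user_count: int         # number of holders (the "# of users" dimension)


# Assumed ordinal risk per stack level: the lower the layer, the wider the blast radius.
LAYER_RISK = {Layer.APPLICATION: 0, Layer.MIDDLEWARE: 1, Layer.OS: 2, Layer.OTHER: 2}


def risk_score(a: PrivilegedAccess) -> int:
    """Ordinal risk derived only from observable dimensions (assumed weights)."""
    score = a.scope.value + a.iam_power.value + LAYER_RISK[a.layer]
    if a.shared:
        score += 1          # shared credentials weaken individual accountability
    if a.actor is Actor.SOFTWARE:
        score += 1          # non-human use: no interactive MFA, long-lived secret
    return score


def classify(a: PrivilegedAccess) -> ManagementClass:
    """Map the risk score onto the three classes; thresholds are assumptions."""
    r = risk_score(a)
    if r >= 4:
        return ManagementClass.PRIVILEGED
    if r >= 2:
        return ManagementClass.POWERFUL
    return ManagementClass.REGULAR


def required_control(a: PrivilegedAccess) -> str:
    """The operational constraint drives the control: a native account that cannot
    be deactivated has to be vaulted and rotated rather than disabled when unused."""
    if classify(a) is not ManagementClass.PRIVILEGED:
        return "periodic access review (IAG)"
    if not a.can_be_deactivated:
        return "vault and rotate"
    return "disable when unused, check-out on demand"


def findings(a: PrivilegedAccess) -> list[str]:
    """Consistency checks between the class and the '# of users' dimension."""
    out = []
    if classify(a) is ManagementClass.PRIVILEGED and a.user_count > 10:
        out.append(f"{a.name}: {a.user_count} holders for a PAM-managed access")
    if a.shared and a.actor is Actor.PERSON:
        out.append(f"{a.name}: shared among persons, accountability is lost")
    return out


def inventory(accesses) -> dict[ManagementClass, list[str]]:
    """Group access names by management class."""
    groups = defaultdict(list)
    for a in accesses:
        groups[classify(a)].append(a.name)
    return dict(groups)


# Constructed sample inventory (not real accounts).
SAMPLE = [
    PrivilegedAccess("AD Domain Admins", Actor.PERSON, False, Genesis.CREATED,
                     Scope.PERVASIVE, Layer.OS, IamPower.MODIFY, True, 4),
    PrivilegedAccess("root on db-cluster", Actor.PERSON, True, Genesis.NATIVE,
                     Scope.LIMITED_SET, Layer.OS, IamPower.NONE, False, 12),
    PrivilegedAccess("ERP super user", Actor.PERSON, False, Genesis.CREATED,
                     Scope.SINGLE_SYSTEM, Layer.APPLICATION, IamPower.CREATE, True, 3),
    PrivilegedAccess("batch service account", Actor.SOFTWARE, False, Genesis.CREATED,
                     Scope.SINGLE_SYSTEM, Layer.MIDDLEWARE, IamPower.NONE, True, 1),
    PrivilegedAccess("CRM standard user", Actor.PERSON, False, Genesis.CREATED,
                     Scope.SINGLE_SYSTEM, Layer.APPLICATION, IamPower.NONE, True, 800),
]

if __name__ == "__main__":
    for cls, names in inventory(SAMPLE).items():
        print(cls.value, names)
    for a in SAMPLE:
        print(a.name, "->", required_control(a), findings(a))
```

Because each dimension is an enumeration, the categories within a dimension are mutually exclusive by construction; what the scoring rule adds is the organization-specific judgement ("Level of operational risks" above), which is why the weights are the part to calibrate rather than reuse.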

...

User Access Management versus Secret Management

  • To do: Propose candidate classifications.

Bibliography

...

Jira: CM-5, https://open-measure.atlassian.net/browse/CM-5