Context | IAM |
---|---|
Title | Privileged Access Classification |
Contributors |
|
Version |
|
Summary | The objective of this article is to document existing privileged access taxonomies and typologies and possibly to develop a new one that is operationally adequate to support the PAM processes of organizations. |
See Also |
Classification
For an introduction to classification, please refer to An introduction to classifications, taxonomies and typologies.
Classification Objectives
Considering a classification of privileged accesses, the following objective is proposed:
The purpose of the privileged access classification is to facilitate the operational management and supervision of privileged access by organizations in such a way as to help organizations meet their PAM / TAM goals.
Existing Classifications
- Include literature review on privileged and technical access definitions.
Source | Dimensions | Classes |
---|---|---|
|
|
Defining the Population under Study
What is it that we are trying to classify?
- Provide here a clear definition of privileged access in the context of this particular note.
- Include def of pseudo-identities, partial identities and secrets
Dimensions
By definition, a classification must be based on observable properties of population being studied.
- List candidate dimensions
- Mention the extent to which dimension categories are mutually exclusive
Entities using the access (e.g.: Gartner taxonomy)
by people
by software
by dedicated person or shared among multiple persons
Entities using the access (2)
by technical people
by business people
Genesis
by system (e.g. “native” accounts)
by people (“users” created by admins)
Scope of privilege
Single system
Limited set of systems (e.g. cluster admins)
Pervasive in the IS (e.g. domain admins)
Operational constraints
Can be deactivated or not
Can be renamed or not
Can be…
Level of operational risks
This is organization specific
Software stack level
OS
Middleware
Application
Others (e.g. hypervisor)
IAM superpowers including impersonation
None
May impersonate some other identities
May create other identities
May modify other identities, including granting and revoking accesses
…
User Access MAnagement va Privileged Access Management
User Access Management versus Technical Access Management
User Access Management versus Secret Management
- Propose candidate classifications