Privileged Identity Management : English Wikipedia
Privileged Identity Management
Privileged Identity Management (PIM) is a domain within Identity Management focused on the special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as an Information Security and governance tool to help companies meet compliance regulations and to prevent internal data breaches that occur through the use of privileged accounts. The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization or industry.
See also Privileged password management, since the usual strategy for securing privileged identities is to periodically scramble their passwords, securely store current password values and control disclosure of those passwords.
Different market participants refer to products in this category using similar but distinct terminology. As a result, some analyst firms refer to this market as "PxM" indicating multiple possible words for "x":
* Privileged Access Management
* Privileged User Management
* Privileged Account Management
* Privileged Identity Management
* Privileged Password Management
* Privileged Account Security
The commonality is that a shared framework controls the access of authorized users and other identities to elevated privileges across multiple systems deployed in an organization.
== Special Requirement of Privileged Identities ==

A Privileged Identity Management technology needs to accommodate the special needs of privileged accounts, including their provisioning and life cycle management, authentication, authorization, password management, auditing, and access controls.
* Provisioning and life cycle management -- handles the access permissions of a personal user to shared/generic privileged accounts based on roles and policies.
** Note: built-in privileged accounts are not normally managed using an identity management system (privileged or otherwise), as these accounts are automatically created when an OS, database, etc. is first installed and decommissioned along with the system or device.
* Authentication
** First use case -- control authentication into the privileged accounts, for example by regularly changing their password.
** Second use case -- control authentication into a privileged access management system, from which a user or application may "check out" access to a privileged account.
* Authorization -- control what users and what applications are allowed access to which privileged accounts or elevated privileges.
** First use case -- pre-authorized access ("these users can use these accounts on these systems any time.").
** Second use case -- one-time access ("these users can request access to these accounts on these systems, but such requests for short-term access must first be approved by ...").
* Password Management -- scheduled and event-triggered password changes and password complexity rules, all applying new password values to privileged accounts.
* Auditing -- both event logs (who accessed which account, when, etc.) and session capture (record/replay what happened during a login session to a given account).
* Access Controls -- control what a given user, connected to a given privileged account, on a given system, can do. Two design principles need to be balanced here: the principle of least privilege and a desire to minimize the need to develop and maintain complex access control rules.
* Session Recording -- the ability to record access to privileged accounts is vital both from a security and compliance perspective.
* Session isolation -- controlling access to privileged accounts using a session proxy (or next generation jump server) can prevent issues such as pass-the-hash attacks and malware propagation.
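
The following is an added example, not part of the original article or of any product: a minimal in-memory password vault showing how the authorization, password management and auditing items above fit together (pre-authorized versus approved one-time check-out, rotation on check-in, an event log). The class name `Vault`, its methods, the rule that a requester cannot approve their own request, and the one-hour approval lifetime are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Vault:
    # Policy sets hold (user, account, system) tuples; every name used is a constructed sample.
    preauthorized: set                              # "any time" access
    requestable: set                                # access only after approval
    passwords: dict = field(default_factory=dict)   # (account, system) -> current value
    approvals: dict = field(default_factory=dict)   # (user, account, system) -> expiry
    audit: list = field(default_factory=list)       # event log: when, who, what, outcome

    def _log(self, who, account, system, event, now):
        self.audit.append((now.isoformat(), who, account, system, event))

    def rotate(self, account, system):
        """Password management: apply a fresh random value to the account."""
        self.passwords[(account, system)] = secrets.token_urlsafe(24)

    def approve(self, approver, user, account, system, now, ttl=timedelta(hours=1)):
        """One-time access: a second person grants a short-lived approval."""
        key = (user, account, system)
        ok = key in self.requestable and approver != user  # assumed rule: no self-approval
        if ok:
            self.approvals[key] = now + ttl
        self._log(approver, account, system, f"approved:{user}" if ok else f"refused:{user}", now)
        return ok

    def check_out(self, user, account, system, now):
        """Disclose the current password only when policy allows it."""
        key = (user, account, system)
        expiry = self.approvals.pop(key, None)      # an approval is consumed on first use
        allowed = key in self.preauthorized or (expiry is not None and now <= expiry)
        self._log(user, account, system, "checkout" if allowed else "denied", now)
        return self.passwords.get((account, system)) if allowed else None

    def check_in(self, user, account, system, now):
        """Event-triggered change: the disclosed value stops working after use."""
        self.rotate(account, system)
        self._log(user, account, system, "checkin-rotated", now)

if __name__ == "__main__":
    t0 = datetime(2016, 1, 1, tzinfo=timezone.utc)
    v = Vault({("alice", "root", "db01")}, {("bob", "root", "db01")})
    v.rotate("root", "db01")
    print(v.check_out("bob", "root", "db01", t0))             # no approval yet
    v.approve("carol", "bob", "root", "db01", t0)
    print(v.check_out("bob", "root", "db01", t0) is not None)
    v.check_in("bob", "root", "db01", t0)
    print(*v.audit, sep="\n")
```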

Excerpt source: Wikipedia, the free encyclopedia