Privileged Access – Did you define it first?
As many know (and dislike), I am big on understanding the CONTEXT of words/terms when it comes to (physical / fraud / cyber) security, so today I was thinking about “privileged access”. I have to do this, because I am always thinking about how to scale the management of some security control.
The default that many people, suppliers, and vendors think of, I suspect, is ‘root’ or ‘admin’ or some ‘god-like’ access in the cyber world. In the physical world, it is the “master key”, the “All zones” badge access, etc.
General American English definition
“having special rights, advantages, or immunities”
If you have “read only” access to an application/dataset and Billy Bob has some authorization above “read only”, does Billy Bob have “privileged access”? Is “read only” more privileged than NO access?
I think it’s more like this: if Billy Bob has some level of access above “Read Only”, he can (potentially) impact confidentiality, integrity, AND availability, whereas I, with ONLY “read only”, can only impact confidentiality. (Impact is relative, I know.)
If Billy Bob is considered to have “privileged access” because his access is greater than “read only”, does the person with ‘root’ on the same system also have “privileged access”?
You only have access to the front door and the employee entrance door; is your access “privileged” because you have more access than the public? If Billy Bob has access to ALL the doors, does he have “privileged access”? But what about the person that sets up your and Billy Bob’s building access privileges in the access control application/system? Do they have “privileged access”?
Knowledge / Information World
CEO has access to the latest merger information, whereas a payroll reporting expert has “read only” access to all the PII for all employees, whereas a supplier JUST has physical access to your core router 24×7.
Things to Ponder and Ask Yourself and Your Organization
Have I/we defined what is and what isn’t “privileged access” in my organization? Do we inventory ALL “privileged access”? Do we log ALL “privileged access”? When our favorite auditor comes along and asks for a list of “privileged access”, what do we give them? Does any of my supply chain have “privileged access” to my organization? Have I ever considered graphically mapping (network link analysis) the totality of our “privileged access”? You know, the easy questions.
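As an added example (not the post’s own code; the subjects, systems and rights scale are constructed), here is a small Python inventory that applies the working definition above, anything beyond read-only is privileged because it can touch integrity and availability, and produces both the list an auditor would ask for and the subject-to-resource link map the last question mentions:

```python
from collections import defaultdict
from dataclasses import dataclass

# Rights ordered from least to most capable (constructed scale, not from the post).
RIGHT_ORDER = ["none", "read", "write", "admin", "root"]


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    right: str                 # one of RIGHT_ORDER
    third_party: bool = False  # supplier / vendor in the supply chain


def cia_impact(right: str) -> set:
    """Properties a right can (potentially) affect, per the post's reasoning."""
    level = RIGHT_ORDER.index(right)
    if level == 0:
        return set()
    if level == 1:              # read-only: confidentiality only
        return {"confidentiality"}
    return {"confidentiality", "integrity", "availability"}


def is_privileged(grant: Grant) -> bool:
    """Working definition: anything above read-only is privileged."""
    return RIGHT_ORDER.index(grant.right) > RIGHT_ORDER.index("read")


def auditor_list(grants) -> list:
    """What you hand the auditor: (subject, resource, right, third_party) rows."""
    return sorted((g.subject, g.resource, g.right, g.third_party)
                  for g in grants if is_privileged(g))


def link_map(grants) -> dict:
    """Subject -> set of resources reached with privileged rights (link analysis)."""
    links = defaultdict(set)
    for g in grants:
        if is_privileged(g):
            links[g.subject].add(g.resource)
    return dict(links)


# Constructed sample inventory mirroring the post's characters.
SAMPLE = [
    Grant("me", "hr-app", "read"),
    Grant("billy-bob", "hr-app", "write"),
    Grant("badge-admin", "badge-system", "admin"),  # sets up everyone's door access
    Grant("router-vendor", "core-router", "root", third_party=True),
    Grant("public", "front-door", "none"),
]
```

Because the definition lives in one function, changing the organization’s answer (for example, treating read-only access to all PII as privileged) changes the auditor list and the link map everywhere at once.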
Normal Disclaimers: http://mychurchsecurity.com/disclaimers