How is your organization addressing Identity and Access Management (IAM)? More important, how are you handling administrative and service accounts?A lot of organizations are pumping money into Identity and Access Management (IAM). Yet many of those same companies tend struggle to address the challenge of managing the administrative and service accounts. It\u2019s not uncommon to see password-protected spreadsheets and notebooks stored in a locked desk drawer.The challenge is for many is what to do with Privileged Identity Management. Turns out part of the challenge might be the way we\u2019re thinking about it.Jonathan Sander (@sanderiam,\u00a0LinkedIn),VP of Product Strategy at Lieberman Software, takes a different approach. He\u2019s an enterprise security veteran with over 20 years of experience. He\u2019s worked with some of the world\u2019s largest and smallest organizations to improve their programs and results. Currently working in the Privileged Identity Management space running product strategy for Lieberman, he did the same for STEALTHbits Technologies, and built what became the Quest One Identity Suite from the ground up with Quest Software and then Dell.His experience is remarkable. But even better is the conversation. Jonathan is witty, sharp, and always brings value to the table. That's why I trust him as an advisor to me (disclosure: I consider Jonathan a friend and an advisor.\u00a0He's not a client. I'm not his client.\u00a0He's just that good).\u00a0This time was no different\u2026In our opening, he caught my attention by suggesting that privileged identity is a blind spot in the reality of Identity and Access Management (IAM). Or maybe that\u2019s how I heard it\u2026Explain how the reality of IAM creates a blind spot for privileged identity managementSecuring privileged identities, all the admin credentials, root accounts, enable accounts, and everything that has lots of power like that, has been a big hole in many security programs. I\u2019m not sure I would call it a blind spot because if you ask any security pro about this, they will absolutely agree there is a terrible risk associated with these accounts.The problem is how we frame the issues and solutions. Privileged identity management is seen as a subcategory of identity management. Whether or not it is is an academic debate, but the effect has put it in competition for budget and resources with single sign on projects, multi-factor authentication roll outs, provisioning programs, and other items that are connected to end user security. When you give the security teams and IT folks a choice of locking down the end users or the admins, it\u2019s not too hard to guess who they will choose. Of course they go after the end users.Another effect of being a subcategory of IAM is privileged identity hard to fit into the models and approaches people use.Policies in identity are strongly linked to humans. You are provisioned an entitlement because of who you are and what roles you play. Systems make rules about how and when your authentications are valid based on the same ideas. Ultimately, the policies of IAM revolve around individuals. Linking policies to control privileged identities to people is an anti-pattern. Sure, you may have rules about what humans can handle what privileges. But the privileged identities themselves need to be locked down and those policies need to revolve around the risk associated with the underlying systems and data to which they are closely linked.I recently spoke with a CIO who told me their research applications all run under one specific account. I pressed him about who has access to the account, and it boiled down to just about every admin. At some point they required it, and since that account was so widely used they couldn\u2019t really change its password or other attributes. So every admin in the company was running with scissors and the way this guy slept at night was \u201cwe have two factor for all the initial logins.\u201dThe policy about people requiring two factor doesn\u2019t do a thing to actually protect against accidental - or malicious - use of this very powerful account. People are simply too trusting of their admins in many cases.How does the trust factor impact the way we think about privileged identity management?Trust plays a big role in how people approach the privilege problem. It makes sense that people trust their staff. They hired them. They work with them every day. From a simple, psychological viewpoint, people are wired to trust those they are in constant contact with and in whom they have something invested like the thought \u201cI hired them so they must be a good choice.\u201dBut recent history - and headlines - are littered with examples of people who went from trusted employee to insider threat in the space of one misplaced comment or change in HR policy. And if you don\u2019t buy the massive scale of insider threat, then you have to realize that no one is perfect. If everyone runs around with scissors, eventually someone\u2019s going to put someone\u2019s eye out.What\u2019s really interesting is what often happens when we get the over trusting executives together with the admins in whom they are placing that trust. IT leaders very often came from the IT ranks. I\u2019m old enough to remember when having the root password was a sign of being one of the cool kids. Lots of executives still think that their admin users want to have that cool factor.They trust them, and they want them to be happy. So they let them keep what they see as a perk. But the odd thing is that a massive majority of smart admins today don\u2019t want it. They have come up in the times of a new breach every day and see the direct connection privilege has to that.When you offer the notion of a system that will lock all those risky accounts without interrupting operations or their day to day lives, they\u2019re all over it. The admins see automated security as a lot cooler than a memorized root password.They\u2019re also smart enough to know that when the breach or the big \u201coops\u201d happens, if they can prove they were *not* the last one with their hand on the stove, then they will be a lot better off. The bigger adjustment is often for the more senior folks and the leaders who still think of privilege in terms of the superintendent of a building.Share your example about the \u201csuperintendent of the building\u201dWhen many people think about IT administrators, they picture the super in a building. What\u2019s one of the first things you picture when you think \u201cbuilding super?\u201d It\u2019s likely the big ring of keys they have on their belt. The super has this big keyring so they can get into any room in the building to do what they need to do any time they need to do it.This is pretty much exactly how we have been treating privileged identity. The admin has a big keyring filled with passwords, SSH keys, certs, and more. They have unfettered access to it. They may even pass it around to be used by a whole group of folks.However, there is one huge problem with the superintendent metaphor. When a super uses a key from the keyring and then leaves, the key goes away, too. Often when an admin uses her key to get into a system, a piece of that key is left behind. On Windows it\u2019s a ticket. On other systems it may be a key, a record in a log, or some other fragment.Those little pieces are a big problem.The bad guys can land on a system through a phishing email filled with malware and luck out to find a ticket left there from a helpdesk engineer who recently got on the system to clean on this luser\u2019s last bout of malware infection. Once they have that key left behind, they can use it to start spreading out, going lateral, and that\u2019s what the bad guys are really after.Because of the superintendent image, many folks have focused on the wrong part of the privilege challenge.They figure, like with IAM policies, if they can lock down the user then they have controlled that keyring the user has as well. That thinking is fraught with problems, but the worst problem is that the keys on that keyring have a whole life of their own outside of being on the super\u2019s belt. Bad guys know that and they are ransacking our properties with keys they basically find on the ground every time they get someone to click on the wrong email.You suggest a better way is to think about the way security guards handle keys. How does that work?If the superintendent is the wrong image, then we need to get a better one. My suggestion is to think about all the administrators more like security guards in a locked down facility. We\u2019ve all seen it in movies, and maybe some of us have seen it in real life.In a facility like that, the keys aren\u2019t on anyone\u2019s belt. They live in a locked box in a locked room.If you need a key, you go there, go through a sign out process, and you get the key on a provisional basis. If that key isn\u2019t back in the box in a certain amount of time, then someone is going to go looking for it because that means there is something wrong. Someone is going to find that key, and whoever has got their hands on it.This is exactly how you can envision privileged identity management in your shop. Now all the credentials are locked up in a secured library. When they are needed, people and systems can check them out. Some maybe just require a simple log in to check out, maybe others require prior authorization or approval steps.And the key part is what happens after that.Once the checkout expires, then the credential must be rotated. The password must be changed, or the account swapped, or whatever makes sure that the access which was granted is now revoked. And that rotation is not just for checkouts. The people we deal with who have the highest levels of security awareness are rotating their privileged identities aggressively all the time.That helps protect against the \u201ckey on the floor\u201d problem. You can\u2019t stop Windows from keeping a copy of that ticket, but if you\u2019re rotating that account aggressively then you\u2019ll pull the rug out from under that bad guy who found it on the floor and tries to use it. Not to mention that if you integrate the PIM system with your SIEM and analytics, you could know for sure that someone using that key right now is not using it in tandem with a valid checkout. That means you should go get \u2018em. That\u2019s someone doing something wrong.One thing people often think is this will cause a lot of problems for your admins and automated systems. Of course, you could implement the wrong solution or the right solution the wrong way and get that result. But executed well, PIM shouldn\u2019t disturb anything. It will put a layer of abstraction between admins and privileges - they don\u2019t have that keyring on their belt anymore. But most of them don\u2019t even want that is the high risk world we have today.As for automation, PIM goes with that like a hand in a glove when you do it well. You can actually make the automation and orchestration more efficient by hooking it up to a highly automated PIM system rather than relying on humans to update every single place a password or other credential needs to be touched. The system won\u2019t forget a spot once it\u2019s set up and let loose.This has actually led to some of our most advanced customers hooking up PIM to their DFIR systems. Security has moved fast into a \u201cdetect and respond\u201d mindset to fight automated foes, but the \u201crespond\u201d side has largely been about smart security analysts doing things. With PIM in place, in response to any credible threat they can rotate all the connected credentials. This does nothing to the good guys since they would be going to the lock box to get the keys anyway, and the box is as up to date as the last rotation all the time. The bad guys, however, are now starting from zero again as we just pulled the rug out from under them.To get started - perhaps in realigning PIM with incident response - it starts with a conversationIf you\u2019re starting from zero or even starting over after doing the wrong thing with your privilege approach, then my suggestion is you find your best administrator and talk to them. I\u2019m not talking about the security person or even that person in operations who is always talking about security. Find that one person everyone recognizes as the one who knows it all. Every shop has one or two of these folks. Ask her how privilege is really used. Have her map out how admins use it, where it\u2019s used in automated systems like backups and updates, and all the likely surprising spots where your team has found to tuck away privileged identities to make all the IT magic happen smoothly.That\u2019s going to be your actual set of requirements. Starting from the idea that you should get a \u201cvault\u201d and build out from there is a broken mindset. The problem is not the place you\u2019ll put all these privileged identities, it\u2019s how you\u2019re going to get them integrated into your real processes and actual operations.Solving the privileged identity management challenges isn\u2019t all that different than all the other big problems IT has taken on over the years. It will take a deep understanding of the requirements, commitment to a layered solution, and all that jazz. But if you start from the point of view of your fighter pilot level admins and go after the use cases they think have the biggest risk impact, then you\u2019re doing things right. If the system you build can knock over those big challenges, then the simple stuff will be easy.