Securing IT Admin identities: 7 ways to fortify your PAM and identity security strategy


Once upon a time, in an IT kingdom very familiar to you, an elite group of employees called themselves “IT Admins.”

They sat in a special room with a round table and controlled the keys to the kingdom (quite literally). If somebody needed to get access to a system, reset a password, or install new software, they were your knights in shining armor. They took care of it. These were trusted knights of the realm, and their methods and techniques were inscrutable and well-documented.

Until one day, clouds formed on the horizon. Specifically, Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure.

A group of IT Admins developed specialized knowledge and powers. They used new workflows and tools and didn’t always share them with the rest of the table. While they spun up very positive potions for the kingdom, the king worried those potions might fall into the wrong hands.

Additionally, the IT Admins realized they didn’t need to sit at the round table together. They could travel far and wide across the land and still keep the kingdom running.

Thank you for indulging me in telling that brief fairy tale. You may have noticed it didn’t have an ending—not yet at least.

This simple story reflects how reality has changed for modern organizations. Just as the king in the fairy tale is concerned about risk, so are security leaders responsible for protecting critical IT infrastructure and sensitive data.

In this blog, the first part of our series on the different identity types operating in the modern organization, we’ll cover how the definition of IT Admin has changed and share strategies to keep your kingdom safe.

What is an IT Admin?

The term “IT Admin” used to have a very clear definition that IT, management, and regular employees widely understood.

The classical definition of an IT Admin is a person in the IT department with elevated rights to perform a task or enable some capability in the organization. They hold badged credentials and have titles with the words ‘administrator’ in them, such as firewall administrator, network administrator, help desk administrator, proxy server administrator, AD administrator, and domain administrator. They are typically members of an Active Directory (AD) group with other people with similar titles.

Their activities, such as how long they can be in an application or system, are recorded and audited. Their credentials are most certainly vaulted in some type of Privileged Access Management (PAM) vault where passwords and keys are stored and rotated.

In this traditional model, processes such as provisioning identities, setting permissions, vacation coverage, and business continuity/disaster recovery situations are standardized and well-documented, whether they are managed manually or with the support of automated tools. Traditionally, IT Admins sat in the data center, inside the network perimeter.

No magic wand here, just seven steps to regain control 

Securing IT Admin Identities: 7 things to do

Most organizations are awash with privileged users. If any one of these gets compromised, it could spell disaster for the organization. Think ransomware, remote access toolkit (RAT), data exfiltration, and more.

Here are 7 things you can do to help find and regain control over IT Admin identities:

1. Discover and inventory all your privileged users

This sounds obvious, but it is surprisingly hard to do. Currently, many organizations have one of their IT staff use each cloud provider's native console (one per cloud in a multi-cloud environment) or run scripts against the cloud APIs to attempt to inventory privileged users. The results are typically presented in Excel or Confluence, but are outdated almost the instant they are created.

A better way is to run a solution that scans your entire multi-cloud environment, scans your identity providers (IdPs) such as Azure AD, Entra ID, Okta, Ping, and traditional AD, and creates a complete, up-to-the-second inventory of every admin, privileged user (a regular user who happens to have more than normal access), and shadow admin. In this manner, a single view of privilege across the entire organization can be presented on a single screen. Elements of AI systems, such as AI agents, can even be discovered and inventoried.
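To make the idea of a normalized, cross-source inventory concrete, here is an added example (not Delinea's code, and not any vendor's API): it takes constructed snapshots shaped like AWS IAM, Entra ID, and on-premises AD listings, normalizes them into one record type, collapses to a per-person view of who holds privilege where, and flags shadow admins, meaning identities that hold an admin-level entitlement without being in a group the organization officially designates for admins. The entitlement names and the designated admin groups are assumptions for the example.

```python
"""Cross-source privileged-identity inventory with shadow-admin detection.
All snapshot data below is constructed; the source schemas and the
entitlement/group names are assumptions for this example."""
from dataclasses import dataclass, field

# Entitlements that confer admin-level power, per source (assumed names).
PRIVILEGED = {
    "aws":   {"AdministratorAccess", "IAMFullAccess"},
    "entra": {"Global Administrator", "Privileged Role Administrator"},
    "ad":    {"Domain Admins", "Enterprise Admins"},
}
# Groups the organization officially sanctions for admin duty (assumed).
ADMIN_GROUPS = {"CloudAdmins", "IT-Admins", "Domain Admins"}


@dataclass
class Identity:
    principal: str
    source: str
    entitlements: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    @property
    def privileged(self) -> bool:
        return bool(self.entitlements & PRIVILEGED[self.source])

    @property
    def shadow_admin(self) -> bool:
        # Admin-level power without membership in any sanctioned admin group.
        return self.privileged and not (self.groups & ADMIN_GROUPS)


# Constructed snapshots, each in the rough shape of its own source.
AWS_IAM = [
    {"UserName": "alice", "AttachedManagedPolicies": ["AdministratorAccess"], "Groups": ["CloudAdmins"]},
    {"UserName": "bob",   "AttachedManagedPolicies": ["ReadOnlyAccess"],      "Groups": []},
    {"UserName": "carol", "AttachedManagedPolicies": ["IAMFullAccess"],       "Groups": ["Developers"]},
]
ENTRA = [
    {"userPrincipalName": "alice@corp.example", "directoryRoles": ["Global Administrator"],          "memberOf": ["IT-Admins"]},
    {"userPrincipalName": "dave@corp.example",  "directoryRoles": ["Privileged Role Administrator"], "memberOf": ["Finance"]},
]
AD = [
    {"sAMAccountName": "alice", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "erin",  "memberOf": ["Enterprise Admins", "Helpdesk"]},
]


def normalize() -> list:
    """Fold every source into a flat list of Identity records."""
    inv = []
    for u in AWS_IAM:
        inv.append(Identity(u["UserName"], "aws", set(u["AttachedManagedPolicies"]), set(u["Groups"])))
    for u in ENTRA:
        name = u["userPrincipalName"].split("@")[0]
        inv.append(Identity(name, "entra", set(u["directoryRoles"]), set(u["memberOf"])))
    for u in AD:
        # In AD the group membership *is* the entitlement, so it counts on both sides.
        inv.append(Identity(u["sAMAccountName"], "ad", set(u["memberOf"]), set(u["memberOf"])))
    return inv


def privileged_view(inventory) -> dict:
    """One row per person: the set of sources in which they hold privilege."""
    view = {}
    for ident in inventory:
        if ident.privileged:
            view.setdefault(ident.principal, set()).add(ident.source)
    return view


def shadow_admins(inventory) -> list:
    """Sorted 'principal@source' labels for every shadow admin found."""
    return sorted(f"{i.principal}@{i.source}" for i in inventory if i.shadow_admin)


if __name__ == "__main__":
    inventory = normalize()
    for person, sources in sorted(privileged_view(inventory).items()):
        print(f"{person:8} privileged in: {', '.join(sorted(sources))}")
    print("shadow admins:", shadow_admins(inventory))
```

The per-person view is what makes a single screen possible: alice appears three times in the raw listings but once in the view, with every source that grants her privilege. In a real deployment the three constructed lists would be replaced by live reads from each provider, and the snapshot would be regenerated on a schedule rather than exported once to a spreadsheet.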

2. Vault (all) admin credentials

Now that we have a single view of privilege, the security fun can begin. As a policy, most organizations require their traditional administrators to have their credentials vaulted. The vault can securely store, rotate, and replay credentials to applications, taking the burden off the IT admin to manage them. It also presents other policy and monitoring tools that we’ll discuss further down, which can now be applied uniformly across the organization.

3. Apply modern MFA

Is anybody here still using a RADIUS server for authentication? Be honest. Of course not (ahem). Modern multi-factor authentication (MFA) refers to using the latest standards and user-accepted methods, such as authenticating on a mobile device. It includes authenticators such as Duo, Entra ID, and FIDO2. In most organizations, a one-size-fits-all authentication process doesn't work for every user.

Now you can enforce MFA consistently for all your privileged users and admins across the organization using the type of MFA that meets your security needs and their access preferences. It allows you to better balance security and convenience.

4. Roll out policy management

When can an admin access a certain target resource, and under what conditions? That’s the heart of policy management. Having a complete view of every IT admin throughout your environment gives you the power to enforce consistent policies regardless of what system the user has access to or whether they are a cloud user. Time-bound access. Check. Allow for remote access to certain systems but not to others. Check.
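The two checks in that paragraph, time-bound access and per-target remote access, are easy to reason about once the policy is written down as data. The following is an added example, not Delinea's code or any product's policy format: a small default-deny evaluator over a constructed rule table. Each rule names a role and a target and carries optional weekday and daily-window constraints (windows may cross midnight for overnight maintenance), a flag for whether the target may be reached remotely, and an optional expiry that turns a rule into a just-in-time grant. The roles, targets, and rules are assumptions for the example.

```python
"""Default-deny access policy evaluator with time-bound and remote-access rules.
The POLICIES table is constructed for this example; roles and targets are assumed."""
from datetime import datetime, time

POLICIES = [
    # DBAs reach the production database only on weekdays, 08:00-18:00, and only on-site.
    {"role": "dba", "target": "prod-db", "days": {0, 1, 2, 3, 4},
     "window": (time(8, 0), time(18, 0)), "remote": False, "expires": None},
    # Staging is unrestricted for DBAs, including remotely.
    {"role": "dba", "target": "staging-db", "days": None,
     "window": None, "remote": True, "expires": None},
    # Firewall changes happen in an overnight window; remote is fine.
    {"role": "netadmin", "target": "core-fw", "days": None,
     "window": (time(22, 0), time(6, 0)), "remote": True, "expires": None},
    # Just-in-time grant for a contractor that lapses on its own.
    {"role": "contractor", "target": "jump-host", "days": None,
     "window": None, "remote": True, "expires": datetime(2024, 5, 31, 23, 59)},
]


def in_window(window, when: datetime) -> bool:
    """True if `when` falls inside a daily window; handles windows crossing midnight."""
    if window is None:
        return True
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # e.g. 22:00-06:00


def evaluate(role: str, target: str, when: datetime, remote: bool):
    """Return (decision, reason). Nothing matches -> deny."""
    for rule in POLICIES:
        if rule["role"] != role or rule["target"] != target:
            continue
        if rule["expires"] is not None and when > rule["expires"]:
            return ("deny", "grant expired")
        if rule["days"] is not None and when.weekday() not in rule["days"]:
            return ("deny", "outside permitted days")
        if not in_window(rule["window"], when):
            return ("deny", "outside permitted hours")
        if remote and not rule["remote"]:
            return ("deny", "remote access not permitted for this target")
        return ("allow", "matched policy")
    return ("deny", "no policy grants access")


if __name__ == "__main__":
    # 2024-05-06 is a Monday; 2024-05-11 is a Saturday (constructed requests).
    for req in [("dba", "prod-db", datetime(2024, 5, 6, 10, 0), False),
                ("dba", "prod-db", datetime(2024, 5, 6, 10, 0), True),
                ("dba", "prod-db", datetime(2024, 5, 11, 10, 0), False),
                ("netadmin", "core-fw", datetime(2024, 5, 7, 3, 0), True),
                ("contractor", "jump-host", datetime(2024, 6, 3, 9, 0), True),
                ("dev", "prod-db", datetime(2024, 5, 6, 10, 0), False)]:
        print(req[:2], req[2].isoformat(), "remote" if req[3] else "on-site", "->", evaluate(*req))
```

The ordering of checks matters for the audit trail: returning the first failing condition as the reason tells the admin (and the reviewer reading the log) exactly which constraint blocked the request, while the final `deny` keeps any role/target pair without an explicit rule closed.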

5. Engage session management

Cloud developers, especially, consider themselves immune to any type of security control that sits between them and their code. So care must be taken. Session management adds a gentle layer of protection, requiring the admin to "check out" the application. A screen comes up, and a reason field may be requested to help justify access.

The entire interaction spans 20 seconds but can be paired with other security requirements, such as multi-factor authentication (MFA), to ensure it is a legitimate user requesting access. Session recording and post-session forensics can evaluate behaviors and actions deemed suspicious for potential follow-up.

6. Enforce the Principle of Least Privilege

No user or machine identity should have more privileges than are necessary to do its job. That's the principle of least privilege. That sounds great, but enforcing it uniformly across all IT admin identity types can present a significant challenge. After all, who or what knows what each role should and should not have?

Here is where advanced analytics comes in. By normalizing user behavior across groups and by having anomaly detection in place, it's possible to baseline a normal set of permissions for any particular IT admin type. If an IT admin has not used a particular system in, say, six months, do they really need that access?

Least privilege should be a continuous exercise done in an automated fashion across all admins, and a “re-factoring” of the most egregious over-privileged admins should be done consistently to ensure any account takeover doesn’t get very far.
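The two analytics described in this step, a per-role baseline of "normal" entitlements and a staleness check on entitlements unused for six months, can be run together over one dataset. The block below is an added example (not Delinea's code) over a constructed entitlement table of (principal, role, entitlement, last-used timestamp); the roles, entitlement names, and dates are assumptions. It derives the baseline as the entitlements held by a majority of a role's members, flags each admin's entitlements outside that baseline, flags anything unused for 180 days or never used, and ranks admins by the number of findings so the most over-privileged accounts surface first for refactoring.

```python
"""Least-privilege analytics: per-role baselines, stale entitlements, refactor ranking.
The ENTITLEMENTS table, the roles, and the dates are constructed for this example."""
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)            # fixed "now" so the example is reproducible
STALE_AFTER = timedelta(days=180)     # the "six months" rule of thumb from the text

# (principal, role, entitlement, last_used or None if never used)
ENTITLEMENTS = [
    ("alice", "cloud-admin", "aws:AdministratorAccess",   datetime(2024, 5, 30)),
    ("alice", "cloud-admin", "entra:GlobalAdministrator", datetime(2024, 5, 28)),
    ("alice", "cloud-admin", "ad:DomainAdmins",           datetime(2024, 5, 25)),   # used, but peers lack it
    ("frank", "cloud-admin", "aws:AdministratorAccess",   datetime(2024, 5, 31)),
    ("frank", "cloud-admin", "entra:GlobalAdministrator", datetime(2023, 10, 1)),   # normal for role, unused
    ("grace", "cloud-admin", "aws:AdministratorAccess",   datetime(2024, 5, 29)),
    ("grace", "cloud-admin", "entra:GlobalAdministrator", datetime(2024, 4, 1)),
    ("grace", "cloud-admin", "gcp:Owner",                 None),                    # never used
    ("grace", "cloud-admin", "aws:IAMFullAccess",         None),                    # never used
    ("heidi", "helpdesk",    "ad:AccountOperators",       datetime(2024, 5, 31)),
    ("heidi", "helpdesk",    "ad:DomainAdmins",           datetime(2023, 11, 15)),  # stale and out of profile
    ("ivan",  "helpdesk",    "ad:AccountOperators",       datetime(2024, 5, 30)),
]


def stale_entitlements(rows, now=NOW, horizon=STALE_AFTER):
    """(principal, entitlement) pairs unused for `horizon` or never used at all."""
    return [(p, e) for p, _, e, last in rows if last is None or now - last >= horizon]


def role_baseline(rows, threshold=0.5):
    """Per role, the entitlements held by more than `threshold` of its members."""
    members, holders = {}, {}
    for p, role, e, _ in rows:
        members.setdefault(role, set()).add(p)
        holders.setdefault(role, Counter())[e] += 1
    return {role: {e for e, n in holders[role].items() if n / len(members[role]) > threshold}
            for role in members}


def outliers(rows, baseline):
    """Entitlements an admin holds that are not normal for their role."""
    return [(p, e) for p, role, e, _ in rows if e not in baseline[role]]


def refactor_candidates(rows, now=NOW):
    """Admins ranked by number of distinct findings (stale or out-of-profile)."""
    findings = set(stale_entitlements(rows, now)) | set(outliers(rows, role_baseline(rows)))
    return Counter(p for p, _ in findings).most_common()


if __name__ == "__main__":
    baseline = role_baseline(ENTITLEMENTS)
    print("baseline:", baseline)
    print("stale:", stale_entitlements(ENTITLEMENTS))
    print("outliers:", outliers(ENTITLEMENTS, baseline))
    print("refactor first:", refactor_candidates(ENTITLEMENTS))
```

The majority threshold is deliberately strict: with two helpdesk members, an entitlement held by only one of them is flagged rather than accepted as normal, which is what you want for a small team where a single over-provisioned account would otherwise define the baseline. Running this on a schedule, rather than once, is what turns the step into the continuous exercise the text calls for.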

7. Activate threat protection

Scanning all user accounts, not just IT admins, for anomalous behavior and potential indicators of compromise continuously may sound like a fairy tale, but it’s actually within your reach.

A new breed of Identity Threat Detection and Response (ITDR) solutions, working alongside a next-gen PAM solution, takes a deep look across your clouds, your traditional applications, your identity providers, and your software as a service (SaaS) apps to normalize behavior and correlate activities. They present the most consequential (most likely to be compromised) identities and circumstances to your security operations team so it can resolve them and best protect the organization.

And they lived happily ever after—Delinea style!

Securing IT Admin Identities with Delinea Platform

By implementing these seven recommended measures, you can regain control over your identity security and PAM environments, ensuring robust security and operational efficiency in the face of evolving threats and technologies. Reach out to Delinea for more information about anything you read in this blog. We’re here to help.
