Ever been told that a “Static” admin account is a vulnerability?
The Claim: if every technician has a unique account for every client site, domain, tenant, or local machine they need to access, then each of those accounts is an opportunity for compromise. Instead of safeguarding access to one privileged account, you now have to protect hundreds, potentially thousands, of possible points of entry for a bad actor.
The Effect: This has led to the misguided belief that minimizing the total number of admin accounts reduces the attack surface available to bad actors.
The Risk: The alternative to a unique account for every technician, everywhere they need access, almost always results in some form of account sharing. Too many eggs end up in one basket, traceability is fuzzy at best (a shared account's audit trail cannot tell you which technician actually did what), and both security and operational problems follow.
The Strawman: An account is not, by itself, the mechanism that grants a user access to the site or system it belongs to; the CREDENTIALS and PRIVILEGES attached to that account are. We posit that rather than eliminating privileged accounts to reduce attack surface, what is really needed is automation that manages not only the creation and distribution of admin accounts but also the credentials and privileges of those accounts. Reduce standing privilege and access, NOT the number of privileged accounts.
WHAT IF:
→ a Technician’s credentials are only known to them in the exact moment they need them? Just-in-Time?
→ those credentials will only be valid for a very narrow window of time? Changed… Just-in-Time?
→ the account is only granted any privilege exactly when the Technician needs those privileges? Just-in-Time?
Now we have dramatically shrunk the attack surface associated with the privileged account by making it temporal: a credential is only useful inside its narrow window, so almost as soon as one of these accounts' credentials is stolen, it is useless to the bad actor. The remaining exposure is the window itself, which is why the window should be short and why the password rotation and privilege removal at its end must happen automatically rather than depend on a technician remembering to clean up.
Just as a car isn't going anywhere without keys and a battery, an admin account with no known credentials and its privileges stripped away grants access to nothing and no one.
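As an added illustration (this is not TechIDManager's code and was not part of the original post), here is the Just-in-Time lifecycle described above implemented for a single local Windows machine with the built-in Microsoft.PowerShell.LocalAccounts cmdlets: a unique, standing account per technician that normally sits disabled with no privilege and an unknown password; a fresh password and Administrators membership issued only when work starts; and both revoked when the window closes. The account name, the 'Administrators' group and the window length are assumptions chosen for the demonstration; a real broker would run the same three steps against every domain, tenant or client site a technician is entitled to.

```powershell
# Added example, not TechIDManager's code. Run in an elevated PowerShell session.
# Names, group and window length below are assumptions for illustration only.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, Base64-encoded: 32 characters of mixed case,
    # digits and symbols that no person ever chose or saw.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Initialize-TechnicianAccount {
    # The unique account exists at all times, but in its resting state it is
    # disabled, holds no privileged group membership and has a password nobody knows.
    param([Parameter(Mandatory)][string]$Name)
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $secret -Description 'JIT technician account' `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
    } else {
        Set-LocalUser -Name $Name -Password $secret
    }
    Disable-LocalUser -Name $Name
    if (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

function Grant-JitLocalAdmin {
    # Just-in-Time grant: a credential that only now comes into existence and a
    # privilege that only now is attached, both tied to the returned expiry time.
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Minutes = 30
    )
    $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-LocalUser -Name $Name -Password $secret                  # credential known only now
    Enable-LocalUser -Name $Name
    Add-LocalGroupMember -Group 'Administrators' -Member $Name   # privilege granted only now
    [pscustomobject]@{
        Credential = [pscredential]::new($Name, $secret)
        ExpiresAt  = (Get-Date).AddMinutes($Minutes)
    }
}

function Revoke-JitLocalAdmin {
    # End of window: strip the privilege, rotate the password to a value nobody
    # holds, and disable the account. A password captured earlier is now useless.
    param([Parameter(Mandatory)][string]$Name)
    Remove-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
    Set-LocalUser -Name $Name -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    Disable-LocalUser -Name $Name
}

# Example session (account name is an assumption for this demonstration).
$tech = 'jit-asmith'
Initialize-TechnicianAccount -Name $tech
$grant = Grant-JitLocalAdmin -Name $tech -Minutes 15
try {
    # Hand $grant.Credential to the technician's tooling for this job only, e.g.
    #   Start-Process powershell.exe -Credential $grant.Credential
    Write-Host "Admin rights for $tech valid until $($grant.ExpiresAt)"
    # ... the technician's work happens here ...
}
finally {
    Revoke-JitLocalAdmin -Name $tech   # the broker must also fire this at $grant.ExpiresAt unattended
}
```

Two checks a practitioner should add before trusting this in production. First, the revoke must be enforced by the broker on a timer (or a scheduled task created at grant time), not only by the try/finally in the technician's own session, or a crashed or abandoned session leaves the privilege standing. Second, Windows evaluates group membership at logon and a password change does not end an existing session, so a logon token obtained inside the window keeps its Administrators SID until that session is logged off; the revoke step should therefore also terminate any live sessions for the account (for example with `quser` and `logoff`) rather than assume the rotation alone closes the door.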
Properly managing a unique privileged account for every technician is a necessity, and creating and maintaining those accounts by hand is a substantial time commitment without automation. This is where TechIDManager steps in. Book a demo with us and see what TechIDManager would mean to you!