Technical Field
This disclosure relates generally to security within an enterprise computing environment and, in particular, to a policy-based approach to control whether users are permitted access to privileged accounts associated with the enterprise resources.
Background of the Related Art
Every organization that deploys an IT infrastructure has a requirement for privileged users. These privileged users, including system accounts, administrators, managers, and business executives, are typically granted administrative or special rights to manage business-critical resources, such as operating systems, databases, ERP systems, and many other applications, systems, and platforms. A “privileged identity” (or ID) refers to any type of user or account that holds special or extra permissions with respect to a particular resource. A typical example is root on a Unix®-based system, Administrator on a Windows®-based system, dbadmin on a DB2®-based system, and so forth. These types of non-personal accounts may exist on or be associated with virtually any type of enterprise resource. The privileged IDs, which are usually shared among a pool of users, can cause accountability and compliance issues, and they can increase the risk for sabotage and data theft. The trends towards data center consolidation, cloud computing, and virtualization in today's IT infrastructures can create an even greater number of privileged IDs, thereby exacerbating these security concerns. Increased outsourcing trends, where resources are used all over the world with historically high turn-over rates of employees, create an even greater need to centrally manage and secure privileged IDs.
A typical strategy to secure a privileged account identity is to periodically scramble the account password, store the current password securely, and control disclosure of that password to requesters. This type of approach, however, has several difficulties including, without limitation, increased computational and operational overhead (due to the requirement to scramble the password periodically and to propagate the new value to the managed resource), a requirement that only one user at a time may log in using the privileged identity, an inability to consider the particular context associated with an access request (for example, the time of day, the requester's location, or the task being performed), an inability to distinguish whether the entity accessing the account is a person or an automatic/programmatic entity, and an inability to track and audit accurately which user has logged into a particular privileged account.
It is known in the prior art to provide products and services that can help enable an organization to centrally manage and audit a pool of privileged user IDs, which can be checked in and checked out by authorized people when needed. One such commercial offering is the IBM® Integration Services for Privileged Identity Management (also known as the IBM Privileged Identity Management solution). This solution also can be integrated with other identity management and enterprise single sign-on (ESSO) solutions to simplify the user experience. Using these tools, users do not have to manually enter the password associated with the privileged account, which can help keep the organization's privileged user IDs more secure.
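The check-in/check-out model described above, reduced to its essentials, is illustrated by the following added example. It is not code from the IBM offering or from this disclosure; the vault class, the account name "root@db01" and the user names are constructed for illustration. The example rotates (scrambles) the password on every check-in so that a disclosed password is dead once returned, keeps an audit record of each request, and makes visible two of the limitations noted earlier: a second requester is refused while the account is held, and the vault sees only a requester name, so it cannot tell a person from a script.

```python
"""Minimal privileged-account vault with check-out, check-in, rotation and audit.

Added illustration of the check-in/check-out model described in the text;
not the IBM product's code. Account and user names are constructed.
"""
import secrets
import string
import time
from dataclasses import dataclass, field

# Character set used when scrambling a password (assumption for the example).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def scramble_password(length: int = 24) -> str:
    """Generate a fresh random password using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class AuditEvent:
    ts: float
    user: str
    account: str
    action: str  # "checkout", "denied" or "checkin"


@dataclass
class PrivilegedAccountVault:
    _passwords: dict = field(default_factory=dict)  # account -> current password
    _holder: dict = field(default_factory=dict)     # account -> user holding it
    audit: list = field(default_factory=list)

    def register(self, account: str) -> None:
        """Bring a privileged account under management with a scrambled password."""
        self._passwords[account] = scramble_password()

    def checkout(self, user: str, account: str) -> str:
        """Disclose the current password to `user`, unless someone else holds it.

        Note the limitation: `user` is just a label supplied by the caller. The
        vault cannot tell whether a person or an automated job is behind it.
        """
        if account not in self._passwords:
            raise KeyError(f"unknown account {account}")
        holder = self._holder.get(account)
        if holder is not None and holder != user:
            # Only one user at a time may hold the shared identity.
            self.audit.append(AuditEvent(time.time(), user, account, "denied"))
            raise PermissionError(f"{account} is checked out by {holder}")
        self._holder[account] = user
        self.audit.append(AuditEvent(time.time(), user, account, "checkout"))
        return self._passwords[account]

    def checkin(self, user: str, account: str) -> None:
        """Return the account and rotate its password so the disclosed value is dead."""
        if self._holder.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._holder[account]
        # Rotation on check-in; in practice the new value must also be pushed
        # to the managed resource, which is part of the overhead noted above.
        self._passwords[account] = scramble_password()
        self.audit.append(AuditEvent(time.time(), user, account, "checkin"))

    def actions(self) -> list:
        """Return the audit trail as a list of (user, action) pairs."""
        return [(e.user, e.action) for e in self.audit]


def walkthrough() -> dict:
    """Run a constructed scenario and return the observable results."""
    vault = PrivilegedAccountVault()
    vault.register("root@db01")
    first = vault.checkout("alice", "root@db01")
    bob_refused = False
    try:
        vault.checkout("bob", "root@db01")  # alice still holds the account
    except PermissionError:
        bob_refused = True
    vault.checkin("alice", "root@db01")      # rotates the password
    second = vault.checkout("bob", "root@db01")
    return {
        "bob_refused_while_held": bob_refused,
        "password_rotated": first != second,
        "audit": vault.actions(),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The audit trail records who asked for which account and whether the request was granted, but nothing about the context of the request or the nature of the requester; that gap is what the policy-based approach in this disclosure is directed at.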
While systems of this type provide advantages, they do not address the problems identified above.