At UChicago, privileged access management (PAM) is a major service that helps keep UChicago's sensitive data and assets secure. Knowing whom to contact is important, especially when an emergency arises due to an outage, security breach, or an urgent change in assets. This article therefore outlines the key roles and responsibilities of those who support PAM.
Onboarding Roles and Responsibilities
There are multiple steps in the process of onboarding assets into PAM. The following summary table indicates who is responsible for each high-level step. Detailed plans will be followed for each onboarding group.
| Responsibility | Asset Owner | First Level Support | PAM System Administrator | Vendor | Service Owner |
|---|---|---|---|---|---|
| PAM policies | | | | | X |
| Covered assets* | | | | | X |
| Configure system | | | X | | |
| Identify and categorize privileged accounts* | X | | X | | |
| Prioritization of privileged accounts* | X | | X | | |
| Build roadmap* | X | | | | |
| Onboard accounts | | | X | | |
| Set password management | X | | X | | |
| Test password rotation and access | X | | X | | |
| Prepare lower environments (Dev, Test, etc.) | X | | | | |
| Prepare production environments | X | | | | |
| Go-live | | | X | | |
*Description
- Covered assets. Any device or other asset that has been identified as using privileged accounts. For example:
  - Local server/workstation admin accounts
  - Application accounts
  - Help desk/support accounts with higher privileges
  - Mainframe accounts
  - Network administration accounts
  - Database administration accounts
  - Cloud-based admin accounts
  - Privileged business users
  - Service accounts
- Identify and categorize privileged accounts. Each account will need to be attributed to a specific owner(s) and classified into its respective category (e.g., Domain Administrator, Local Server Account, Root Account, Database Account, Service Account, etc.).
- Prioritization of privileged accounts. Determine which accounts are the most important and vulnerable. Examples of our risk criteria include:
  - Likelihood of compromise
  - Potential to jeopardize critical infrastructure
  - Impact on organizational reputation if compromised
  - The risk that privileged accounts could be abused by staff
  - Financial risks if compromised
- Build roadmap. When planning your roadmap, also focus on the following:
  - Eliminate irreversible network takeover attacks
  - Control and secure infrastructure accounts
  - Limit lateral movement
  - Protect credentials for third-party applications
  - Manage *nix SSH keys

  Prioritize the most critical areas to best protect your business, but do not lose sight of these for future initiatives.
Operational Roles and Responsibilities
The following are key responsibilities for groups already operating within PAM.
| Responsibility | Asset Owner | First Level Support | System Administrator | Vendor | Service Owner |
|---|---|---|---|---|---|
| Day-to-day management of activities | X | | | | |
| Triage service requests | | X | | | |
| Backups | | | | X | |
| Disaster recovery plan | X | | X | X | |
| Instance Upgrades | | | | | X |