Defining privileged access
A term we commonly encounter in the realm of access management is privileged access. The term seems pretty self-explanatory, but finding a good definition isn’t easy.
In the book Privileged Attack Vectors, Morey Haber defines the term privilege as:
A special right or permission granted, or available only to, a particular person or group to perform special or sensitive operations upon or within a resource. These are typically associated within information technology as administrator or root accounts or groups and any accounts that may have been granted elevated entitlements.
That seems like an acceptable description, but it’s hardly a good definition because neither sensitive operation nor elevated entitlements are well-defined terms.
Do other sources have a more compelling definition to offer?
According to the Australian Cyber Security Centre, privileged access:
… allows administrators to perform their duties such as establishing and making changes to key servers, networking devices, user workstations and user accounts. Privileged access or credentials are often seen as the ‘keys to the kingdom’ as they allow the bearers to have access and control over many different assets within a network.
Heimdal’s definition is even more vague:
A simple definition for privileged access would be that speaking of a corporate context, this embodies those functionalities or types of access that exceed standard user access.
But BeyondTrust suggests that privileged access is related to risk and defines privileged accounts as:
any account that provides access and privileges beyond those of non-privileged accounts. A privileged user is any user currently leveraging privileged access, such as through a privileged account. Because of their elevated capabilities and access, privileged users/privileged accounts pose considerably larger risks than non-privileged accounts / non-privileged users.
CyberArk adds that privileged access also has something to do with maintaining the confidentiality of data and infrastructure:
Privileged access is a term used to designate special access or abilities above and beyond that of a standard user. Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure.
Relating privileged access to risk and confidentiality makes sense: Any access that puts the confidentiality of critical data or systems at risk should be considered privileged.
But speaking of confidentiality – what about the other elements of the CIA triad, integrity and availability?
Tying it back to the CIA triad
Maintaining confidentiality of critical data and systems is crucial, but we also need to worry about their integrity and availability:
- If somebody can delete critical data or shut down important systems, then that compromises availability. Obviously, such access must be considered privileged access too.
- If somebody can modify or tamper with critical data, then integrity is at risk. Again, we must consider such access as privileged.
With that in mind, here’s my take on a definition for privileged access that takes all three elements of the CIA triad into account:
Privileged access is the ability to perform operations that can put the confidentiality, integrity, or availability of business-critical data or systems at risk.
Examples of privileged access include reading sensitive data, changing access permissions, or deleting data.