Single Sign on for privileged access
Posted by Ok_Consideration7553@reddit | sysadmin | 5 comments
Hi All, I would like to understand the best practice when using privileged access and single sign on. I understand it's likely better to not have this enabled as it would increase the blast radius if compromised, but on the other side it allows for centralised identity management.
If using SSO you can also limit access via conditional access to certain privileged machines, this is something being considered.
Thanks!
TheFluffiestRedditor@reddit
Been doing this since the mid-noughties. We use different directory servers for admin access and general user access, and different sets of access methods. E.g. all admin access has to originate from this VPN, or network segment.
theoriginalharbinger@reddit
For privileged access? In order of "Must have" to "You probably want":
- MFA
- Contextual access, to include "Is the user on a trusted device," "Has the user passed the requisite behavioral context (like time of day, place of login, etc.)," "is the user on a corporate network?", or however you choose to lock this down. If you're making dramatic ops changes, "On corporate laptop while on corporate network" is fairly common.
- Transient/ephemeral access, which codes as "Is there an outstanding ticket, claim, or other request that requires this user have access to this resource at this time?" This almost always goes alongside some kind of governance platform, in which some level of approver "approves" access for the change control window or the underlying ticket is closed, whichever comes first.
You should be using SSO for privileged access. Separate creds/accounts for privileged access just means double the attack surface, especially when privileged users are rarely logging on and need to reset their credentials for privileged operations.
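The three checks in the list above, evaluated in the order given (MFA, then device/network context, then an open approved ticket whose change window covers the request), as an added Python illustration; it is not code from any commenter or product, and the resource name, ticket id, MFA method labels and change window are constructed:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PHISHING_RESISTANT = {"fido2", "certificate"}  # assumed method labels

@dataclass
class Ticket:
    ticket_id: str
    resource: str
    window_start: datetime
    window_end: datetime
    approved: bool = False
    closed: bool = False

@dataclass
class Request:
    user: str
    resource: str
    at: datetime
    mfa_method: str             # "fido2", "certificate", "totp", "none", ...
    trusted_device: bool
    corporate_network: bool
    tickets: list = field(default_factory=list)

def evaluate(req: Request) -> tuple[bool, str]:
    """Apply the checks in the order the post lists them; first failure wins."""
    # Must have: MFA, and phishing-resistant MFA for privileged roles
    if req.mfa_method not in PHISHING_RESISTANT:
        return False, "deny: phishing-resistant MFA required"
    # Contextual access: corporate device while on the corporate network
    if not (req.trusted_device and req.corporate_network):
        return False, "deny: untrusted device or off-network"
    # Ephemeral access: an approved, still-open ticket whose window covers now
    # (access ends when the window closes or the ticket is closed, whichever first)
    for t in req.tickets:
        if (t.resource == req.resource and t.approved and not t.closed
                and t.window_start <= req.at <= t.window_end):
            return True, f"allow: ticket {t.ticket_id}"
    return False, "deny: no approved ticket covers this resource now"

# Constructed sample: a two-hour change window on a constructed resource
NOW = datetime(2024, 6, 1, 14, 0, tzinfo=timezone.utc)
CHG = Ticket("CHG-0001", "prod-db-admin", NOW - timedelta(hours=1),
             NOW + timedelta(hours=1), approved=True)
GOOD = Request("alice", "prod-db-admin", NOW, "fido2", True, True, [CHG])
LATE = Request("alice", "prod-db-admin", NOW + timedelta(hours=3),
               "fido2", True, True, [CHG])
TOTP = Request("bob", "prod-db-admin", NOW, "totp", True, True, [CHG])

if __name__ == "__main__":
    for r in (GOOD, LATE, TOTP):
        print(r.user, evaluate(r))
```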
8gxe@reddit
You use SSO + MFA + CA on privileged admin accounts. You DON'T for break glass.
Ok_Consideration7553@reddit (OP)
Thanks for your advice. So you believe the risk of enabling SSO for a privileged account that can access other privileged services is acceptable when paired with MFA and CA policies in place?
Substantial_Crazy499@reddit
It’s not a belief…it’s best practice, especially to target these accounts with stronger authentication (phishing-resistant FIDO2/cert-based auth for example) and something like PIM to provide access requests and “just in time” access.