manage privileged accounts or privileges themselves?

Interesting article on privileged account management at SC magazine. whenever i read about this i can’t help thinking there’s a problem with the model. i think of it like a house. and password vaults, the primary vehicle for privileged account management, are a place you store the keys to the house. but once you’re inside, you could walk over to the priceless vase on the mantle and knock it over. the better model is to control the access at the level of individual entitlements – don’t give someone root, give them the ‘restart webserver’ right. it’s like having them in the house and allowed to look at the vase but not touch. the analogy always breaks down there unless you invoke crazy glue, though. but i bet you get the point.

of course, i can feel dimikagi getting ready to chide me that managing stuff at the individual entitlement level requires a previously sophisticated and mature approach to get right. and that’s correct. but most organizations could easily identify many use cases where they have whole communities of people getting access to privileged accounts just to run one command – the classic use case where every DBA has the oracle account just to restart the network listener for the database. so i think there could be some very easy things to knock off the list in even the most chaotic shop. otherwise we’d all have to take the nice things off the mantle or stop letting in guests all together.