Performing an effective privileged access audit requires accurately determining the effective access (i.e. effective permissions) provisioned in the organization's Active Directory, because all privileged user accounts and groups are stored and managed in Active Directory, and all privileged access is provisioned, delegated and controlled from within it.
A 30-Second Primer on Effective Access and Effective Privileged Access
Today, in most organizations, all building blocks of cyber security (e.g. user accounts, computer accounts, security groups etc.) are stored in Active Directory and protected by access control lists (ACLs) that specify who has what privileged access on them. In each ACL, access is specified in the form of permissions that can be allowed or denied to any user or group, directly or indirectly.
Because access can be specified for users and groups, can be allowed or denied, and can be specified directly (explicit) or indirectly (inherited), the actual (effective) access a user has on any building block is determined by the user's effective permissions, i.e. the permissions the user actually ends up with, in light of the collective impact of every permission and its type (Allow, Deny, Explicit, Inherited).
Effective access is thus the actual access that a user has on a building block / IT asset, in light of the collective impact of all permissions and their types (Allow, Deny, Explicit, Inherited) in its ACL.
Effective privileged access is simply effective access that is privileged in nature, i.e. effective access that gives the user restricted (delegated) or unrestricted elevated (administrative) access.
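The following is an added example, not code from this page or from any audit tool it mentions: a small Python model of how effective access falls out of an ACL once group membership and the four permission types are combined. It applies the matching entries in the canonical order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow). The permission bits, account names, group names and ACL are constructed for illustration, and the model leaves out object-specific permissions, ownership and multiple levels of inheritance.

```python
from dataclasses import dataclass

# Constructed permission bits for this model (not the real AD access-mask values).
READ, WRITE, RESET_PW, MODIFY_ACL = 1, 2, 4, 8
NAMES = {READ: "Read", WRITE: "Write", RESET_PW: "ResetPassword", MODIFY_ACL: "ModifyPermissions"}

@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the entry applies to
    allow: bool       # True = Allow, False = Deny
    inherited: bool   # True = inherited from a parent, False = explicit
    mask: int         # permission bits covered by this entry

def expand_groups(user, member_of):
    """Return the user plus every group reached through nested membership."""
    seen, stack = {user}, [user]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def effective_access(user, acl, member_of):
    """Return the permission bits the user actually ends up with."""
    sids = expand_groups(user, member_of)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ordered = sorted((a for a in acl if a.trustee in sids), key=lambda a: (a.inherited, a.allow))
    granted = denied = 0
    for ace in ordered:
        undecided = ace.mask & ~(granted | denied)  # first entry to decide a bit wins
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return granted

def describe(mask):
    return sorted(name for bit, name in NAMES.items() if mask & bit)

# Constructed sample data: nested group membership and the ACL of one user object.
MEMBER_OF = {"alice": ["Helpdesk"], "bob": ["Contractors", "Helpdesk"], "Helpdesk": ["Account Operators L2"]}
ACL = [
    Ace("Account Operators L2", True, True, READ | WRITE | RESET_PW),  # inherited allow
    Ace("Contractors", False, True, WRITE | RESET_PW),                 # inherited deny
    Ace("bob", True, False, RESET_PW),                                 # explicit allow
    Ace("Helpdesk", False, False, MODIFY_ACL),                         # explicit deny
]
```

Calling `describe(effective_access("bob", ACL, MEMBER_OF))` shows that bob can still reset the password: his explicit Allow is evaluated before the inherited Deny on Contractors, which is why reading ACL entries one at a time does not reveal who holds privileged access.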
The 5 Ws of Effective Privileged Access Audit –
What – An Effective Privileged Access Audit is an audit that organizations perform to determine exactly how many privileged users there are in the organization, and identify who they are.
Why – Organizations need to know exactly how many privileged users there are in the organization, and an Effective Privileged Access Audit is the only way to make that determination.
Who – An Effective Privileged Access Audit is generally commissioned by the organization's Executive / IT Leadership Team, and it is generally performed by senior audit / IT personnel.
Where – An Effective Privileged Access Audit is targeted at, and involves determining effective permissions / effective access on, all objects contained in the organization's Active Directory.
When – Considering that 100% of all major recent cyber security breaches (e.g. Snowden, Target, JP Morgan, Sony, Anthem, OPM) involved the compromise of just 1 privileged user, an initial audit should be performed immediately, and subsequently on a quarterly basis, to minimize the possibility of a cyber security incident involving the compromise of a privileged user.
How to Perform an Effective Privileged Access Audit –
Organizations have 3 options to select from to perform an Effective Privileged Access Audit –
Manual Audit – Organizations can attempt to manually and accurately determine effective permissions on every one of the objects (1000s) that exist in the organization's Active Directory.
Semi-Automated Audit – Organizations can use an Active Directory Effective Access Calculator to determine effective privileged access on all Active Directory objects, 1 object at a time.
Fully Automated Audit – Organizations can use an Active Directory Effective Privileged Access Audit Tool to swiftly determine effective privileged access on all Active Directory objects.