When I think about managing identities and privileges within an organisation, one of my favorite analogies for the whole privileged identity lifecycle is biblical. Everything starts 'in the beginning' with a super user. Whether someone starts with a server or a workstation, creates on-premise solutions for their network infrastructure or builds out a cloud, they'll always have to start out with an account with god-like power that will control all other accounts accessing that resource going forward in the future.

Now, if you were not there at the set-up of new resources, you'd probably be unaware that there was a super-user account created at the genesis. But that super-user account never goes away and in most cases is used day-to-day, either by someone or something (either applications or automated systems). As time goes on, the knowledge of these super-users accounts, where they are, how they're being used and so on, gets lost. Just as the history of how the bible originated is a mystery to most people except for scholars, so it goes with privileged identities.

As time goes on, things change in the world of IT and, again, most people don't understand the implications. Add new appliances, switches, routers and software and new root accounts pop up. Blend that in with new super-user accounts for things like intrusion detection devices, antivirus systems or DLP and you get a whole new layer of privileges added to the environment. People don't really think about it, they simply interact with it at the user level and the environment continues to evolve and morph.


But when auditors and regulators come in and ask 'Who created all of this?' and ‘Who has access to these accounts?’, you've got a good old fashioned debate on par with creationism and evolution; because there’s no one still around who can answer where the accounts came from and no records detailing who can access them.

Mining the infrastructure with privileged identity management

So where does privileged identity management play in this metaphor? I like to think of it like being the archeologist of the bunch. When you're managing these identities, your job is to go out and mine the infrastructure, looking for 'fossils,' or those clues that provide your organisation with a view of where those god-like accounts are, how they're being used and what they're being used to do.