At the primitive level, most privileges are associated with a user identifier and a reuseable password. In order to provide coverage, these are often known to and used by multiple parties with a subsequent loss of accountability, just where we need it most.
However, there are solutions, called Privileged Access Management (PAM) packages, that can be used to provide some automated control and accountability over these users. These applications work by acting as proxies for the privileged controls, hiding them, controlling access to them, and recording their use. Instead of connecting directly to the privileged controls, the administrator connects to the proxy which then connects him to the privileged control.
These packages may provide:
- hiding of all privlleged controls
- strong authentication of privileged users
- management control over the granting and withdrawing of privileges
- logging of all connections, events, and uses, content.
- multi-party controls (two or more people must cooperate)
- restriction of use to a time of day or shift
- restriction of use to specified (e.g., supervised) locations (e.g., device, network address, VPN, VLAN)
- restriction to a single user at a time (checkout/checkin)
The PAM becomes the sole process with access to the privileges and uses them on behalf of its user as directed by management or policy.
If your enterprise, network, system, or application has only one privileged user or administrator, then you have good accountability; whatever was done, that person did it. However, that will apply to only very small enterprises. Everyone else should be using a Privileged Access Manager. There are now dozens on the market. Choosing the right one will require some effort but the usual sources (e.g., Gartner, Capterra, Solutions Review) will assist you.