Admin Powers: Too Little, Too Much, or Just Right?

“Privileged accounts” hold the keys to your business. A privileged account is how administrators, typically in the IT organization, log in to everything they manage, like workstations, database servers, routers, firewalls, and countless applications. As their name implies, these privileged accounts have the highest level of access in the organization. In the case of LastPass, they essentially have control over all passwords in use, across the entire business.

What happens when admins have too many or too few privileges, or the admin accounts don’t have the proper oversight? That’s when problems emerge. No matter the size of your business, a measured approach to managing, protecting, and sharing privileged accounts is essential to your security, and your bottom line. And when you choose to deploy a business password manager, flexible admin permissions are also key to a successful deployment and efficient day-to-day management of all passwords.

Balancing Power with LastPass Roles

Not only can a password manager like LastPass help IT organizations provide centralized oversight for privileged accounts, but privileged access to the password manager itself can also be customized for better risk mitigation. Given that LastPass admins can essentially control all users, policies, reports, and, in effect, all passwords, it’s essential that only the right privileges are granted to the right people to do their jobs, and nothing more.

With the recent addition of our new custom admin role, businesses using LastPass can delegate less-privileged LastPass access across the IT organization – or to anyone in the business if needed. That way, less-privileged LastPass admins can still help employees with LastPass and complete basic upkeep tasks from the LastPass admin dashboard, without needing full admin access rights. You don’t have to worry about giving admins too many or too few privileges. With LastPass, businesses can feel confident that all privileged admin accounts are protected and managed, while privileged access to LastPass itself is role-based and secure.

Too Little Admin Power Kills Efficiency

Recognizing that privileged accounts can essentially do or change anything in the business’s IT infrastructure, some businesses may err on the side of having very few privileged admins. In theory, the business may be more secure because it reduces its attack surface to a smaller number of accounts. However, this scenario can have a significant impact on the day-to-day productivity of the organization, and may even create bigger problems down the road.

If only a small handful of people – or, in some cases, just one person – has access to systems for day-to-day maintenance, that small group becomes a bottleneck. They likely have too much to do, with too little time, and are constantly fielding issues from employees, business leaders, and even vendors or contractors, all while juggling new projects and shifting priorities. Plus, if only one person has privileged access, failure to adequately prepare a disaster recovery plan could leave the business stranded without access in a worst-case scenario.

Too Much Admin Power Threatens Security

On the other hand, having too many admins with full access rights is a security nightmare, especially when they are poorly managed. Whether IT is managed in-house or outsourced to other vendors and contractors, too many privileged accounts can increase the business’s attack surface. Privileged accounts are often a critical factor in the 81% of data breaches caused by weak, reused, or compromised credentials*.

A lack of oversight and enforceable policies for privileged accounts means they may be protected by weak or default passwords, shared in a way that loses trackability and accountability, or left active and ripe for abuse after an admin departs. All of these situations can increase the likelihood of a data breach and cause far-reaching damage to the business.

Getting Admin Access Just Right

Given the above, the mismanagement of privileged accounts can be detrimental, even disastrous, for businesses. At best, companies will experience inefficiencies and day-to-day frustrations, and at worst, they’ll experience costly data breaches. It’s key to find the right solutions, like a business password manager, that can help with managing and strengthening privileged accounts.

*As published in Verizon’s 2017 Data Breach Investigations Report