Self Service PIM

The Affordable Self-Service Privileged Identity Management Solution

In any IT environment, privileged accounts are everywhere: IT administrators, privileged users, external vendors, and business applications all use them to access critical information systems in your network. They are high-value targets for cyber criminals because their elevated permissions allow an attacker to move through multiple servers undetected, to access highly confidential information and to make administrative-level changes to mission-critical applications and systems. Furthermore, when IT admins do not know what employees are doing with their privileges, malicious insiders can abuse their position without anyone noticing. To counter both the external and the internal threat, you need a solution that protects, tracks, and manages all your privileged accounts. Reducing the number of these over-privileged accounts is the first step. Ensuring that privileged access is valid only for a limited period is the next. This is where Self Service PIM comes into play.

SSPIM (Self Service Privileged Identity Management) is a mechanism that lets authorized users elevate their permissions for a limited time. The elevated permissions are obtained through AD/AAD group memberships: the user is temporarily added to a group that already holds the required rights, and the membership is removed again when the requested duration expires. For example, SSPIM can grant users Full Control over an Organizational Unit by adding them to a group that was given that permission (via Delegate Control, for instance). Other examples are obtaining Contributor permissions on an Azure resource, or becoming a Global Administrator on a tenant. SSPIM targets Active Directory Domain Services and Azure AD environments and is based on group memberships. These AD/AAD environments can span multiple forests, domains and tenants.
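To make the on-premises half of this mechanism concrete, the following PowerShell script is an added example (it is not Self Service PIM product code and does not appear on the original page). It grants a user time-bound membership of a group that holds delegated rights, using the Active Directory "Privileged Access Management Feature" (TTL-bound group links, available at the Windows Server 2016 forest functional level), verifies the remaining TTL, and pulls the matching audit event from a domain controller. The forest name `corp.example`, the group `OU-Finance-Admins` and the user `jdoe` are placeholders.

```powershell
# Added example (not Self Service PIM code): time-bound privilege elevation in
# on-premises Active Directory via an expiring group membership.
# Assumed placeholder names: forest "corp.example", group "OU-Finance-Admins"
# (already delegated Full Control over an OU), requesting user "jdoe".
# Requires the ActiveDirectory RSAT module, Windows Server 2016 forest
# functional level, and an account allowed to modify the group's membership.

#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $User,   # sAMAccountName of the requester, e.g. jdoe
    [Parameter(Mandatory)] [string] $Group,  # group carrying the delegated rights
    [int]    $Hours  = 2,                    # length of the elevation window
    [string] $Forest = 'corp.example'        # assumed forest name
)

# 1. One-time prerequisite: the optional feature that enables expiring (TTL) links.
#    Enabling it is irreversible, so check before acting.
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# 2. Sanity checks: the requester exists and is not already a permanent member.
#    Adding a TTL on top of a permanent membership would hide the standing privilege.
$member  = Get-ADUser -Identity $User
$already = Get-ADGroupMember -Identity $Group | Where-Object SamAccountName -eq $User
if ($already) {
    throw "$User is already a member of $Group; refusing to mask a permanent membership with a TTL."
}

# 3. Grant the membership with a time-to-live. AD removes the link by itself when
#    the TTL lapses, and Kerberos tickets issued while the link exists are capped
#    at the remaining TTL, so the elevated group SID ages out with the ticket.
Add-ADGroupMember -Identity $Group -Members $member `
    -MemberTimeToLive (New-TimeSpan -Hours $Hours)

# 4. Verify: list the member value together with its remaining TTL in seconds
#    (rendered as "<TTL=nnnn>,CN=...").
$grp = Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive
$grp.member | Where-Object { $_ -like "*$($member.DistinguishedName)*" }

# 5. Audit: a domain controller logs event 4728 (member added to a security-enabled
#    global group); 4732 and 4756 cover domain-local and universal groups.
#    Pull the matching event so the elevation can be reconciled with the request.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddMinutes(-5)
    } |
    Where-Object { $_.Message -match [regex]::Escape($member.SamAccountName) } |
    Select-Object TimeCreated, Id, Message
```

Run it as `.\Elevate.ps1 -User jdoe -Group OU-Finance-Admins -Hours 2` from a host with the RSAT module and rights on the group. Note the consequence for any self-service design: whatever identity executes step 3, whether an administrator or an automated agent, must itself hold write access to the group's membership, so that identity is a standing privileged credential and needs the same protection and auditing as the accounts it elevates.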

Self Service PIM is comprised of 4 main components:

  • An Admin console to define which users may obtain which privileges, and for how long
  • A cloud-hosted web application through which users request privilege elevation
  • On-premises agent(s) that fulfil elevation requests in on-premises Active Directory
  • A serverless process that fulfils elevation requests on Azure AD tenants (assigning privileges on any Azure AD-integrated application or platform, including Azure subscriptions)

The web application and administrator console are cloud-based SaaS applications and are therefore fully managed by Inetum-Realdolmen. The web application has no direct connection to the customer's infrastructure. The only notable integration with the customer's environment is with the customer's Azure Active Directory tenant, which is used for authentication and authorization.

All privilege elevations are audited, and the audit records can be queried on demand from the Admin console. Administrators can also schedule delivery of audit reports at the interval of their choosing. Self Service PIM can be ordered via the Azure Marketplace.