woettmeier
Copper Contributor
Jan 19, 2021
Solved

The value of PIM without approvals

It seems that for Privileged Identity Management (PIM) to be effective, you would always need to "require approval" for each role. Is there any security benefit to PIM without using this feature? It would seem that if an account is compromised, the bad actor could simply activate the role themselves if no approval is required.

3 Replies

  • Porquemada
    Copper Contributor
    It's security through obscurity and allows the implementer to check the "JIT" and "Privileged Access Management" boxes, without taking any responsibility whatsoever. It is beyond stupid.


    .... IMO.
  • I agree with William Oettmeier. At the least, PIM should be complemented with a robust audit applied to the roles' activation and the activities the privileged roles are performing. A kind of Privileged Access Management.
  • Thijs Lecomte
    Bronze Contributor
    Two advantages IMO:
    - One access is JIT. Sure, an attacker can activate the role, but it's an extra step to make the life of an attacker harder.
    - Auditing. With PIM you have an audit trail of when and why a role was activated.
