IT Operating Environments Best Practices - Govern Penetration Testing environment access with heightened controls appropriate to the security-sensitive nature of PEN activities
Overview
Penetration Testing environment access requires governance controls that are more stringent than those for any other lower environment, for a reason specific to the nature of PEN activities: the individuals who access PEN environments are specifically authorized to simulate adversarial behavior - to exploit vulnerabilities, bypass authentication, escalate privileges, and exfiltrate data. This authorization is appropriate and necessary within the defined scope of the penetration test. It is catastrophic if the same access and authorization are held by individuals whose engagement has concluded, whose scope was broader than intended, or who are not in fact authorized penetration testers. PEN environment access governance failures are not ordinary access control failures - they are failures that place adversarial-level access to sensitive organizational infrastructure in hands that have no legitimate purpose for holding it.
Best Practice
Govern PEN environment access through a formal authorization framework that is distinct from the standard access management process used for other environment tiers. Before any penetration testing engagement begins, require a formal authorization document - a rules of engagement or statement of work - that defines the specific individuals authorized to conduct the testing, the specific systems and environment components within scope, the testing methodologies and techniques permitted, the timeline of the authorization, and the process for expanding or modifying scope during the engagement. Provision PEN environment access only to the individuals named in the authorization document, only for the duration defined in the authorization, and only for the scope defined therein. Revoke all PEN environment access immediately upon conclusion of the engagement, and conduct a post-engagement access audit confirming that no access credentials provisioned for the engagement remain active after revocation. PEN environment access should be fully logged throughout the engagement, with logs retained for a defined period following engagement conclusion.
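As an added illustration of the post-engagement access audit described above (example code written for this page, not an IF4IT artifact), the following Python compares an export of active PEN-environment credentials against the authorization document and reports every credential whose holder is not named, whose access is active outside the authorized timeline, or whose reach exceeds the authorized scope. The data classes, field names, engagement identifier and sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """Rules of engagement / statement of work, reduced to the fields the audit needs (assumed)."""
    engagement_id: str
    testers: frozenset          # individuals named in the authorization document
    in_scope_systems: frozenset  # environment components within scope
    start: date
    end: date


@dataclass(frozen=True)
class Credential:
    """One PEN-environment credential as exported from the access inventory (assumed format)."""
    account: str
    engagement_id: str
    systems: frozenset  # systems this credential can reach
    active: bool


def audit_pen_access(auth, credentials, today):
    """Return (account, reason) findings for active credentials that violate the authorization."""
    findings = []
    for cred in credentials:
        if not cred.active or cred.engagement_id != auth.engagement_id:
            continue  # already revoked, or belongs to another engagement audited against its own document
        if cred.account not in auth.testers:
            findings.append((cred.account, "holder not named in authorization"))
        if today > auth.end:
            findings.append((cred.account, "still active after engagement end"))
        elif today < auth.start:
            findings.append((cred.account, "active before engagement start"))
        out_of_scope = cred.systems - auth.in_scope_systems
        if out_of_scope:
            findings.append((cred.account, "out-of-scope systems: " + ",".join(sorted(out_of_scope))))
    return findings


# Constructed sample data for the example; not taken from any real engagement.
AUTH = Authorization("ENG-2024-03", frozenset({"tester.a", "tester.b"}),
                     frozenset({"pen-web-01", "pen-db-01"}), date(2024, 3, 4), date(2024, 3, 15))
CREDENTIALS = [
    Credential("tester.a", "ENG-2024-03", frozenset({"pen-web-01"}), True),
    Credential("tester.b", "ENG-2024-03", frozenset({"pen-web-01", "prod-db-01"}), True),
    Credential("contractor.x", "ENG-2024-03", frozenset({"pen-db-01"}), True),
    Credential("tester.a", "ENG-2023-11", frozenset({"pen-db-01"}), False),
]


def sample_findings(year, month, day):
    """Run the audit over the sample data as of the given date."""
    return audit_pen_access(AUTH, CREDENTIALS, date(year, month, day))
```

Run `sample_findings(2024, 3, 10)` for a mid-engagement check (one out-of-scope credential and one unnamed holder) and `sample_findings(2024, 3, 20)` for the post-engagement audit, where every still-active credential is additionally flagged as outliving the authorization.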
Benefit(s)
Formal authorization-based governance of PEN environment access ensures that adversarial-level access to the enterprise technology environment is held only by individuals with a legitimate, time-bounded, scope-bounded authorization to hold it. The risk of adversarial access capability persisting after an engagement concludes - through credential exposure, scope creep, or access revocation failure - is controlled through governance mechanisms that are specifically designed for the unique access risk that PEN environments present. The organization can conduct penetration testing with confidence that the security activity itself does not create a residual access risk that outlasts the security value it was conducted to provide.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present