Many companies feel confident about their identity management security largely because they've protected the perimeter of their organization. They're only partly right. About half of the threats facing today's businesses are internal. In fact, insiders with access to privileged accounts pose a greater risk. They essentially hold the keys to the castle and have endless opportunities to sabotage the organization from within. Even unintentional use of generic passwords can wreak havoc on a business from a security, compliance and liability standpoint. In fact, one of the most common reasons cited for regulatory compliance failure is improper management of privileged identities.
Regulations—from Basel II to Sarbanes-Oxley to Gramm-Leach-Bliley—are coming down hard on organizations that don't safeguard the use of privileged identities. These unprotected passwords pose an often overlooked but very real security threat.
The Unspoken Truth about Privileged Identities
Most organizations have more privileged identities than personal ones. These powerful accounts within critical applications and servers include generic accounts such as administrator on Wintel platforms, root on UNIX systems, DBA passwords, and hard-coded passwords within application scripts. Often organizations simply share the vendor's default password among authorized users. This introduces numerous problems. First, it's very easy for hackers to guess the password and infiltrate the system without being noticed. Since they're logging-in as a privileged user, no one is the wiser. Second, with dozens or even hundreds of individuals using the same generic password in an organization, there's no way to ever trace activities back to one specific user should a problem arise. Third, regulatory bodies require that organizations have a means to identify what individuals and actions are being performed via privileged identities, and that these identities are being safeguarded.
In addition to privileged passwords, embedded application passwords are another growing security concern. When two unattended software applications connect, they need a user name and password, which is stored in clear text or embedded in the software code, configuration file, or script. However, a recent survey found that 42% of enterprises never change these passwords.[1] Not only does this cause serious vulnerabilities, it violates numerous compliance regulations because there is no personalization in place for tracking and auditing individual system access.
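The embedded-credential problem described above is easiest to see in code. The following scanner, added here as an illustration and not part of the original article or any Cyber-Ark product, walks a constructed deployment script and properties file and flags assignments that embed a literal password, while skipping values that are pulled from the environment or a vault at runtime (the file contents, key names and the `vault read` command are all constructed assumptions).

```python
import re
from dataclasses import dataclass

# Constructed sample of an application script and a config file (not real data).
SAMPLE_FILES = {
    "deploy.sh": (
        "#!/bin/sh\n"
        "DB_USER=appsvc\n"
        "DB_PASSWORD='S3cretValue!'\n"                 # literal: flagged
        "PGPASSWORD=\"$(vault read -field=pw db/app)\"\n"  # fetched at runtime: ok
    ),
    "app.properties": (
        "db.url=jdbc:postgresql://db01/sales\n"
        "db.user=appsvc\n"
        "db.password=Winter2007\n"                     # literal: flagged
        "api.password=${API_PASSWORD}\n"               # env reference: ok
    ),
}

# Credential-looking key followed by an assignment and a literal value.
CRED_PATTERN = re.compile(
    r"""^\s*(?P<key>[\w.\-]*(pass(word|wd)?|pwd|secret|token)[\w.\-]*)
        \s*[:=]\s*['"]?(?P<value>[^'"\s#]+)""",
    re.I | re.X,
)
# Values that refer to an external source instead of embedding the secret.
INDIRECT_VALUE = re.compile(r"^\$|^os\.environ|vault|getenv", re.I)


@dataclass
class Finding:
    path: str
    line_no: int
    key: str


def scan_text(path, text):
    """Return one Finding per line that hard-codes a credential value."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRED_PATTERN.match(line)
        if not m:
            continue
        if INDIRECT_VALUE.search(m.group("value")):
            continue  # resolved from env/vault at runtime, not embedded
        findings.append(Finding(path, n, m.group("key")))
    return findings


def scan_files(files):
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out
```

Each finding is a candidate for moving the credential into a managed store; the scanner deliberately reports the key name and location, never the value, so its own output does not become another clear-text copy.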
The Obstacle to Securing Privileged Identities
Companies are losing millions of dollars a year in regulatory fines due to the mismanagement of administrative passwords and clear-text, hard coded credentials in their application code and scripts. The answer seems simple. Just create unique passwords and change them regularly.
However, when you consider the sheer volume of computers and applications in an organization, changing these passwords on a routine basis is nearly impossible without placing an inordinate burden on IT staff. Moreover, the dispersed nature of today's IT environments makes it exceedingly difficult for one group to keep tabs on all new systems and applications, and the associated passwords, in use across the enterprise. According to a recent IDC report, manually changing privileged passwords on a monthly basis would cost more than $500,000 for a typical Fortune 2000 company.[2]
Traditional identity management implementations were not designed for tracking privileged users. They focused on enterprise end users, such as employees and contractors. However, they did not take into account privileged passwords and "identities" of one application accessing another. Ironically, this left the most powerful information sources inadequately protected.
Another common problem that has arisen is the use of legitimate access privileges for unauthorized purposes. A system administrator, for example, might have full access rights so that he can perform specific functions on a sales database, but what if he decided to share that confidential data with a competitor to retaliate against his employer? Or leak unflattering information to the press, harming the company's financial standing? Until recently, a company had little means of preventing such user privileges from being abused.
A Better Alternative
To resolve these challenges, the identity management market has shifted from one focused on reducing help desk costs and password resets to a core information security market that is addressing real regulation, audit, and security questions about who is doing what within an organization's infrastructure and content. As an industry, we need to move towards a more holistic view of identity management by expanding the very definition to include two classes of users: privileged and application identities. Moreover, we need a way to prevent privileged users from misusing their access rights.
Today's more sophisticated identity management systems encompass privileged identity management (PIM) to secure, automate, and audit privileged password accounts and application identities. In this way, organizations are able to provide a strong, unique password for each application, database, and server. PPM systems use multiple security layers such as firewalls, VPN, authentication, access control, encryption, and more. In addition, more sophisticated PPM solutions are enacting "on-demand privileges" as a means to rein in unfettered user rights. To that end, privileged users' rights are granted on an as-needed basis and tracked for auditing purposes. For example, an administrator may be given the right to access a server but not the ability to copy or modify sensitive information housed within it.
Applying Security Best Practices
To gain control over privileged passwords and embedded application passwords, organizations must tackle a host of challenges. However, these issues are not insurmountable. They merely require the application of several best practices. At a base level, any efficient PPM approach should include the ability to:
- Secure and manage all identities across the enterprise, regardless of identity type or requirement.
- Centralize management and enforcement of password management to ease administrative tasks and ensure the organization is applying security measures consistently across the enterprise.
- Audit actions of privileged users so that you know exactly who used a specific password and what they did with it, without having to pore over log files.
- Provide a secure means of protecting password objects (the passwords themselves and their properties) through strong authentication, granular access control, encryption, and auditing.
- Ensure that password properties are dynamic and can be changed by authorized users.
- Ensure automatic password refreshes at regular intervals.
- Provide a streamlined mechanism for disabling passwords immediately when an employee leaves the company.
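The best practices above, and the "on-demand privileges" described earlier, can be expressed as a small model of a privileged-password store. This is an added illustration written for this page, not Cyber-Ark's design or code: it assumes one unique generated secret per target, a check-out that is always attributed to a named user and recorded in an audit trail, rotation once a configurable interval has elapsed, and a leaver process that drops entitlements and rotates every secret the person could have seen. The clock is injectable so rotation can be exercised without waiting.

```python
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


class PrivilegedVault:
    """Toy PIM store: unique secret per target, attributed check-out, rotation, revocation.
    Assumed design for illustration only."""

    def __init__(self, rotation_days=30, now=None):
        self.rotation = timedelta(days=rotation_days)
        self.now = now or datetime.now   # injectable clock (assumption for testing)
        self.targets = {}                # target -> {"secret", "rotated_at"}
        self.users = {}                  # user -> set of targets they may check out
        self.audit = []                  # (timestamp, user, target, event)

    def _new_secret(self, length=24):
        return "".join(secrets.choice(ALPHABET) for _ in range(length))

    def enroll(self, target):
        """Bring a target under management with its own generated password."""
        self.targets[target] = {"secret": self._new_secret(), "rotated_at": self.now()}

    def grant(self, user, target):
        self.users.setdefault(user, set()).add(target)

    def rotate(self, target):
        """Replace the secret; the audit trail records the refresh."""
        self.targets[target] = {"secret": self._new_secret(), "rotated_at": self.now()}
        self.audit.append((self.now(), "system", target, "rotated"))

    def rotate_due(self):
        """Automatic refresh of every secret older than the rotation interval."""
        due = [t for t, r in self.targets.items() if self.now() - r["rotated_at"] >= self.rotation]
        for t in due:
            self.rotate(t)
        return due

    def revoke_user(self, user):
        """Leaver process: drop all entitlements at once and rotate what they could see."""
        for t in self.users.pop(user, set()):
            self.rotate(t)
        self.audit.append((self.now(), user, "*", "revoked"))

    def checkout(self, user, target):
        """Release a secret only to an entitled user; every attempt is attributed and logged."""
        allowed = target in self.users.get(user, ())
        self.audit.append((self.now(), user, target, "checkout" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} is not entitled to {target}")
        return self.targets[target]["secret"]
```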
The sheer volume and complexity of today's computing enterprises make it unfeasible to manage privileged identities manually for much longer. While IT staff may be initially reticent to adopt yet another security measure, ultimately PIM mechanisms will make their lives easier, freeing them of the time-consuming and unrewarding burden of manual password management. By enabling automated processes for managing, auditing, and monitoring privileged identities, businesses are finally able to meet regulatory mandates and prevent system misuse.
[1] Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise, IDC, January 2007.
About the Author
Adam Bosnian is the Vice President of Products, Strategy and Sales at Cyber-Ark Software.