This month's topic is a follow-up to the bizarre situation with the rogue Systems Administrator in San Francisco. This e-newsletter deals with how organizations establish Privileged Account Management.
A standard part of the installation process, whether for an operating system, database or application, is the creation of privileged accounts. Like Unix's root and Windows' Administrator accounts, these privileged system accounts are required for the system to function and are routinely used by system administrators to do their jobs: they grant special system privileges that average users never need and that even administrators need only from time to time, when making major changes. However, privileged accounts offer no individual accountability, because they belong to no particular user and are commonly shared among many administrative staff.
Because these accounts carry elevated access rights, anyone who holds them can bypass the internal controls of the target platform. Once those controls are bypassed, the user can read confidential information, change transactions and destroy audited data. Need another reason? The security of privileged accounts is likely at the top of your compliance examiner's concerns. This tip offers an introduction to the latest technology available for managing the security of privileged accounts, along with best practices to consider when developing an implementation strategy.
Privileged account management solutions can help secure these overarching accounts. Such solutions control access to a privileged account by requiring that its password be retrieved (checked out) from the solution and by changing that password afterwards. They can be configured to change the password periodically or every time it is retrieved. Privileged account management solutions also offer two password retrieval modes: interactive and programmatic. With interactive retrieval, the administrator authenticates to the privileged account management portal, receives the privileged account's password, and then logs on to the target platform, for example over telnet or RDP (Remote Desktop Protocol). Conversely, batch jobs, scripts and services check out passwords programmatically. With this method, the privileged account management solution installs middleware locally, which retrieves the credentials on behalf of the batch job or script. In basic use, the privileged account password is removed from the script or batch job and replaced with a few lines of code that retrieve it when needed. Some of the privileged account management vendors include Cloakware Inc., Cyber-Ark and Passlogix Inc.
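To make the check-out-and-rotate mechanism concrete, here is an added Python model of a vault. It is not code from this newsletter or from any of the vendors named above; it assumes a tiny in-memory vault with the two rotation policies described (rotate after every retrieval, or rotate once an interval has elapsed), the two retrieval modes, an entitlement list saying who may retrieve which account, and an audit log. `nightly_backup_job` shows the few lines that replace a password literal in a script. All host names, account names and passwords are constructed.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

_ALPHABET = string.ascii_letters + string.digits

def generate_password(length: int = 24) -> str:
    """Replacement passwords come from the vault, never from a person."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

@dataclass
class PrivilegedAccount:
    name: str                     # "root", "Administrator", ... (constructed labels)
    platform: str                 # host or application that owns the account
    password: str
    last_rotated: datetime
    rotate_on_checkout: bool      # policy 1: change it after every retrieval
    rotation_interval: timedelta  # policy 2: change it once this much time has passed

@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)      # "platform/name" -> account
    entitlements: dict = field(default_factory=dict)  # requester -> set of keys
    audit_log: list = field(default_factory=list)     # retrievals, rotations, denials

    def enroll(self, account: PrivilegedAccount) -> None:
        self.accounts[f"{account.platform}/{account.name}"] = account

    def grant(self, requester: str, key: str) -> None:
        self.entitlements.setdefault(requester, set()).add(key)

    def _log(self, now: datetime, event: str, key: str, **extra) -> None:
        self.audit_log.append({"time": now, "event": event, "account": key, **extra})

    def _rotate(self, key: str, now: datetime, reason: str) -> None:
        # A real product also sets the new password on the target platform;
        # in this model the vault's copy is the only copy.
        self.accounts[key].password = generate_password()
        self.accounts[key].last_rotated = now
        self._log(now, "rotate", key, reason=reason)

    def checkout(self, requester: str, key: str, mode: str, now: datetime) -> str:
        """mode is "interactive" (an administrator at the portal) or
        "programmatic" (middleware acting for a job, script or service)."""
        if mode not in ("interactive", "programmatic"):
            raise ValueError(mode)
        if key not in self.entitlements.get(requester, set()):
            self._log(now, "denied", key, requester=requester)
            raise PermissionError(f"{requester} may not retrieve {key}")
        account = self.accounts[key]
        if now - account.last_rotated >= account.rotation_interval:
            self._rotate(key, now, "interval elapsed")  # periodic policy
        self._log(now, "checkout", key, requester=requester, mode=mode)
        return account.password

    def checkin(self, requester: str, key: str, now: datetime) -> None:
        """The requester is done; under the per-retrieval policy the password
        they were given is retired here."""
        self._log(now, "checkin", key, requester=requester)
        if self.accounts[key].rotate_on_checkout:
            self._rotate(key, now, "checked in")

def nightly_backup_job(vault: Vault, now: datetime) -> str:
    """Programmatic retrieval: the lines that replace a password literal in a
    batch job. Returns the credential used so a caller can inspect the flow."""
    # Before: DB_PASSWORD = "..."  (readable by anyone who can read the script)
    # After:  the job holds an entitlement in the vault, not a secret on disk.
    password = vault.checkout("backup-job", "db01/sys", "programmatic", now)
    # ... connect to db01 with `password` and run the backup ...
    vault.checkin("backup-job", "db01/sys", now + timedelta(minutes=5))
    return password

def run_demo(now: datetime = datetime(2009, 11, 7, 22, 0)) -> dict:
    """Exercise both rotation policies and one unauthorised request."""
    vault = Vault()
    vault.enroll(PrivilegedAccount("root", "web01", "constructed-initial-pw", now,
                                   rotate_on_checkout=True, rotation_interval=timedelta(days=30)))
    vault.enroll(PrivilegedAccount("sys", "db01", "constructed-initial-pw", now - timedelta(days=45),
                                   rotate_on_checkout=False, rotation_interval=timedelta(days=30)))
    vault.grant("alice", "web01/root")
    vault.grant("backup-job", "db01/sys")
    first = vault.checkout("alice", "web01/root", "interactive", now)
    vault.checkin("alice", "web01/root", now + timedelta(hours=1))
    second = vault.checkout("alice", "web01/root", "interactive", now + timedelta(hours=2))
    job_password = nightly_backup_job(vault, now + timedelta(hours=3))
    try:
        vault.checkout("bob", "web01/root", "interactive", now)  # bob has no entitlement
        bob_denied = False
    except PermissionError:
        bob_denied = True
    return {"first": first, "second": second, "job_password": job_password,
            "job_password_current": vault.accounts["db01/sys"].password == job_password,
            "bob_denied": bob_denied, "events": [e["event"] for e in vault.audit_log]}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note the two policies behave differently on purpose: web01/root is rotated the moment alice checks it in, so the password she saw is useless afterwards, while db01/sys is only rotated because it was stale when the job asked for it. Every path, including the refused request from bob, leaves a record in `audit_log`.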
Here are a few key items enterprises should consider when choosing and preparing to implement a privileged account management solution:
Because the target platforms are heterogeneous, programmatic retrieval is generally more challenging to implement than interactive retrieval. Most organizations tackle interactive retrieval first, followed by programmatic retrieval. This approach lets the organization get comfortable with the privileged account management solution.
The introduction of a privileged account management solution can be stressful for the organization because it forces behavioral changes on the system administrators. Some highly distributed environments require that the privileged account management middleware be able to temporarily cache the privileged account password; some solutions have this capability, and some do not. The interruption of nightly processing, or a system administrator's inability to do his or her job because the privileged account is unavailable, is the surest way to kill an integration deployment.
Several privileged account management solutions have provisioning interfaces. A provisioning interface lets the organization provision a system administrator into the privileged account management system while restricting which privileged accounts that administrator can access. When a system administrator changes job function or geographical location, the provisioning system cues the privileged account management solution to change the administrator's access rights.
Most privileged account management tools can strongly authenticate system administrators, typically via a one-time password device or smart card. Many large organizations have already deployed strong authentication to their system administrators. For high identity-assurance environments, it makes sense for an administrator to strongly authenticate to the privileged account management solution.
The privileged account management solution records every retrieval of a privileged account password. In a forensic investigation, however, that record alone does not provide the complete picture. When possible, organizations should integrate the privileged account management system with their security information management (SIM) system, which automates the monitoring of logs from firewalls, IDS/IDP appliances and other devices. The integration gives organizations a 360-degree view: when and by whom the privileged account password was retrieved, as well as the subsequent actions taken with the account on the target platform.
Privileged account management solutions can help control who has access to privileged accounts, but they cannot control what actions are taken with the privileged account once the password is checked out. Organizations should implement controls that limit the damage that privileged accounts, and privileged account users, can do. For example, the Unix sudo utility enables privilege delegation to normal users, which reduces the need to use the privileged account.
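As an added example of the SIM integration item above (not code from this newsletter or from any product), the following Python joins vault audit records with login lines from the target hosts, which is the "when and by whom" view the integration is meant to produce. Both inputs are constructed: the vault export is a small CSV, and the host lines are sshd "Accepted" messages in the RFC 3339 timestamp style rsyslog can emit. A privileged login is attributed to whichever administrator or job held an open check-out for that account at the time; a login with no such check-out (the password was used after check-in, or never checked out at all) is flagged UNATTRIBUTED for investigation.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: what the vault exports and what the hosts forward.
VAULT_AUDIT = """\
time,event,requester,account,mode
2009-11-07T02:10:00,checkout,alice,web01/root,interactive
2009-11-07T02:40:00,checkin,alice,web01/root,interactive
2009-11-07T03:00:00,checkout,backup-job,db01/root,programmatic
"""

HOST_LOGS = """\
2009-11-07T02:12:31+00:00 web01 sshd[1201]: Accepted password for root from 10.0.0.5 port 5122 ssh2
2009-11-07T03:01:04+00:00 db01 sshd[2210]: Accepted password for root from 10.0.0.9 port 40012 ssh2
2009-11-07T05:30:12+00:00 web01 sshd[1388]: Accepted password for root from 10.0.0.77 port 6110 ssh2
2009-11-07T05:31:00+00:00 web01 sshd[1390]: Accepted publickey for deploy from 10.0.0.12 port 6111 ssh2
"""

HOST_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
PRIVILEGED_USERS = {"root", "Administrator"}   # the shared accounts the vault manages

def to_utc_naive(stamp: str) -> datetime:
    """Normalise ISO 8601 stamps, with or without an offset, to naive UTC."""
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc).replace(tzinfo=None)
    return dt

def parse_vault_audit(text: str) -> list:
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = [dict(zip(header, line.split(","))) for line in lines[1:]]
    for rec in records:
        rec["time"] = to_utc_naive(rec["time"])
    return records

def parse_host_logins(text: str) -> list:
    """Keep only successful logins to privileged accounts."""
    events = []
    for line in text.strip().splitlines():
        m = HOST_LINE.match(line)
        if m and m.group("user") in PRIVILEGED_USERS:
            events.append({"time": to_utc_naive(m.group("ts")), "host": m.group("host"),
                           "user": m.group("user"), "src": m.group("src")})
    return events

def attribute_logins(vault_records: list, host_events: list,
                     window: timedelta = timedelta(hours=4)) -> list:
    """Name the person or job holding the password at each privileged login.
    `window` is an assumed maximum check-out lifetime."""
    results = []
    for ev in host_events:
        account = f"{ev['host']}/{ev['user']}"
        holder = "UNATTRIBUTED"
        for rec in vault_records:
            if rec["account"] != account or rec["event"] != "checkout":
                continue
            if not (rec["time"] <= ev["time"] <= rec["time"] + window):
                continue
            # A check-in between the check-out and the login closes the window:
            # the vault should have rotated the password by then.
            closed = any(r["event"] == "checkin" and r["account"] == account
                         and r["requester"] == rec["requester"]
                         and rec["time"] < r["time"] <= ev["time"]
                         for r in vault_records)
            if not closed:
                holder = rec["requester"]
        results.append({**ev, "holder": holder})
    return results

def correlate(vault_text: str = VAULT_AUDIT, host_text: str = HOST_LOGS) -> list:
    return attribute_logins(parse_vault_audit(vault_text), parse_host_logins(host_text))

if __name__ == "__main__":
    for r in correlate():
        flag = "" if r["holder"] != "UNATTRIBUTED" else "  <-- investigate"
        print(f"{r['time']} {r['host']} {r['user']} from {r['src']}: {r['holder']}{flag}")
```

On the constructed data the 02:12 root login on web01 is attributed to alice and the 03:01 login on db01 to the backup job, while the 05:30 root login on web01 is flagged: alice checked the password in at 02:40, so either it was not rotated or someone kept a copy. That third line is exactly the case the vault's own log cannot show on its own.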
There you have it. Enterprises have struggled with the scalable security of privileged accounts for decades. These accounts are created upon installation and are shared by many people in order to do their jobs. These powerful accounts can access sensitive data because they bypass most of the platform's security controls. Today's privileged account management solutions can limit account access to authorized personnel. However, privileged account management products don't provide everything an organization might need in the event of a forensic investigation, so look into SIEM integration, provisioning and similar security tools to complete the job.
To view more articles, or to inquire about an on-site presentation, please feel free to call me at 508-995-4933 or email me at firstname.lastname@example.org.
Until next time.....
Founder & Principal Consultant
Managing Your Security and Risk Needs
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers