The steps of privileged account management implementation


Mark Diodati, Contributor
07.24.2008


This tip is part of the SearchSecurity.com Identity and Access Management Security School lesson on the 'new school' of enterprise authentication. Visit the New school of enterprise authentication lesson page for additional learning resources.

A standard part of the application installation process -- be it an operating system, database or other application platform -- is the creation of privileged accounts. Similar to Unix's root and Windows' administrator accounts, privileged accounts are required for platforms to function and are frequently used by system administrators to do their jobs, granting special privileges that average users don't need, and that even administrators need only from time to time when making major changes. Privileged accounts, however, have no accountability, as they do not belong to real users and are commonly shared by many people.

So why should you care about these boring, hum-drum privileged accounts? Because these accounts have elevated access rights, meaning those with access can bypass the internal controls of the target platform. Once these controls are bypassed, users can breach confidential information, change transactions and destroy audit data.

Need another reason? The security of privileged accounts is likely at the top of your compliance auditor's concerns. This tip will offer an introduction to the technology available for managing the security of privileged accounts, and best practices to consider when developing an implementation strategy.

What is privileged account management?
Privileged account management products can help secure these overarching accounts. Such products control access to privileged accounts by (1) enforcing the checkout (that is, retrieval) of the account's password and (2) changing the password frequently. The products can be configured to change the password periodically (for example, every few hours) or every time the password is checked out.

Privileged account management products provide two password-checkout modes: interactive and programmatic. With interactive checkout, the system administrator authenticates to the privileged account management portal, receives the privileged account management password, and then logs on to the target platform (examples include telnet and Remote Desktop Protocol). Conversely, batch jobs, scripts and services check out passwords programmatically. With this method, the privileged account management product locally installs middleware, which can retrieve the credentials for the batch job or script. In the basic use case, the privileged account password is removed from the script or batch job and replaced with a few lines of code to retrieve the privileged account password when needed.
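The checkout and rotation behaviour described above, as an added example that is not from the original tip or from any vendor's product. The class, method and account names are hypothetical, and the requester is assumed to have already authenticated to the vault.

```python
import secrets
import time


class PrivilegedAccountVault:
    """Toy in-memory vault; names are hypothetical, not a vendor API."""

    def __init__(self, rotate_on_checkout=True, max_age_seconds=4 * 3600, clock=time.time):
        self.rotate_on_checkout = rotate_on_checkout
        self.max_age_seconds = max_age_seconds  # periodic mode: "every few hours"
        self.clock = clock
        self.accounts = {}   # account -> password, change time, authorized identities
        self.audit_log = []  # (timestamp, requester, account, outcome)

    def enroll(self, account, authorized):
        self.accounts[account] = {"authorized": set(authorized)}
        self._rotate(account)

    def _rotate(self, account):
        # A real product would also set this password on the target platform.
        entry = self.accounts[account]
        entry["password"] = secrets.token_urlsafe(24)
        entry["changed_at"] = self.clock()

    def checkout(self, requester, account):
        now = self.clock()
        entry = self.accounts.get(account)
        if entry is None or requester not in entry["authorized"]:
            self.audit_log.append((now, requester, account, "denied"))
            raise PermissionError(f"{requester} may not check out {account}")
        stale = now - entry["changed_at"] >= self.max_age_seconds
        if self.rotate_on_checkout or stale:
            self._rotate(account)  # passwords from earlier checkouts stop working
        self.audit_log.append((now, requester, account, "checked_out"))
        return entry["password"]


def nightly_backup(vault):
    # Programmatic checkout: the job holds no embedded password, only its identity.
    password = vault.checkout("svc-backup", "root@db01")
    # ... the job would log on to the target platform with `password` here ...
    return bool(password)


if __name__ == "__main__":
    vault = PrivilegedAccountVault()
    vault.enroll("root@db01", authorized={"alice", "svc-backup"})
    vault.checkout("alice", "root@db01")   # interactive checkout by an administrator
    nightly_backup(vault)                  # programmatic checkout by a batch job
    for record in vault.audit_log:
        print(record)
```

The audit log ties each use of the shared account to a named requester, which is the accountability the shared account lacks on its own.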

Privileged account management vendors include Cloakware Inc. (a subsidiary of Irdeto Access B.V.), Cyber-Ark Software Inc., Lieberman Software Corp., Passlogix Inc. and Symark International Inc.

Recommendations

Here are a few key points enterprises should consider when choosing and preparing to implement privileged account management technology.

Enterprises have struggled with the scalable security of privileged accounts for decades. These accounts are created upon installation and are shared by many people in order to do their job. These powerful accounts can access sensitive data because they bypass most of the platform's security controls. Today's privileged account management products can limit account access to authorized personnel. However, privileged account management products don't provide everything an organization might need in the event of a forensic investigation, so look into SEIM, provisioning (or LDAP), and similar security tools to finish the job.

