Many companies fail to adequately monitor superuser accounts that often fall outside the realm of identity management systems. Privileged identity management tools enable organizations to monitor these accounts and change the credentials on targeted platforms. The mechanisms for discovery and changing embedded passwords can be interactive or programmatic. These tools are often integrated with SIEM and identity management systems.
But taking inventory of privileged accounts and monitoring their usage can present unique challenges for senior security management. What are the components of a privileged identity program that reduce risk but still enable system administrators and executives to access the technology and information needed to perform their work without interference?
"What we've seen in all of the privileged identity projects that we've worked on is that fundamentally you really have to start at the very top of the organization," said Philip Lieberman, founder and CEO of Los Angeles-based Lieberman Software, in an interview at the 2014 RSA Conference. "Effectively, the one inhibitor of a successful project is the lack of adoption or resistance from the rank and file of the organization."
That means getting privileged identity management program sponsorship from the CEO and CFO so security professionals can get visibility into the systems, middleware and infrastructure of all parts of the organization, many of which are siloed. According to Lieberman, implementing a successful privileged identity management program involves access to enterprise systems to perform discovery, remediation, delegation, and finally, operations. He also recommended enterprises implement multifactor authentication.
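The discovery step described above, and the monitoring the article opens with, can be illustrated with a small reconciliation routine: it compares a discovery scan of superuser accounts against the roster the identity management system governs, flags accounts that fall outside it or whose credentials are past the rotation window, orders the findings so the low-hanging fruit comes first, and emits each as a JSON line for SIEM ingestion. This is an added example, not code from the article or from Lieberman Software; the host names, accounts, dates and the 90-day rotation policy are constructed sample data.

```python
import json
from datetime import date

# Constructed sample data (hypothetical, not from any real system): what a
# discovery scan of local superuser accounts might report, and which of those
# accounts the identity management system actually governs.
DISCOVERED = [
    {"host": "db01", "account": "root", "last_rotated": "2013-06-01"},
    {"host": "app01", "account": "Administrator", "last_rotated": "2014-02-20"},
    {"host": "app01", "account": "svc_backup", "last_rotated": "2012-11-15"},
    {"host": "web02", "account": "root", "last_rotated": "2014-03-01"},
]
IDM_MANAGED = {("db01", "root"), ("web02", "root")}
MAX_AGE_DAYS = 90  # assumed rotation policy, not from the article


def reconcile(discovered, idm_managed, today, max_age_days=MAX_AGE_DAYS):
    """Compare discovered privileged accounts against the IdM roster.

    Returns one finding per account that is either outside IdM control
    ("unmanaged") or whose credential is older than the rotation window
    ("stale_credential"). Dates are ISO strings (YYYY-MM-DD).
    """
    today_d = date.fromisoformat(today)
    findings = []
    for entry in discovered:
        age = (today_d - date.fromisoformat(entry["last_rotated"])).days
        issues = []
        if (entry["host"], entry["account"]) not in idm_managed:
            issues.append("unmanaged")
        if age > max_age_days:
            issues.append("stale_credential")
        if issues:
            findings.append({"host": entry["host"], "account": entry["account"],
                             "age_days": age, "issues": issues})
    return findings


def prioritize(findings):
    """Low-hanging fruit first: most issues, then the oldest credential."""
    return sorted(findings, key=lambda f: (-len(f["issues"]), -f["age_days"]))


def to_siem_event(finding):
    """Serialize a finding as a one-line JSON event for SIEM ingestion."""
    return json.dumps({"source": "pim-discovery", **finding}, sort_keys=True)


if __name__ == "__main__":
    for f in prioritize(reconcile(DISCOVERED, IDM_MANAGED, "2014-03-15")):
        print(to_siem_event(f))
```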
A common mistake some organizations make is setting unrealistic goals when implementing a privileged identity program, such as immediately attempting to address legacy issues that have occurred over a lengthy period. "You have to prioritize," said Lieberman, who advised security professionals to focus on "harvesting the low-hanging fruit" to secure the organization, and then look at issues that may require architectural changes.