Why privileged account management is hard to scale
Date: Jun 20, 2014
Many companies do a better job of managing user accounts and passwords than they do of managing the elevated privileges often shared among administrators. According to recent surveys, this gap persists despite the fallout from the high-profile breach of the National Security Agency by Edward Snowden, a former contractor who leaked sensitive information. How can companies securely allow employees to perform tasks that require elevated permissions?
Privileged identity management (PIM) tools enable security professionals to monitor super user accounts and change the credentials on targeted platforms. The mechanisms for discovering and changing embedded passwords can be interactive or programmatic. These tools are often integrated with SIEM and identity management systems.
"There is an entirely different class of identity, known as the super user accounts," said Philip Lieberman, president and chief executive officer of Lieberman Software, in an interview with SearchSecurity at the 2014 RSA Conference. "These are also sometimes called root or administrator, but these are generic accounts. There are also cases where regular user accounts have taken on different attributes or additional power, and in fact have become pseudo super user accounts. [You] would have a user name, which might be associated with a service."
At many organizations, no one is really managing these machine accounts, according to Lieberman, who noted that these identities are used by applications, which do not respond to emails or change their own passwords. In these scenarios, IT and security professionals need to list all of the organization's machines and identities to determine which ones are associated with users, super users and service accounts.
Once the organization has identified these accounts, IT needs to implement a process to manage those identities and figure out where those credentials are being used. In small organizations, this can often be done manually, according to Lieberman. But for enterprises -- especially those that use virtualization -- the task can be a lot harder. Mergers, acquisitions and widespread outsourcing, which can leave contractors holding elevated privileges on multiple systems, have also contributed to a general loss of control and attribution. Privileged identity management at scale can be hard to do, and tools can help automate the discovery and the change process.
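One way to carry out the discovery step described above on a Unix host, as an added example that is not the article's or Lieberman Software's code: parse passwd- and group-format data and sort each account into the classes the article names (user, super user, pseudo super user, service). The sample files, the admin group list and the UID cutoff are constructed assumptions.

```python
# Constructed sample files (not from a real system); this is an added example, not the article's.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:998:998:backup service:/var/lib/backup:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
GROUP = """\
sudo:x:27:alice
users:x:100:alice,bob
"""
# Groups that grant root-equivalent power (assumed list; adjust per distribution).
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
SYSTEM_UID_MAX = 999  # conventional upper bound for system/service UIDs

def parse_passwd(text):  # -> {name: {"uid", "gid", "shell"}}
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts

def parse_group(text):  # -> {user: set of group names}
    members = {}
    for line in text.splitlines():
        if line:
            gname, _pw, _gid, mlist = line.split(":")
            for user in filter(None, mlist.split(",")):
                members.setdefault(user, set()).add(gname)
    return members

def classify(accounts, members):
    """Label each account: super user (UID 0, whatever its name), pseudo super
    user (member of an admin group), service (no login shell or system UID), or user."""
    labels = {}
    for name, acct in accounts.items():
        if acct["uid"] == 0:
            labels[name] = "super user"
        elif members.get(name, set()) & ADMIN_GROUPS:
            labels[name] = "pseudo super user"
        elif acct["shell"].endswith(("nologin", "false")) or acct["uid"] <= SYSTEM_UID_MAX:
            labels[name] = "service"
        else:
            labels[name] = "user"
    return labels

def inventory(passwd_text=PASSWD, group_text=GROUP):
    return classify(parse_passwd(passwd_text), parse_group(group_text))
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/group; the inventory is the starting point for deciding which credentials each application actually uses.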
"Today, most organizations are either trying to do this by hand or they are trying to coerce a vault-type of a solution that is effectively a password spreadsheet that stores this information and then trying to merge scripts together with it, and it is pretty hard to do at scale," said Lieberman.
Security professionals need to have a privileged account management process in place and then have the mechanisms to enforce it.