This tip is part of the SearchSecurity.com Identity and Access Management Security School lesson on the 'new school' of enterprise authentication . Visit the New school of enterprise authentication lesson page for additional learning resources.
A standard part of the application installation process -- be it an operating system, database or other application platform -- is the creation of privileged accounts. Similar to Unix's root and Windows' administrator accounts, privileged accounts are required for platforms to function and are frequently used by system administrators to do their jobs, granting special privileges that average users don't need, and that even administrators need only from time to time when making major changes. Privileged accounts, however, have no accountability, as they do not belong to real users and are commonly shared by many people.
Mark Diodatisenior analyst, Burton Group
So why should you care about these boring, hum-drum privileged accounts? Because these accounts have elevated access rights, meaning those with access can bypass the internal controls of the target platform. Once these controls are bypassed, users can breach confidential information, change transactions and destroy audit data.
Need another reason? The security of privileged accounts is likely at the top of your compliance auditor's concerns. This tip will offer an introduction to the technology available for managing the security of privileged accounts, and best practices to consider when developing an implementation strategy.
What is privileged account management?
Privileged account management products can help secure these overarching accounts. Such products control access to privileged accounts by (1) enforcing the checkout (that is, retrieval) of the account's password and (2) changing the password frequently. The products can be configured to change the password periodically (for example, every few hours) or every time the password is checked out.
Privileged account management products provide two password-checkout modes: interactive and programmatic. With interactive checkout, the system administrator authenticates to the privileged account management portal, receives the privileged account management password, and then logs on to the target platform (examples include telnet and Remote Desktop Protocol). Conversely, batch jobs, scripts and services check out passwords programmatically. With this method, the privileged account management product locally installs middleware, which can retrieve the credentials for the batch job or script. In the basic use case, the privileged account password is removed from the script or batch job and replaced with a few lines of code to retrieve the privileged account password when needed.
Privileged account management vendors include Cloakware Inc. (a subsidiary of Irdeto Access B.V.), Cyber-Ark Software Inc., Lieberman Software Corp., Passlogix Inc. and Symark International Inc.
Here are a few key points enterprises should consider when choosing and preparing to implement privileged account management technology.
- Start Slowly -- Due to the heterogeneous nature of the target platforms -- as well as the multiplicity of languages and shells -- programmatic checkout is generally more challenging to implement as compared to interactive checkout. Most organizations tackle interactive checkout first, followed by programmatic checkout. This approach enables the organization to get comfortable with the privilege account management system.
- Make the technology available -- The introduction of the privileged account management product can be stressful to the organization because it forces behavioral changes on the system administrators. Make sure that the product is highly available. Some highly distributed environments require that the privileged account management middleware have the capability to temporarily cache the privileged account password. Some products have this capability, and some do not. The interruption of nightly processing, or the inability of a system administrator to do his job because of the privileged account's unavailability, is the surest way to kill a deployment.
- Integrate with the provisioning system -- Several of the privileged account management products have provisioning interfaces. A provisioning interface enables the organization to provision a system administrator to the privileged account management system, while also restricting the privileged accounts accessible to a system administrator. When a system administrator changes his or her job function or geographical location, the provisioning system will cue the privileged account management system to change the system administrator's access rights.
- Use strong authentication -- Most privileged account management tools support the ability to strongly authenticate system administrators, typically via one-time password device or smart card. Many large organizations have already deployed strong authentication to their system administrators. For high identity-assurance environments, it makes sense for system administrators to strongly authenticate to the privileged account management system.
- Integrate with the security information management (SIM) system -- The privileged account management system records the checkout of privileged account passwords. However, in a forensic investigation, the system does not provide the complete picture. When possible, organizations should integrate the privileged account management system with the SIM system, which automates the process of monitoring logs from firewalls, IDSes and other devices. The integration enables organizations to have a 360º view of when (and by whom) the privileged account password was checked out, as well as the subsequent actions taken by the account on the target platform.
- Implement more controls -- Privileged account management systems can help control who has access to privileged accounts, but they cannot control what actions are taken with the privileged account once the password is checked out. Organizations should implement controls that limit the damage that privileged accounts (and privileged account users) can do. For example, the Unix sudo utility enables privilege delegation to normal users, which reduces the need to use the privileged account. Unix security products from CA Inc. and Symark Software Inc. can also minimize the privilege of Unix accounts.
Enterprises have struggled with the scalable security of privileged accounts for decades. These accounts are created upon installation and are shared by many people in order to do their job. These powerful accounts can access sensitive data because they bypass most of the platform's security controls. Today's privileged account management products can limit account access to authorized personnel. However, privileged account management products don't provide everything an organization might need in the event of a forensic investigation, so look into SEIM, provisioning (or LDAP), and similar security tools to finish the job.
For more IAM info
- Check out other lessons in our Identity and Access Management School.