SYS-CON MEDIA Authors: Adine Deford, Cynthia Dunlop, Harry Trott, Xenia von Wedel, Peter Silva

News Feed Item

Three Ways CXOs Can Avert Super-User Security Threats with Privileged Account Management

Today, on Cyber Monday, online retailers and banks are bracing for the likelihood of increased data breaches and security threats, while online shoppers are taking extra precautions to protect personal information. Every day, Americans trust that the corporate and government IT systems handling their critical identity information, such as credit card numbers, social security numbers and tax returns, are equipped with appropriate security measures to keep personal data safe. Heightening awareness of potential security risks is an essential step to thwarting malicious attacks. All too often, however, public and private entities must also recognize that even more risky exposure exists when administrative privilege is exploited, regardless whether by external adversaries or internal threats. Quest Software (now part of Dell) has a deep understanding of the problems organizations face when they don’t properly control and audit administrative access and “super-user” accounts.

According to a survey conducted earlier this year at The Experts Conference, an annual gathering of global IT pros co-sponsored by Quest and Microsoft, half of the responding organizations reported that their No. 1 compliance issue is ensuring correct user access rights (including privileged user access). In the case of managing privileged accounts, this challenge intensifies when administrators are given the “keys to the kingdom,” with far-reaching, shared anonymous access rights to vital IT systems. In the private sector, failure to manage access to information and compliance with security mandates can mean lost revenues, failed audits and damage to the brand. In government, managing user access rights represents a high stakes game in which getting out ahead of emerging threats is a matter of national security. To this point, Privileged Account Management is noted in many security standards, including ISO 27001 and NIST 800-53. A new report developed by Enterprise Management Associates, on behalf of Quest, identifies inadequate administrative access controls as “one of the most egregious IT risk gaps in many organizations.”

The report, “Why You Need to Consider Privileged Access Management (And What You May Not Know About It That You Should),” examines some of the most common excuses companies give to justify this oversight, and offers useful insight into how modern Privileged Account Management (PAM) practices and corresponding technology solutions can close the risk gap with flexible policy control, automated workflows and comprehensive reporting to enhance security, achieve compliance and improve efficiency.

To further help CXOs avert these all-to-common security risks, Quest offers three pragmatic tips:

1. Assign individual accountability to super-user activity

Shared and unmanaged administrative access is more than just a bad idea—it’s one of the fastest and easiest ways to expose an organization to undue risk, especially since these super-user accounts typically have extensive power over IT operating systems, applications, databases, etc. With shared accounts, any security or compliance breach can be traced back only to the account, and not to an individual administrator using that account.

A much better approach to risk containment involves granting administrators access rights only to what they need, as they need it, nothing more or less. Credentials should be issued only on an as-needed basis, accompanied by a full audit trail of who used them, who approved the use, what they did with them, as well as how and why they received them – and the password should be immediately changed once the use is completed. The ability to automate and secure this entire process is an effective way to manage administrative access across an entire organization. Similarly, PAM is essential to enabling federal, state and local agencies to work together, and can make or break government-wide information sharing and collaboration.

2. Implement and enforce a “least privilege” security stance for administrative access

Many administrative accounts, including those for Unix root, Windows or Active Directory admin, DBA, etc., provide unlimited permissions within their scope of control, and, when shared, open the door for malicious activity. For example, the widely publicized security breach at Fannie Mae involved an employee who used this type of super-user access to maliciously plant a logic bomb that, if undiscovered, would have crippled the entire organization and compromised the personal and financial information of approximately 1,100 people.

A more prudent approach is to establish a policy that clearly defines what each administrator (or administrator role) can and cannot do with their access. Since this process can be complicated and often difficult to enforce across diverse systems, Quest recommends the addition of granular delegation tools that are optimized for the designated platforms, and integrated with other PAM technologies such as a privilege safe, multifactor authentication or Active Directory bridge.

3. Reduce privileged account management complexity

One of the overarching PAM challenges comes from navigating diverse IT systems, each with their own unique capabilities and requirements for privileged account management. This often results in the use of specialized tools, along with ad-hoc policies and practices to control privileged account access. Unfortunately, this approach frequently complicates the audit process, making it difficult to prove that all access is controlled and that separation-of-duties principles are established and enforced.

For that reason, consolidating disparate systems into a common identity structure creates an environment where a single PAM approach can be readily enforced with greater consistency across a much larger portion of an organization, eliminating errors borne from multi-system complexity, reducing risk and lowering the expense of managing multiple systems. In addition, any consolidation of PAM capabilities under a common management and reporting interface provides enhanced efficiency.

The EMA report referenced above indicates that organizations focused on achieving a high level of discipline in configuration and change management tend to have better outcomes, not only in lower incidences of disruptive security events, but in better IT reliability, less unplanned IT work, more successful IT changes, higher server-to-system administrator ratios, and more IT projects completed on time and within budget.

Quest® One Identity Solutions Centralize and Simplify Privileged Account Management

Quest Software provides a modular, yet integrated, approach to identity and access management, specifically Privileged Account Management that controls insider threats and improves IT efficiency, as it enables organizations to eliminate the dangers of unchecked super-user access, adverse audit findings, direct penalties, and negative press exposure.

Supporting Quotes:

Jackson Shaw, senior director of product management, Quest Software
“Privileged Account Management will be one of the fastest-growing areas of IAM over the next few years, for good reason. Most of the recent high-profile security breaches, including the UBS Paine Webber attack and the City of San Francisco breach, happened due to lack of control over privileged accounts. What’s more, these breaches do not discriminate; they can cause equally horrific damage to any organization, no matter how large or small. It’s time for companies to take note of the severe security risk posed by poor PAM practices, and seek out a comprehensive solution befitting the task. Quest One offers a complete set of PAM capabilities, providing comprehensive controls in a flexible, modular architecture.”

Scott Crawford, Enterprise Management Associates (EMA)
“Poor controls over administrative access have resulted in real damage. PAM capabilities can help mitigate such risks and improve controls, through techniques such as ‘privilege safe’ technologies that deliver a more disciplined approach to control that supports responsible IT governance. Quest helps IT improve performance and reduce support costs by closing one of the most readily managed gaps of all: the weakness exposed when individuals have broad, anonymous, and unmonitored administrative access to the most sensitive capability in IT.”

Supporting Resources:

About Quest Software (now a part of Dell)

Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative technology and services that give them the power to do more. Quest, now a part of Dell’s Software Group, provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit http://www.quest.com or http://www.dell.com.

RSS Feeds:

Technorati Tags:
Quest Software

Dell is a trademark of Dell Inc. Dell disclaims any proprietary interest in the marks and names of others.

Quest, Quest Software, and the Quest logo are trademarks or registered trademarks of Quest Software in the United States and certain other countries. All other names mentioned herein may be trademarks of their respective owners.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
15th Cloud Expo, which took place Nov. 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, expanded the conference content of @ThingsExpo, Big Data Expo, and DevOps Summit to include two developer events. IBM held a Bluemix Developer Playground on November 5 and ElasticBox held a Hackathon on November 6. Both events took place on the expo floor. The Bluemix Developer Playground, for developers of all levels, highlighted the ease of use of Bluemix, its services and functionalit...
Some developers believe that monitoring is a function of the operations team. Some operations teams firmly believe that monitoring the systems they maintain is sufficient to run the business successfully. Most of them are wrong. The complexity of today's applications have gone far and beyond the capabilities of "traditional" system-level monitoring tools and approaches and requires much broader knowledge of business and applications as a whole. The goal of DevOps is to connect all aspects of app...
The 4th International DevOps Summit, co-located with16th International Cloud Expo – being held June 9-11, 2015, at the Javits Center in New York City, NY – announces that its Call for Papers is now open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's large...
SAP is delivering break-through innovation combined with fantastic user experience powered by the market-leading in-memory technology, SAP HANA. In his General Session at 15th Cloud Expo, Thorsten Leiduck, VP ISVs & Digital Commerce, SAP, discussed how SAP and partners provide cloud and hybrid cloud solutions as well as real-time Big Data offerings that help companies of all sizes and industries run better. SAP launched an application challenge to award the most innovative SAP HANA and SAP HANA...
Want to enable self-service provisioning of application environments in minutes that mirror production? Can you automatically provide rich data with code-level detail back to the developers when issues occur in production? In his session at DevOps Summit, David Tesar, Microsoft Technical Evangelist on Microsoft Azure and DevOps, will discuss how to accomplish this and more utilizing technologies such as Microsoft Azure, Visual Studio online, and Application Insights in this demo-heavy session.
When an enterprise builds a hybrid IaaS cloud connecting its data center to one or more public clouds, security is often a major topic along with the other challenges involved. Security is closely intertwined with the networking choices made for the hybrid cloud. Traditional networking approaches for building a hybrid cloud try to kludge together the enterprise infrastructure with the public cloud. Consequently this approach requires risky, deep "surgery" including changes to firewalls, subnets...
DevOps is all about agility. However, you don't want to be on a high-speed bus to nowhere. The right DevOps approach controls velocity with a tight feedback loop that not only consists of operational data but also incorporates business context. With a business context in the decision making, the right business priorities are incorporated, which results in a higher value creation. In his session at DevOps Summit, Todd Rader, Solutions Architect at AppDynamics, discussed key monitoring techniques...
Cultural, regulatory, environmental, political and economic (CREPE) conditions over the past decade are creating cross-industry solution spaces that require processes and technologies from both the Internet of Things (IoT), and Data Management and Analytics (DMA). These solution spaces are evolving into Sensor Analytics Ecosystems (SAE) that represent significant new opportunities for organizations of all types. Public Utilities throughout the world, providing electricity, natural gas and water,...
The security devil is always in the details of the attack: the ones you've endured, the ones you prepare yourself to fend off, and the ones that, you fear, will catch you completely unaware and defenseless. The Internet of Things (IoT) is nothing if not an endless proliferation of details. It's the vision of a world in which continuous Internet connectivity and addressability is embedded into a growing range of human artifacts, into the natural world, and even into our smartphones, appliances, a...
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happe...
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
The Internet of Things is tied together with a thin strand that is known as time. Coincidentally, at the core of nearly all data analytics is a timestamp. When working with time series data there are a few core principles that everyone should consider, especially across datasets where time is the common boundary. In his session at Internet of @ThingsExpo, Jim Scott, Director of Enterprise Strategy & Architecture at MapR Technologies, discussed single-value, geo-spatial, and log time series dat...
An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and asse...
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
SYS-CON Media announced that Centrify, a provider of unified identity management across cloud, mobile and data center environments that delivers single sign-on (SSO) for users and a simplified identity infrastructure for IT, has launched an ad campaign on Cloud Computing Journal. The ads focus on security: how an organization can successfully control privilege for all of the organization’s identities to mitigate identity-related risk without slowing down the business, and how Centrify provides ...