Summary : Millions have been invested in securing the periphery, however little or no investment is made in securing the access to the core of any system i.e. Privileged Identities
A BIG hole in Identity Management
The last decade has seen several debates on Identity Management and the best possible ways to address the growing disconnect in the much interconnected world. While there has been substantial efforts in managing the identities of an organization either with manual processes or recently by implementing IDM technologies, there has been a glaring hole in the approach as most of the identity management solutions are not able to address the challenges posed by privileged accounts.
Privileged accounts such as those of the administrators, allow users to log on and control systems/applications and have unrestricted access to view, alter or extract data/information on those systems. Most organizations have multiple workstations, servers, routers, databases, scripts and applications that require administrative privileges. There are scenarios, where-in many organizations have hundreds or even thousands of privileged accounts and passwords, interestingly in most of the cases, the number of these accounts are more than the end-user accounts. This is further made complex as the passwords of these accounts are mostly shared amongst the limited technical support staff.
If one were to look at the recent security breaches, wherein systems have been hacked and data has been compromised or modified for example: money balance in accounts (saving accounts, debit cards etc). It is abundantly clear that all external/ internal attackers eventually try to acquire access to the privileged accounts. The risk categorization is HIGH, typically for any industry which has business sensitive data and/or customer information.
Insider threat being the biggest challenge, regulators across the world are now demanding granular access controls on the privileged accounts with comprehensive tamper proof logs. References can be found in various standards/guidances. This is pushing beyond the outer boundaries of many existing privilege identity solutions/ technologies, which have only session recording capabilities.
The selection of such evolving technologies is generally a challenge and more so in the case of technologies which encompass the entire IT ecosystem. The critical components of a PAM solution that one needs to carefully assess includes the following:
- The PAM solution must have Plug-n-Play connectors for Operating Systems, Databases, Network devices and Applications.
- The PAM(Privileged Account Management) solution must have Plug-n-Play connectors for Operating Systems, Databases, Network devices and Applications.
- The Password Management module should be robust to ensure that all dependencies like service accounts, task, scripts etc. are systematically managed.
- In the recent past, there has been a requirement to monitor systems offline, especially in distributed environment, where local support on the console is significantly high.
- Solutions having the ability to capture commands should be considered. This would also enhance the capability to provide real time alerts and analytics.
- Flexibility is the key requirement for the IT support staff, thus the solution should not only provide ease of access to the target systems but also ensure that there is no undue overheads for the technical staff. Thus scalability, high availability and ease of deployment is an important aspect.
Source:- This article was also featured in the Secure Magazine 2013 IT Security Edition.
Authored by Nirma Varma – Associate Director
ARCON is a leading technology company specializing in risk control solutions. ARCON offers a proprietary unified governance framework, which addresses risk across various technology platforms. ARCON in the last one decade has been at the forefront of innovations in risk control solutions, with its roots strongly entranced in identifying business risk across industries it is in a unique position to react with innovative solutions/products.
Learn more about us at arconnet.com