[November 26, 2012]
Three Ways CXOs Can Avert Super-User Security Threats with Privileged Account Management
ALISO VIEJO, Calif. --(Business Wire)--
Today, on Cyber Monday, online retailers and banks are bracing for the
likelihood of increased data breaches and security threats, while online
shoppers are taking extra precautions to protect personal information.
Every day, Americans trust that the corporate and government IT systems
handling their critical identity information, such as credit card
numbers, social security numbers and tax returns, are equipped with
appropriate security measures to keep personal data safe. Heightening
awareness of potential security risks is an essential step to thwarting
malicious attacks. All too often, however, public and private entities
must also recognize that even more risky exposure exists when
administrative privilege is exploited, regardless of whether by external
adversaries or internal threats. Quest
Software (now part of Dell) has a
deep understanding of the problems organizations face when they don't
properly control and audit administrative access and "super-user"
accounts.
According to a survey conducted earlier this year at The
Experts Conference, an annual gathering of global IT pros
co-sponsored by Quest and Microsoft, half of the responding
organizations reported that their No. 1 compliance issue is ensuring
correct user access rights (including privileged user access). In the
case of managing privileged accounts, this challenge intensifies when
administrators are given the "keys to the kingdom," with far-reaching,
shared anonymous access rights to vital IT systems. In the private
sector, failure to manage access to information and compliance with
security mandates can mean lost revenues, failed audits and damage to
the brand. In government, managing user access rights represents a high
stakes game in which getting out ahead of emerging threats is a matter
of national security. To this point, Privileged Account Management is
noted in many security standards, including ISO 27001 and NIST 800-53. A
new report developed by Enterprise Management Associates, on behalf of
Quest, identifies inadequate administrative access controls as "one of
the most egregious IT risk gaps in many organizations."
The report, "Why
You Need to Consider Privileged Access Management (And What You May Not
Know About It That You Should)," examines some of the most common
excuses companies give to justify this oversight, and offers useful
insight into how modern Privileged Account Management (PAM) practices
and corresponding technology solutions can close the risk gap with
flexible policy control, automated workflows and comprehensive reporting
to enhance security, achieve compliance and improve efficiency.
To further help CXOs avert these all-too-common security risks, Quest
offers three pragmatic tips:
1. Assign individual accountability to super-user activity
Shared and unmanaged administrative access is more than just a bad
idea; it's one of the fastest and easiest ways to expose an organization
to undue risk, especially since these super-user accounts typically have
extensive power over IT operating systems, applications, databases, etc.
With shared accounts, any security or compliance breach can be traced
back only to the account, and not to an individual administrator using
that account.
A much better approach to risk containment involves granting
administrators access rights only to what they need, as they need it,
nothing more or less. Credentials should be issued only on an as-needed
basis, accompanied by a full audit trail of who used them, who approved
the use, what they did with them, as well as how and why they received
them - and the password should be immediately changed once the use is
completed. The ability to automate and secure this entire process is an
effective way to manage administrative access across an entire
organization. Similarly, PAM is essential to enabling federal, state and
local agencies to work together, and can make or break government-wide
information sharing and collaboration.
2. Implement and enforce a "least privilege" security stance for administrative access
Many administrative accounts, including those for Unix root, Windows or
Active Directory admin, DBA, etc., provide unlimited permissions within
their scope of control, and, when shared, open the door for malicious
activity. For example, the widely
publicized security breach at Fannie Mae involved an employee who
used this type of super-user access to maliciously plant a logic bomb
that, if undiscovered, would have crippled the entire organization and
compromised the personal and financial information of approximately
1,100 people.
A more prudent approach is to establish a policy that clearly defines
what each administrator (or administrator role) can and cannot do with
their access. Since this process can be complicated and often difficult
to enforce across diverse systems, Quest recommends the addition of
granular delegation tools that are optimized for the designated
platforms, and integrated with other PAM technologies such as a
privilege safe, multifactor authentication or Active Directory bridge.
3. Reduce privileged account management complexity
One of the overarching PAM challenges comes from navigating diverse IT
systems, each with their own unique capabilities and requirements for
privileged account management. This often results in the use of
specialized tools, along with ad-hoc policies and practices to control
privileged account access. Unfortunately, this approach frequently
complicates the audit process, making it difficult to prove that all
access is controlled and that separation-of-duties principles are
established and enforced.
For that reason, consolidating disparate systems into a common identity
structure creates an environment where a single PAM approach can be
readily enforced with greater consistency across a much larger portion
of an organization, eliminating errors born of multi-system
complexity, reducing risk and lowering the expense of managing multiple
systems. In addition, any consolidation of PAM capabilities under a
common management and reporting interface provides enhanced efficiency.
The EMA report referenced above indicates that organizations focused on
achieving a high level of discipline in configuration and change
management tend to have better outcomes, not only in lower incidences of
disruptive security events, but in better IT reliability, less unplanned
IT work, more successful IT changes, higher server-to-system
administrator ratios, and more IT projects completed on time and within
budget.
Quest® One Identity Solutions Centralize and Simplify Privileged Account Management
Quest Software provides a modular, yet integrated, approach to identity
and access management, specifically Privileged Account Management that
controls insider threats and improves IT efficiency, as it enables
organizations to eliminate the dangers of unchecked super-user access,
adverse audit findings, direct penalties, and negative press exposure.
Supporting Quotes:
Jackson Shaw, senior director of product management, Quest Software: "Privileged
Account Management will be one of the fastest-growing areas of IAM over
the next few years, for good reason. Most of the recent high-profile
security breaches, including the UBS Paine Webber attack and the City of
San Francisco breach, happened due to lack of control over privileged
accounts. What's more, these breaches do not discriminate; they can
cause equally horrific damage to any organization, no matter how large
or small. It's time for companies to take note of the severe security
risk posed by poor PAM practices, and seek out a comprehensive solution
befitting the task. Quest One offers a complete set of PAM capabilities,
providing comprehensive controls in a flexible, modular architecture."
Scott Crawford, Enterprise Management Associates (EMA): "Poor
controls over administrative access have resulted in real damage. PAM
capabilities can help mitigate such risks and improve controls, through
techniques such as 'privilege safe' technologies that deliver a more
disciplined approach to control that supports responsible IT governance.
Quest helps IT improve performance and reduce support costs by closing
one of the most readily managed gaps of all: the weakness exposed when
individuals have broad, anonymous, and unmonitored administrative access
to the most sensitive capability in IT."
About Quest Software (now a part of Dell)
Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative
technology and services that give them the power to do more. Quest, now
a part of Dell's Software Group, provides simple and innovative IT
management solutions that enable more than 100,000 global customers to
save time and money across physical and virtual environments. Quest
products solve complex IT challenges ranging from database management,
data protection, identity and access management, monitoring, user
workspace management to Windows management. For more information, visit http://www.quest.com
or http://www.dell.com.
Dell is a trademark of Dell Inc. Dell disclaims any proprietary
interest in the marks and names of others.
Quest, Quest Software, and the Quest logo are trademarks or
registered trademarks of Quest Software in the United States and certain
other countries. All other names mentioned herein may be trademarks of
their respective owners.
