As nearly every enterprise expands its digital architecture, managing multiple clouds and operating systems, distributed and variable applications, and the versions of all of them is becoming increasingly hard. The more systems and applications, the greater the complexity.
IT is hard enough, especially now that teams are also dealing with a steep rise in remote workers while working remotely themselves. How can stressed-out IT and OT teams provision and manage every endpoint on the network – and every privileged user?
How can the C-Suite, including the CISO and compliance department, understand and control who is doing what, on which server, and why?
Out of frustration, limited resources, and the uncertainty of the moment, IT teams have naturally resorted to shared privileged accounts, with a single password known to every administrator of those systems.
Makes sense – right? With a common password, every admin knows the root password for all servers and can log in to any of the servers to perform any task.
But experts caution that this creates an unacceptable level of risk and can lead to major compliance violations, especially given increasing and increasingly sophisticated threats.
We caught up with Ali Gomulu, an expert in this area, and a Solutions Architect at Ironsphere (a Privileged Access Management solution provider), to learn what he is seeing in this “next normal” environment.
“Applications and systems with privileged access can do more harm than good, should an insider turn malicious and go rogue,” Gomulu explained. “This unacceptable risk exists for any organization in which privileged user passwords are shared.”
Gomulu described a typical scenario where root, administrator, super user, and domain admins have unlimited access when given privileged accounts. “While we all wish to trust colleagues, we are now in a Zero Trust world, and with multiple users using the same account ID and password, there is zero accountability. In this setting, privileged accounts threaten the organization because these accounts can lead to exfiltration of personal data, the completion of unauthorized transactions and can lead to catastrophic events, including denial-of-service attacks. We’ve even seen cases where a super user takes nefarious actions, then hides that activity by deleting audit data.”
Until now, Gomulu explained, it has been difficult or even impossible to automate and centralize this, especially in large organizations, which are often decentralized.
“The benefits of automation—savings of time and reduction of errors—are obvious, but until now, doing customized coding to unify has been costly, complicated, and impractical. We have been developing frameworks for years to automate and simplify having to manage across so many disparate parts, but our clients understand the urgency: generic administrative IDs and password sharing create disasters ready to happen.”
Gomulu says the demand is being driven by an array of compliance legislation, including GLBA, HIPAA, PCI, SOX, and others, mandating that the enterprise be able to prove it has control over its privileged users by tracking everything those users do. Failure to comply can lead to hefty penalties.
“The use of all privileged accounts must be audited on a regular basis, and the audit logs must reside on a separate computer from the one being audited, so the privileged user does not have rights to change the stored audit logs,” Gomulu said, “but when a motivated bad actor understands the value of what he or she may steal or enable an outsider to steal, they have found workarounds and have altered records.”
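The requirement Gomulu describes, that audit logs live on a machine the privileged user cannot write to and that alterations be detectable, can be backed by a tamper-evident log on the collector. The following is an added example, not code from Ironsphere or from the article: each record carries an HMAC over its own content plus the previous record's tag, so an altered or deleted record breaks the chain. The event data, the key, and the function names are all constructed for illustration; the example assumes the key is held only by the separate log collector.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample privileged-session events; they are not real data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2020-06-01T09:00:00Z", "user": "alice", "host": "db01",
     "cmd": "systemctl restart postgresql"},
    {"ts": "2020-06-01T09:05:12Z", "user": "bob", "host": "db01",
     "cmd": "pg_dump customers"},
    {"ts": "2020-06-01T09:07:40Z", "user": "bob", "host": "db01",
     "cmd": "scp customers.sql external:/tmp"},
    {"ts": "2020-06-01T09:08:01Z", "user": "bob", "host": "db01",
     "cmd": "rm /var/log/audit/audit.log"},
]

# Tag that the first record chains back to.
GENESIS_TAG = "0" * 64


def canonical(record: Dict) -> bytes:
    """Deterministic serialization so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: List[Dict[str, str]], key: bytes) -> List[Dict]:
    """Append each event to a chain where every record's HMAC covers the previous tag.

    `key` is assumed to be held only by the log collector on a separate host, so a
    privileged user on the audited server cannot recompute tags after editing.
    """
    chain: List[Dict] = []
    prev = GENESIS_TAG
    for seq, event in enumerate(events):
        body = {"seq": seq, "prev": prev, **event}
        tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        chain.append({**body, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain: List[Dict], key: bytes,
                 expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record).

    An altered record fails its HMAC; a record deleted from the middle breaks the
    seq/prev linkage of its successor. Records deleted from the end are only
    detectable if the last tag was recorded elsewhere and passed in as
    `expected_last_tag`; that failure is reported at index len(chain).
    """
    prev = GENESIS_TAG
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("tag", "")):
            return False, i
        prev = record["tag"]
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-held-by-collector"
    chain = build_chain(SAMPLE_EVENTS, demo_key)
    print("intact:", verify_chain(chain, demo_key))
    without_rm = chain[:3]  # the "rm audit.log" record cut from the tail
    print("tail cut, no anchor:", verify_chain(without_rm, demo_key))
    print("tail cut, anchored:", verify_chain(without_rm, demo_key, chain[-1]["tag"]))
```

The design point is that a hash chain alone cannot see records removed from the end; the collector also has to publish or escrow the latest tag (or a record count) somewhere the audited host's administrators cannot reach, which is exactly the "separate computer" Gomulu calls for.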
With advanced PAM technology, no user needs to know the root password. This is driving the popularity of least privilege, under which, for each task or process, the administrator is granted only the minimum rights required to perform that task.
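What least privilege looks like in practice, and how the shared-root pattern shows up in a rule set, can be seen with a small checker over sudoers-style grants. This is an added example written for this article, not code from Ironsphere or any PAM product: the rules are constructed, and the regular expression covers only the simple `user host=(runas) [TAG:] commands` form, not the full sudoers grammar (aliases, defaults, and `user:group` run-as specs are left out).

```python
import re
from typing import Dict, List, Tuple

# Constructed sudoers-style lines for illustration; not from any real system.
SAMPLE_SUDOERS = """
# Everyone in the admins group can run anything, as anyone, anywhere:
# functionally the same as handing out the root password.
%admins  ALL=(ALL) ALL
alice    ALL=(ALL) NOPASSWD: ALL
# Task-scoped grants: only the commands each person's job actually needs.
bob      db01=(postgres) /usr/bin/systemctl restart postgresql, /usr/bin/pg_dump
carol    web01=(root) /usr/sbin/nginx -s reload
"""

# user_or_group  hosts=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rules(text: str) -> List[Dict]:
    """Parse the simple grant lines above into dicts; comments and blanks are skipped."""
    rules: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognized rule: {line}")
        rules.append({
            "who": m.group("who"),
            "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root",  # sudo's default target user
            "tags": [t.rstrip(":") for t in m.group("tags").split()],
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def find_overbroad(rules: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Flag grants that contradict least privilege; returns (who, reasons) pairs."""
    findings: List[Tuple[str, List[str]]] = []
    for r in rules:
        reasons: List[str] = []
        if "ALL" in r["cmds"]:
            reasons.append("any command")
        if r["hosts"] == "ALL":
            reasons.append("every host")
        if r["runas"] == "ALL":
            reasons.append("as any user")
        if "NOPASSWD" in r["tags"]:
            reasons.append("no re-authentication")
        if reasons:
            findings.append((r["who"], reasons))
    return findings


if __name__ == "__main__":
    for who, reasons in find_overbroad(parse_rules(SAMPLE_SUDOERS)):
        print(f"{who}: {', '.join(reasons)}")
```

The two task-scoped grants (bob's database maintenance on one host, carol's web-server reload on another) pass unflagged; the group-wide `ALL=(ALL) ALL` grant is flagged on three counts because, from an accountability standpoint, it is indistinguishable from a shared root password.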
“Given the current environment, the number of attacks and sophistication of adversaries, and given human nature, privileged user malfeasance will grow,” Gomulu concluded. “Managing privileged users in a heterogeneous IT environment is a big problem worth solving. CISOs and their IT/OT teams can no longer afford to manage their privileged user accounts manually.”
One way to solve this is advanced password management. Without a software solution, shared passwords make changing or rotating passwords very difficult, as some team members might lose access, or they need to be notified before changes. Enforcing and managing a company-wide password policy is a huge task without automation, Gomulu said.
“Within the PAM space, there are two architectural approaches to this: the proxy approach (man-in-the-middle) and the agent approach. These approaches are based on where the point of control is. With the proxy approach, the solution is placed between the users and the servers in a network, and all traffic is funneled through the proxy. With the agent approach, the solution is installed on individual servers.”
There are a few trade-offs with these scenarios. The proxy approach is faster to deploy in large networks; according to Gomulu, “it is easier to maintain and operate and adds no resource overhead on servers. The agent approach provides more in-depth/granular control on servers and provides a more reliable point of control. Most organizations benefit from having access to both software solutions.”