This month's topic is a follow-up to the bizarre situation with the rogue
Systems Administrator in San Francisco. This e-newsletter deals with how
organizations establish Privileged Account Management.
A standard part of the installation process, whether for an operating
system, a database or an application, is the creation of privileged
accounts. Like Unix's root and Windows' administrator accounts, these
privileged system accounts are required for the system to function and
are frequently used by system administrators to do their jobs; they grant
special system privileges that average users don't need, and that even
administrators need only from time to time, when making major changes.
However, privileged accounts offer no individual accountability: they do
not belong to any individual user and are commonly shared by many
administrative staff.
So why care about privileged accounts?
Because these accounts have elevated access rights, meaning those with
access can bypass the internal controls of the target platform. Once
these controls are bypassed, users can breach confidential information,
change transactions and destroy audited data. Need another reason? The
security of privileged accounts is likely at the top of your compliance
examiner's concerns. This tip will offer an introduction to the latest
technology available for managing the security of privileged accounts,
and best practices to consider when developing an implementation strategy.
What are some of the privileged account management solutions?
Privileged account management solutions can help secure these shared,
powerful accounts. Such solutions control access to a privileged account
by requiring its password to be retrieved (checked out) through the
solution, and by changing the password afterward. The solutions can be
configured to change the password periodically or every time it is
retrieved. Privileged account management solutions also can provide two
password retrieval modes, interactive and programmatic. With interactive
retrieval, the administrator authenticates to the privileged account
management portal, receives the privileged account's password, and then
logs on to the target platform; a typical example is an administrator who
connects to the host over telnet or RDP (Remote Desktop Protocol).
Conversely, batch jobs, scripts and services check out passwords
programmatically. With this method, the privileged account management
solution installs middleware locally on the host, which retrieves the
credentials on behalf of the batch job or script. In basic use, the
privileged account password is removed from the script or batch job and
replaced with a few lines of code that retrieve the password from the
solution when needed. Vendors of privileged account management products
include Cloakware Inc., Cyber-Ark and Passlogix Inc.
Here are a few key items enterprises should consider when choosing and
preparing to implement a privileged account management solution:
Due to the heterogeneous nature of the target platforms, programmatic
retrieval is generally more challenging to implement than interactive
retrieval. Most organizations tackle interactive retrieval first, followed
by programmatic retrieval. This approach enables the organization to get
comfortable with the privileged account management
Make the solution readily available
The introduction of the privileged account management solution can be
stressful to the organization because it forces behavioral changes on
the system administrators. Some highly distributed environments require
that the privileged account management middleware have the capability
to temporarily cache the privileged account password. Some solutions
have this capability, and some do not. The interruption of nightly
processing, or the inability of a system administrator to do his or her
job because of the privileged account's unavailability, is the surest
way to kill an integration deployment.
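The programmatic retrieval described above (a few lines of code in the
batch job in place of a hard-coded password) and the temporary caching
that some middleware offers can be shown together. The following is an
added example, not code from the article or from any of the vendors it
names: the vault, its checkout/rotate API and the middleware class are
constructed stand-ins, and the account name, requester and timestamps are
made up for the walk-through.

```python
"""Programmatic password check-out with a short-lived local cache.

Added example, not any vendor's client library: the vault and the middleware
API below are constructed stand-ins for a privileged account management
server and its locally installed middleware.
"""
import secrets
import string
import time


class VaultUnavailable(Exception):
    """Raised when the privileged account management server cannot be reached."""


class SimulatedVault:
    """Stand-in for the privileged account management server (constructed).

    Every successful check-out is written to an audit list, and rotate()
    replaces an account's password the way a scheduled change would.
    """

    def __init__(self, accounts):
        self._passwords = {a: self._new_password() for a in accounts}
        self.available = True
        self.audit = []  # (timestamp, account, requester)

    @staticmethod
    def _new_password(length=24):
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def checkout(self, account, requester, now):
        if not self.available:
            raise VaultUnavailable("portal unreachable")
        self.audit.append((now, account, requester))
        return self._passwords[account]

    def rotate(self, account):
        self._passwords[account] = self._new_password()


class CachingCredentialProvider:
    """Middleware the batch job calls instead of embedding the password.

    On every call the password is checked out from the vault, so each use is
    audited. If the vault is unreachable, a copy cached within the last
    cache_ttl seconds is served and the hit is logged locally; beyond the
    TTL the call fails closed rather than running with a stale secret.
    """

    def __init__(self, vault, requester, cache_ttl=900):
        self._vault = vault
        self._requester = requester
        self._ttl = cache_ttl
        self._cache = {}        # account -> (password, fetched_at)
        self.local_log = []     # (timestamp, account, source)

    def get(self, account, now=None):
        now = time.time() if now is None else now
        try:
            password = self._vault.checkout(account, self._requester, now)
        except VaultUnavailable:
            cached = self._cache.get(account)
            if cached is None or now - cached[1] > self._ttl:
                raise
            self.local_log.append((now, account, "cache"))
            return cached[0]
        self._cache[account] = (password, now)
        self.local_log.append((now, account, "vault"))
        return password


def nightly_job_scenario():
    """Walk a batch job through a vault outage and a password rotation."""
    vault = SimulatedVault(["db_sa"])
    provider = CachingCredentialProvider(vault, "batch-nightly@host01", cache_ttl=900)
    t0 = 1_000_000.0
    first = provider.get("db_sa", now=t0)            # normal, audited check-out

    vault.available = False                          # outage during the run
    second = provider.get("db_sa", now=t0 + 600)     # inside TTL: served from cache
    try:
        provider.get("db_sa", now=t0 + 2000)         # outside TTL: fail closed
        stale_served = True
    except VaultUnavailable:
        stale_served = False

    vault.available = True
    vault.rotate("db_sa")                            # scheduled password change
    third = provider.get("db_sa", now=t0 + 3000)     # fresh check-out, new value
    return {
        "cache_hit_matches": first == second,
        "stale_served": stale_served,
        "rotated_value_differs": third != first,
        "vault_audit_entries": len(vault.audit),
        "local_cache_hits": sum(1 for _, _, src in provider.local_log if src == "cache"),
    }


if __name__ == "__main__":
    print(nightly_job_scenario())
```

Two design points follow from the article's warning about unavailability:
the cache TTL should be shorter than the password rotation interval, or a
cached copy can outlive the password it holds, and every cache hit is
written to a local log so that a later investigation can still see uses
that never reached the vault's audit trail.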
Integrate with the provisioning system
Several of the privileged account management solutions have provisioning
interfaces. A provisioning interface enables the organization to provision
a system administrator to the privileged account management system, while
also restricting the privileged accounts accessible to an administrator.
When a system administrator changes his or her job function or geographical
location, the provisioning system will cue the privileged account management
solution to change the system administrator's access rights.
Use strong authentication
Most privileged account management tools support the ability to strongly
authenticate system administrators, typically via one-time password device
or smart card. Many large organizations have already deployed strong
authentication to their system administrators. For high identity-assurance
environments, it makes sense for an administrator to strongly authenticate
to the privileged account management solution.
Integrate with the security information management (SIM) system
The privileged account management solution records the retrieval of all
privileged account passwords. However, in a forensic investigation, the
system does not provide the complete picture. When possible, organizations
should integrate the privileged account management system with the SIM
system, which automates the process of monitoring logs from firewalls,
IDS/IDP appliances and other devices. The integration enables organizations
to have a 360-degree view of when, and by whom, the privileged account
password was retrieved, as well as the subsequent actions taken by the
account on the
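The correlation the SIM integration is meant to provide can be sketched in
code. The following is an added example, not part of the article and not
the output or API of any SIM product: the vault check-out records and the
host authentication events are constructed in a simplified format, the
hostnames, accounts, requesters and addresses are made up, and the two
regular expressions are the part a practitioner would adapt to real logs.
Each privileged logon is attributed to the latest check-out for the same
account and host within a time window; a logon with no matching check-out
is flagged, because it means the password was used without going through
the vault.

```python
"""Correlate vault check-outs with host logons to get the '360-degree' view.

Added example, not part of the original article or any SIM product. Both log
formats below are constructed for the example; real vault and host logs
differ, so the two regular expressions are the part to adapt.
"""
import re
from datetime import datetime, timedelta

# Constructed vault audit trail: who checked out which account for which host.
VAULT_LOG = """\
2008-08-05T01:15:02Z vault checkout account=root target=host01 requester=jdoe
2008-08-05T02:40:30Z vault checkout account=sa target=db02 requester=batch-nightly
"""

# Constructed host authentication events as collected by the SIM.
AUTH_LOG = """\
2008-08-05T01:16:10Z host01 sshd: Accepted password for root from 10.0.0.5
2008-08-05T02:41:05Z db02 login: Accepted password for sa from 10.0.0.9
2008-08-05T03:30:00Z host01 sshd: Accepted password for root from 10.0.0.77
"""

CHECKOUT_RE = re.compile(
    r"^(\S+) vault checkout account=(\S+) target=(\S+) requester=(\S+)$")
LOGON_RE = re.compile(
    r"^(\S+) (\S+) \S+: Accepted password for (\S+) from (\S+)$")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_checkouts(text):
    """Vault records: one dict per successful password retrieval."""
    out = []
    for line in text.splitlines():
        m = CHECKOUT_RE.match(line)
        if m:
            out.append({"time": parse_time(m[1]), "account": m[2],
                        "target": m[3], "requester": m[4]})
    return out


def parse_logons(text):
    """Host records: one dict per accepted logon, any account."""
    out = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            out.append({"time": parse_time(m[1]), "host": m[2],
                        "account": m[3], "source": m[4]})
    return out


def correlate(checkouts, logons, window=timedelta(hours=1)):
    """Attribute each logon to the most recent check-out of the same account
    on the same host within `window`; return (attributed, unattributed)."""
    attributed, unattributed = [], []
    for ev in sorted(logons, key=lambda e: e["time"]):
        candidates = [c for c in checkouts
                      if c["account"] == ev["account"]
                      and c["target"] == ev["host"]
                      and c["time"] <= ev["time"] <= c["time"] + window]
        if candidates:
            c = max(candidates, key=lambda c: c["time"])
            attributed.append({**ev, "requester": c["requester"],
                               "checkout_time": c["time"]})
        else:
            unattributed.append(ev)
    return attributed, unattributed


def report(vault_log=VAULT_LOG, auth_log=AUTH_LOG):
    return correlate(parse_checkouts(vault_log), parse_logons(auth_log))


if __name__ == "__main__":
    attributed, unattributed = report()
    for ev in attributed:
        print(f"{ev['time']:%H:%M} {ev['account']}@{ev['host']} <- "
              f"{ev['requester']} (checked out {ev['checkout_time']:%H:%M})")
    for ev in unattributed:
        print(f"{ev['time']:%H:%M} {ev['account']}@{ev['host']} "
              f"from {ev['source']}: no matching check-out")
```

On the constructed data the first two logons are attributed to jdoe and
to the nightly batch job, while the root logon at 03:30 on host01 falls
outside the one-hour window of the only check-out for that account and is
flagged. The window length is a tuning decision: it should cover a normal
administrative session, and check-in or password-change events from the
vault, when available, are a better closing boundary than a fixed interval.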
Implement more controls
Privileged account management solutions can help control who has access to
privileged accounts, but they cannot control what actions are taken with
the privileged account once the password is checked out. Organizations
should implement controls that limit the damage that privileged accounts,
and privileged account users, can do. For example, the Unix sudo utility
enables privilege delegation to normal users, which reduces the need to
use the privileged account at all.
There you have it. Enterprises have struggled with the scalable security
of privileged accounts for decades. These accounts are created upon
installation and are shared by many people in order to do their job.
These powerful accounts can access sensitive data because they bypass
most of the platform's security controls. Today's privileged account
management solutions can limit account access to authorized personnel.
However, privileged account management products don't provide everything
an organization might need in the event of a forensic investigation, so
look into SIM, provisioning and similar security tools to complete the