Compelling IT Survey, Weak Solution

Deploy Adaptive Privilege Management to Block Land and Expand Cyber Attacks

Last week a software vendor published a survey stating that over 40% of IT staff abuse administrative passwords to access sensitive information that’s not relevant to their jobs.

The vendor that conducted the survey holds claim to the password vault market, promoting an approach to controlling privileged logins that relies on spreadsheets and other handmade documents to control access. The lists are maintained in a secure data store with monitored access.

Use of a password vault might keep the privileged identity problem out of sight from auditors, but it disguises the fact that the spreadsheets often contain never-changing passwords known to too many individuals inside and outside of IT. The unfortunate consequence remains that too many people still have too much access for too long, with complete disregard for even the most basic requirements of “need to know.”

Like others in this market, this vendor also develops a product to automate the changing and recovery of privileged passwords. Our advice is to treat the claims of all vendors in this category with skepticism. We’ve heard from more than a few organizations about deployments that bring the buyers into a trough of misery as soon as it’s discovered that the products fail to cover changing IT environments for more than a few weeks – that is, unless the vendor stages expensive professional services staff permanently on site.

A Better Solution Than Using a Password Vault 

The right solution is to implement technology that can autonomously, automatically and dynamically find and manage all of the privileged (sensitive) accounts without reliance on human beings or professional services contracts to keep the security working. This includes not only the administrator logins used by IT staff, but also the privileged identities coded into line-of-business applications, databases, web apps, directories, and other IT assets. Left unsecured, any of these credentials can be used to access your most sensitive data.

To solve the problem of unsecured privileged identities, organizations should expect controls to operate and be verifiable 24 hours a day. Consider that in some environments passwords ought to be changed every 1 to 24 hours; without the right technology this is impossible to accomplish.

A second important mindset is to accept that privileged credentials should only be provided for a limited amount of time and only for authorized purposes. After the approved time interval is over, an issued password must be changed automatically, and all applications that use it must also be updated by a solid re-key process.

The move to real privileged identity security can be accomplished in weeks with the right technology and the proper mindset: super-user credentials must be requested, and it is understood that they will no longer work after a few hours. This means that administrators and Help Desk staff will need to follow a process and be accountable for their access and actions.
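The request, time-limited issuance, automatic change on expiry and re-key steps described above, modelled as an added example that is not code from the original post or from any vendor's product; the account name, dependent application and time values are constructed, and the in-memory classes are assumptions standing in for a real credential manager:

```python
import secrets

class PrivilegedAccount:
    """One managed privileged credential and the consumers that embed it."""
    def __init__(self, name, max_age_s, now):
        self.name = name
        self.max_age_s = max_age_s     # policy: rotate at least this often
        self.secret = secrets.token_urlsafe(24)
        self.rotated_at = now
        self.dependents = {}           # app name -> secret that app currently holds
        self.lease = None              # (requester, expires_at) while checked out
        self.audit = []                # (timestamp, event, detail) audit trail

    def register_dependent(self, app):
        self.dependents[app] = self.secret

    def rotate(self, now, reason):
        """Issue a new secret, push it to every consumer (re-key), close the lease."""
        self.secret = secrets.token_urlsafe(24)
        self.rotated_at = now
        for app in self.dependents:
            self.dependents[app] = self.secret
        self.lease = None
        self.audit.append((now, "rotate", reason))

    def checkout(self, requester, purpose, ttl_s, now):
        """Hand out the current secret for a bounded interval, recording who and why."""
        if self.lease and self.lease[1] > now:
            raise RuntimeError("account already checked out")
        self.lease = (requester, now + ttl_s)
        self.audit.append((now, "checkout", f"{requester}:{purpose}"))
        return self.secret

    def enforce(self, now):
        """Scheduler hook: rotate when a lease expires or the max age is reached."""
        if self.lease and now >= self.lease[1]:
            self.rotate(now, f"lease expired for {self.lease[0]}")
        elif now - self.rotated_at >= self.max_age_s:
            self.rotate(now, "max age reached")

def audit_findings(accounts, now):
    """Verification pass: report stale secrets and consumers left un-keyed."""
    findings = []
    for a in accounts:
        if now - a.rotated_at > a.max_age_s:
            findings.append(f"{a.name}: secret older than policy")
        for app, s in a.dependents.items():
            if s != a.secret:
                findings.append(f"{a.name}: {app} holds stale secret")
    return findings
```

Running `enforce` from a scheduler and `audit_findings` on demand is what makes the control verifiable at any hour rather than only at audit time.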

Even with the best technology, in some organizations the individuals’ desire to avoid accountability can hinder progress unless C-level staff guide the change for the benefit of the operation as a whole. Poor security as a convenience to IT is a dangerous way to run an organization.

Funny thing about this improvement: your auditors can become a lot happier and your IT staff will find its workload reduced. Once there’s a process in place to grant IT staff fast, audited access, and your hardware is protected from viruses and hackers that can gain access through common credentials, you’ll find that fewer IT staff hours are wasted. Even mandated 30-90 day service and application password changes can now be handled in minutes without disruption to the business.

It is amazing how easy and trouble-free security can be to accomplish with the right technology. The TCO is minuscule compared to choosing the wrong solution – or no solution at all.

2 Comments on "Compelling IT Survey, Weak Solution"

  1. I know you guys are selling hard, but as a satisfied customer of the “weak solution” – I think you are lying about a competitor’s solution. I think it lowers the IQ of all those you are selling to when you do that, and suggest that you stop. The password vault solution includes a facility for finding and changing passwords as a part of managing them. We moved from a secret spreadsheet to this solution – it’s far more complete than your posting says –
    Stop the misinformation!

    • Hi Mike,

      Thank you for your comments.

      The determination of what is a weak or strong solution must be made in the context of your organization.

      If you have evolved past common and shared passwords, sticky notes and widely-viewed password spreadsheets you are better off than most organizations.

      For those companies that have relatively simple and static environments with limited need for integration and propagation, many of the solutions on the market work well. The number of accounts that are being stored is generally not the issue; several of our competitors have no problem handling thousands of static accounts.

      On the other hand, most products on the market simply can’t handle very large, complex, dynamic, highly regulated enterprises.

      The key consideration is the complexity of credential usage within each company. Local administrator and root accounts on workstations and servers are simple enough to manage. However, once we start to manage credentials all the way through the stack – from the hardware, through multiple types of hypervisors, multiple types and versions of hosted operating systems, multiple vendors, versions and configurations of databases, middleware, connection strings, and applications – that’s a different story.

      Life gets complicated in big, heterogeneous, distributed IT shops. This is where we feel our products differentiate themselves.

      Having said all that, if you have a solution that randomizes all of your administrator passwords on a regular basis wherever they are referenced, and if you have implemented need-to-know and a segregation of duties with respect to accessing sensitive systems, then you have done a great job irrespective of the solution you’ve chosen.

      We simply suggest that customers not blindly select a vendor based on analyst representations, nor on the representations made by a salesperson. Get all the facts, test competing solutions in your environment, and let the results guide your decision.

      There is no single right choice for every company. The only wrong decision is to do nothing about this potentially dangerous problem.
