The security and compliance officer at a large financial services firm was worried.
An internal study revealed that IT overhead to prepare for compliance audits and address auditor findings was growing faster than his organization could sustain. The executive suspected that manual processes for updating privileged identities were a key component of the costs.
What could he do to resolve the problem?
Before exploring his solution, let’s first examine privileged identities. We’ll define why securing these identities is a critical component of regulatory compliance.
Privileged Identities and Regulatory Compliance
Privileged identities hold elevated permission to access data, run programs, and change system configuration settings. Commonly used by IT staff to perform routine maintenance and emergency system repairs, privileged identities exist virtually everywhere in IT.
A single server can have privileged identities in local and domain accounts, in configured services and scheduled tasks, and in a wide range of applications including COM+ and DCOM applications, IIS websites, databases such as Oracle and SQL Server, and so on.
Multiply these identities by the many computers and network devices in your organization and you’ll get an idea of the challenge of manually documenting each account and its interdependencies, and of changing each account password frequently enough to comply with regulatory mandates.
Identity Access Management (IAM) frameworks don’t manage privileged identities. Rather, they provision and de-provision users, manage normal user login activity, and in some cases grant single sign-on to systems and applications. Because they are outside the control of IAM technologies, unsecured privileged identities are a significant security concern and a focus of regulatory compliance audits.
Key regulatory standards – including PCI-DSS, HIPAA, Sarbanes-Oxley and others – share common requirements when it comes to securing privileged identities. These include directives to:
- Discover and change default privileged passwords on every hardware and software asset before deployment on production networks,
- Maintain minimum complexity and change frequency standards for privileged passwords,
- Maintain detailed audit trails of privileged access requests,
- Document a need-to-know when it comes to each privileged access, and
- Change account passwords when people with access leave the organization or change job roles.
The Penalties of Unsecured Privileged Identities
Control over privileged identities is essential to maintain security wherever electronic payment records or healthcare records are present. Unsecured privileged access can result in failed compliance audits and higher business costs. For example, organizations processing credit card payments that fail to comply with PCI-DSS pay increased transaction fees and fines.
Beyond direct financial losses and negative media exposure, the lack of adequate policies to manage privileged accounts can make an organization unable to:
- Quantify and address its security risks by determining where privileged account vulnerabilities exist.
- Protect its assets by verifying that cardholder data and other sensitive information is accessible only by authorized personnel.
- Provide an audit trail of the individuals granted access to sensitive data or permitted to make changes to business-critical IT processes.
- Eliminate inefficient manual processes that can waste time while failing to address significant vulnerabilities.
- Eliminate undesired system changes and service disruptions when privileged accounts are used for tasks that don’t need them.
Automated Privileged Identity Management
Fortunately, automated processes exist that can help you regain control in a cost-effective manner. Privileged identity management solutions can:
- Automate the tracking of your organization’s privileged accounts,
- Change privileged passwords according to your organization’s policy,
- Facilitate rapid password recovery so that your IT staff can perform routine services and emergency repairs, and
- Change each privileged password after check-out to prevent unaudited access.
A next-generation privileged identity management solution can scale to the largest enterprise, so that every privileged account is brought under control. It can also rapidly and continuously change the passwords of privileged accounts across these large environments, so that the value of any stolen credential is time-limited. And it can operate in cross-platform enterprises, on-premises and in the cloud.
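The two lists above (the regulatory directives and the capabilities of a privileged identity management solution) describe one workflow: discover and replace default passwords, enforce complexity and change frequency, record who requested which credential and why, and rotate the password after every check-out and whenever a person with access leaves. The following is an added illustration of that workflow, not code from this post or from Lieberman Software; the list of vendor defaults, the policy values, the system and account names, and the requester are constructed assumptions.

```python
"""Minimal privileged-credential vault modelling the controls listed above:
default-password discovery, complexity and maximum-age policy, an audit trail
with a stated purpose per request, rotation after every check-out, and
rotation when a person with access leaves. Illustrative code, not a product."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of vendor defaults to flag before deployment (assumption).
KNOWN_DEFAULTS = {"admin", "password", "changeme", "Password1"}
Key = Tuple[str, str]  # (system, account name)


@dataclass
class Policy:
    min_length: int = 16                  # assumed policy values
    max_age: timedelta = timedelta(days=30)
    min_classes: int = 3                  # of lower, upper, digit, punctuation

    def complexity_ok(self, pw: str) -> bool:
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        present = sum(any(c in cls for c in pw) for cls in classes)
        return len(pw) >= self.min_length and present >= self.min_classes


@dataclass
class Account:
    password: str
    rotated_at: datetime
    checked_out_by: Optional[str] = None


@dataclass
class Vault:
    policy: Policy
    accounts: Dict[Key, Account] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, now: datetime, **event) -> None:
        self.audit.append({"at": now.isoformat(), **event})

    def generate(self) -> str:
        """Random password that satisfies the policy (retry on the rare miss)."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:
            pw = "".join(secrets.choice(alphabet) for _ in range(self.policy.min_length + 4))
            if self.policy.complexity_ok(pw):
                return pw

    def rotate(self, key: Key, reason: str, now: datetime) -> str:
        acct = self.accounts[key]
        acct.password, acct.rotated_at = self.generate(), now
        self._log(now, action="rotate", key=key, reason=reason)
        return acct.password

    def enroll(self, key: Key, current: str, now: datetime) -> str:
        """Bring an account under management; replace a default or weak password first."""
        self.accounts[key] = Account(current, now)
        self._log(now, action="enroll", key=key)
        if current in KNOWN_DEFAULTS or not self.policy.complexity_ok(current):
            return self.rotate(key, "default-or-weak-password", now)
        return current

    def checkout(self, who: str, key: Key, purpose: str, now: datetime) -> str:
        """Release a credential only with a stated purpose; record who, what and why."""
        acct = self.accounts[key]
        if not purpose.strip():
            self._log(now, action="deny", requester=who, key=key, reason="no-purpose")
            raise PermissionError("a stated purpose is required")
        if acct.checked_out_by is not None:
            raise PermissionError(f"already checked out by {acct.checked_out_by}")
        acct.checked_out_by = who
        self._log(now, action="checkout", requester=who, key=key, purpose=purpose)
        return acct.password

    def checkin(self, who: str, key: Key, now: datetime) -> None:
        """Return the account and rotate it, so the value handed out is now dead."""
        acct = self.accounts[key]
        if acct.checked_out_by != who:
            raise PermissionError("not checked out by this requester")
        acct.checked_out_by = None
        self._log(now, action="checkin", requester=who, key=key)
        self.rotate(key, "post-checkout", now)

    def stale(self, now: datetime) -> List[Key]:
        """Accounts whose password has exceeded the policy's maximum age."""
        return [k for k, a in self.accounts.items() if now - a.rotated_at > self.policy.max_age]

    def offboard(self, who: str, now: datetime) -> List[Key]:
        """Rotate every account the departing person ever checked out."""
        seen = {e["key"] for e in self.audit if e.get("requester") == who and e["action"] == "checkout"}
        for key in sorted(seen):
            self.rotate(key, f"offboard:{who}", now)
        return sorted(seen)


def demo() -> List[str]:
    """Constructed scenario: enrol one account, deny a purposeless request, grant one,
    check it back in, then offboard the requester. Returns the audit actions in order."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    v, key = Vault(Policy()), ("db01", "sa")        # assumed system/account names
    v.enroll(key, "password", t0)                   # vendor default is replaced on enrol
    try:
        v.checkout("alice", key, "", t0)            # no stated purpose: denied and logged
    except PermissionError:
        pass
    pw = v.checkout("alice", key, "emergency repair of replication", t0)
    v.checkin("alice", key, t0 + timedelta(hours=1))  # rotation makes pw worthless
    assert v.accounts[key].password != pw
    v.offboard("alice", t0 + timedelta(days=2))     # alice leaves: rotate again
    return [e["action"] for e in v.audit]
```

Every event in `audit` carries the requester, the account and the stated purpose, which is exactly what an auditor asks for; `stale()` is the report that drives scheduled rotation, and `offboard()` is the control that closes the gap when someone with access changes role or leaves.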
The Security and Compliance Officer Regains Control
As for the security and compliance officer charged with lowering costs during IT security audits? His focus turned to automating the manual controls that were in place to manage, audit and report on the use of privileged accounts.
He contacted Lieberman Software and deployed our privileged identity management platform in a pilot program. After examining the results of the pilot program, the firm determined that significant time savings were realized through:
- The automation of logging and reporting to show privileged account password changes by system and account.
- Logging and reporting of each privileged access request, including the stated purpose for each request.
- Auto-discovery of new systems and applications as they are introduced on the network.
The demonstrated efficiencies were significant enough that the organization deployed the Lieberman Software product at all of its sites.
Best of all, the executive later reported that the product met his project goals wherever it was deployed.
If you like this topic, please leave a comment below and follow us on Twitter.