Guest Commentary by
Gábor Marosvári, Product Marketing Manager, BalaBit IT Security
Lieberman Software's recent survey of IT professionals revealed that 42% of IT staff share passwords to access systems in their organizations. Lieberman's technology partner BalaBit also conducted a survey, which revealed that 74% of IT professionals have already misused their company's IT system. (Sources: Lieberman Software survey, BalaBit survey.)
Standalone password management tools cannot restrict users based on their actual activity; they can control only general access to the account. So, to better manage the threat represented by “super-users” – and answer the question of “who did what?” – integrating password management with activity monitoring should be considered.
Why complement password management with activity monitoring?
An advanced Privileged Activity Monitoring (PAM) appliance can control access to remote servers or networking devices, and record the activities of the users accessing these systems. In addition, it offers a way to store user credentials (for example, passwords or certificates) and utilize them to login to the target server, without the user having access to the credentials. That way, users only have to authenticate on the PAM device with their usual password.
By integrating PAM with a password management solution organizations can enjoy the benefits of both technologies. Users can continue to access servers just as before, while PAM controls and monitors their activities, without disclosing privileged account passwords.
Users are authenticated by the PAM device, which then impersonates the authenticated user to retrieve the credentials for the target server transparently from the password manager. This automatic password retrieval is crucial, because the password is never disclosed to the user and so stays confidential.
How PAM integration supports IT forensics
As we’ve already noted, not only the authentication process, but the whole privileged working session can be recorded by a PAM tool. Gateway-based PAMs extract auditing information directly from the network communication – providing reliable, easy-to-access content. The recorded audit trails can be played back like a movie – recreating all actions of the administrator.
Audit trails are invaluable for both real-time and post-event investigations. They enable the auditor to search, for example, for all the users who accessed a specific account number in a specific time-frame across any platform in the enterprise. Or, in the case of an unexpected shutdown or database manipulation, the circumstances of the event are readily available in these audit files so the cause of the incident can be quickly identified. This is especially important for business-critical servers, or if your company has outsourced its server administration to an external company.
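An added example, not code from BalaBit or Lieberman Software, of the search described above: each session record ties activity on a shared account to the user who authenticated at the gateway, so the query returns a person rather than just `root`. The records, field names and function names are constructed assumptions for illustration, not a product schema.

```python
from datetime import datetime

# Constructed sample audit-trail index: one record per recorded session.
# "gateway_user" is who authenticated at the PAM device; "account" is the
# shared privileged account the PAM device logged in with on the target.
SESSIONS = [
    {"gateway_user": "alice", "host": "db01", "account": "root", "protocol": "ssh",
     "events": [("2024-01-15T09:14:07", "systemctl status postgresql"),
                ("2024-01-15T09:15:40", "tail /var/log/messages")]},
    {"gateway_user": "bob", "host": "db01", "account": "root", "protocol": "ssh",
     "events": [("2024-01-15T09:20:11", "psql -c 'DELETE FROM orders'"),
                ("2024-01-15T09:21:30", "shutdown -h now")]},
    {"gateway_user": "carol", "host": "web03", "account": "Administrator",
     "protocol": "rdp",
     "events": [("2024-01-15T09:22:00", "window: Services")]},
]


def who_did_what(sessions, account, start, end, host=None, contains=None):
    """Return (time, gateway_user, host, action) for activity on a shared account.

    The target server's own log would show only the shared account name;
    the gateway record supplies the individual behind it.
    """
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for s in sessions:
        if s["account"] != account or (host and s["host"] != host):
            continue
        for ts, action in s["events"]:
            in_window = lo <= datetime.fromisoformat(ts) <= hi
            if in_window and (contains is None or contains in action):
                hits.append((ts, s["gateway_user"], s["host"], action))
    return sorted(hits)


def users_of_account(sessions, account, start, end):
    """All individuals who used the shared account in the time frame."""
    return sorted({user for _, user, _, _ in
                   who_did_what(sessions, account, start, end)})


if __name__ == "__main__":
    window = ("2024-01-15T09:00:00", "2024-01-15T10:00:00")
    print(users_of_account(SESSIONS, "root", *window))
    for hit in who_did_what(SESSIONS, "root", *window, contains="shutdown"):
        print(hit)
```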
In a sense, combining PAM and PIM technology results in a single-sign-on solution for your privileged users. This simplifies password management on your servers and improves your activity control and audit capabilities. And, from the auditor's point of view, the question of “who did what” can be easily answered.
About the Author
Mr. Marosvári joined BalaBit in early 2011. As a product marketing manager he covers BalaBit’s activity monitoring and network security products, and supports sales and marketing communication activities by defining target groups, product positioning and go-to-market strategy. Prior to joining BalaBit, Mr. Marosvári worked for a decade at the global technology research firm IDC as a regional software research manager, covering security software and mobile devices research programs. He also worked as a business analyst for Hungarian solution provider Hypermedia Systems Ltd. and as a system administrator for the Hungarian Television Company. Mr. Marosvári holds a Bachelor of Arts degree in IT engineering from Denis Gabor College in Hungary, an MBA and a degree in info-communication management from the Budapest University of Technology and Economics.