To gain control of a corporate network and reach an organization’s most critical systems, a hacker often hijacks an existing, legitimate identity. Information Technology (IT) professionals are well aware of this attack vector and of the need to secure identities.
But before IT can secure anything, it must first know where these identities exist and what they do. Many organizations are still a long way from being able to answer either question.
IT deals with two different types of identities that are managed in different ways – user accounts and privileged accounts.
About User Accounts
Most people are familiar with user accounts from their own experience. When a new employee starts a job, he is usually set up through a provisioning system and given a user account and an initial password. Attestation and a password change are then required. An entire segment of Governance, Risk and Compliance (GRC) is dedicated to managing the lifecycle of a typical user.
About Privileged Accounts
Privileged accounts – sometimes also referred to as superuser, root, administrator or service accounts – are a different class of identity. They’re accounts with access to sensitive systems or data, not necessarily just those accounts with “administrative privileges”.
These are generic accounts not tied to an individual human. In fact, a standard end-user may never even know that these types of accounts exist. But they’re out there, in the background, granting permission to access files, install programs, and change system configuration settings.
It’s up to the IT group to manage privileged accounts. And to accomplish that, they first need to find these identities. Next, they need to understand how the identities are used. Then, they need a process to secure the credentials tied to these accounts.
In a small organization this is often done by hand, if it’s done at all: the IT group documents privileged accounts and perhaps keeps a password spreadsheet listing current credentials. Once you get into mid-size or large organizations, or companies that use virtualization to spawn many systems, managing privileged credentials becomes much harder. It’s not just finding and securing the credentials; you must also find where they’re used, which means digging into services, COM, scheduled tasks, databases, scripts, and every other place that references privileged credentials.
Most companies do a better job managing standard user accounts than privileged accounts. The challenge for IT is having a source of privileged account information that is continuously up to date, combined with domain-specific knowledge about where those accounts are used. That is difficult to do manually at scale.
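The discovery step described above, as an added example that is not the page's or any vendor's code: a small script that takes an inventory of which accounts run services and scheduled tasks on each host, plus the text of scripts stored there, and reports every place a privileged account is referenced. The inventory, the account names, the host names and the embedded-credential patterns are all constructed sample data; a real job would feed this from the service control manager, the task scheduler and a script repository.

```python
"""Map where privileged credentials are referenced across an inventory.

Added illustration (not the page's or any vendor's code). INVENTORY is
constructed sample data standing in for what a discovery job would pull from
each host's services, scheduled tasks and script directories.
"""
import re
from collections import defaultdict

# Constructed inventory: per host, the account each service and task runs as,
# plus the contents of scripts found on that host.
INVENTORY = {
    "web01": {
        "services": {"w3svc": "LocalSystem", "BackupAgent": "CORP\\svc_backup"},
        "tasks": {"NightlyCleanup": "CORP\\svc_backup"},
        "scripts": {
            "deploy.ps1": "net use \\\\fs01\\share /user:CORP\\svc_deploy P@ssw0rd1",
        },
    },
    "db01": {
        "services": {"MSSQLSERVER": "CORP\\svc_sql", "BackupAgent": "CORP\\svc_backup"},
        "tasks": {},
        "scripts": {"restore.sh": "sqlcmd -U sa -P 'Summer2019!' -Q 'RESTORE ...'"},
    },
    "app01": {
        "services": {"AppPool": "CORP\\svc_app"},
        "tasks": {"Rotate": "Administrator"},
        "scripts": {},
    },
}

# Accounts the organisation has already classified as privileged (constructed).
PRIVILEGED = {"CORP\\svc_backup", "CORP\\svc_sql", "CORP\\svc_deploy", "sa", "Administrator"}

# Patterns for credentials embedded in scripts; constructed to cover the two
# forms in the sample data (net use /user:<acct> <pw>, sqlcmd -U <acct> -P '<pw>').
EMBEDDED = [
    re.compile(r"/user:(?P<account>\S+)\s+(?P<secret>\S+)"),
    re.compile(r"-U\s+(?P<account>\S+)\s+-P\s+'(?P<secret>[^']+)'"),
]


def find_usage(inventory, privileged):
    """Return (host, kind, name, account, embedded) for every reference to a
    privileged account; embedded is True when a script carries the secret."""
    refs = []
    for host, data in inventory.items():
        for kind in ("services", "tasks"):
            for name, account in data[kind].items():
                if account in privileged:
                    refs.append((host, kind, name, account, False))
        for name, text in data["scripts"].items():
            for pat in EMBEDDED:
                for m in pat.finditer(text):
                    if m.group("account") in privileged:
                        refs.append((host, "scripts", name, m.group("account"), True))
    return refs


def shared_across_hosts(refs):
    """Accounts referenced on more than one host: one leaked credential there
    gives a foothold on every host in the set."""
    hosts = defaultdict(set)
    for host, _kind, _name, account, _embedded in refs:
        hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) > 1}


def embedded_secrets(refs):
    """Scripts carrying a plaintext privileged credential: first to move into a vault."""
    return sorted((host, name) for host, _kind, name, _acct, emb in refs if emb)


def unknown_accounts(inventory, privileged):
    """Service/task principals not yet classified, for review."""
    seen = set()
    for data in inventory.values():
        for kind in ("services", "tasks"):
            seen.update(data[kind].values())
    return sorted(seen - privileged - {"LocalSystem"})


if __name__ == "__main__":
    refs = find_usage(INVENTORY, PRIVILEGED)
    for r in refs:
        print(r)
    print("shared across hosts:", shared_across_hosts(refs))
    print("embedded in scripts:", embedded_secrets(refs))
    print("unclassified principals:", unknown_accounts(INVENTORY, PRIVILEGED))
```

On the sample data the report shows `CORP\svc_backup` running on two hosts (the blast radius of one shared credential), two scripts with plaintext secrets, and one service principal (`CORP\svc_app`) nobody has classified yet, which is exactly the inventory a manual spreadsheet tends to miss.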
What Are the Drivers for Privileged Identity Management?
My company has been involved in privileged identity management for as long as this market has existed. In recent years, it really took off. We’ve identified several key drivers for the growing adoption of privilege management solutions in the enterprise.
Former Employees and Contractors
Many organizations lose track of where privileged identities exist and how they’re used. This happens for several reasons. Often, mergers and acquisitions combine different IT infrastructures. Other times, it stems from a simple lack of documentation or from outsourcing IT operations.
Regardless of the cause, the result is the same. When former employees or contractors leave an organization, they often take with them historical knowledge of privileged identities: the accounts they set up, and how to access them.
Without any automated or established privileged account management processes, IT employees and contractors can generally do what they want, where they want, and when they want, with little oversight. This can increase IT efficiency sometimes, but it harms IT security every time. According to an information security survey we commissioned, almost 20% of IT security professionals can still access systems at all previous employers using their former privileged access.
Regulatory Compliance
Another primary driver of privileged identity management is regulatory compliance. Controlling and documenting privileged access is part of every major regulatory requirement out there – PCI-DSS, HIPAA, NIST and more.
But even though there is a rule to do this, some companies still don’t comply. Why not? Because effective cyber security is sometimes politically charged: it requires executives to implement new processes in established organizations. A CISO may look at these new security processes and think, “I’m taking a risk. What is my reward for that risk? What is the cost of remediating compliance issues versus the penalties for non-compliance? And what silos do I have to break down inside my organization to get there?”
Cloud Migrations
Cloud migrations are changing the technology landscape, and they have also driven the rise of privileged identity management. Consider all the identities a large company brings into the cloud: potentially millions of systems and tens of millions of privileged identities. This leads to an area called orchestration. Orchestration, or programmatic access, is a new way of handling identities.
When a thousand machines are brought into the cloud, there’s an automated process of enrolling the machines, putting certificates on them, randomizing the credentials, setting up delegations, and so on. Security in the cloud is an automated process – as is effective privileged identity management. For example, we go into an existing cloud provider and use our automated discovery to find the privileged accounts. But on an ongoing basis we’re providing programmatic interfaces that go well beyond credential check-in and check-out. Privileged identity management becomes part of the management lifecycle of the systems.
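The programmatic lifecycle described in the two paragraphs above (enroll, randomize, check out, check in, rotate), as an added example that is not the page's or any vendor's code. The `Vault` class and its method names are assumptions made for the illustration; hosts and accounts are constructed, and the clock is injected so the stale-credential audit can be exercised without waiting a day.

```python
"""Programmatic privileged-credential lifecycle: enroll, check out, check in, rotate.

Added illustration, not the page's or any vendor's code. Vault and its method
names are assumptions; the clock is injectable for testing.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def new_secret(length: int = 32) -> str:
    """Random credential from the OS CSPRNG; every call is independent, so no
    two enrolled hosts share a value and no build-time default survives."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Credential:
    account: str
    host: str
    secret: str
    rotated_at: float
    checked_out_by: Optional[str] = None
    checkout_expires: float = 0.0


@dataclass
class Vault:
    """In-memory stand-in for a credential store with a rotation policy."""
    max_age: float                 # seconds before an unrotated secret is stale
    checkout_ttl: float            # seconds a check-out stays valid
    clock: Callable[[], float]     # current time in seconds (injected)
    store: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def enroll(self, host: str, account: str) -> Credential:
        """Enrollment randomises the secret immediately."""
        cred = Credential(account, host, new_secret(), self.clock())
        self.store[(host, account)] = cred
        self.audit_log.append(("enroll", host, account, self.clock()))
        return cred

    def checkout(self, host: str, account: str, requester: str) -> str:
        """Exclusive, time-limited check-out; a second holder is refused."""
        cred = self.store[(host, account)]
        now = self.clock()
        if cred.checked_out_by and now < cred.checkout_expires:
            raise PermissionError(f"{account}@{host} held by {cred.checked_out_by}")
        cred.checked_out_by, cred.checkout_expires = requester, now + self.checkout_ttl
        self.audit_log.append(("checkout", host, account, requester, now))
        return cred.secret

    def checkin(self, host: str, account: str, requester: str) -> None:
        """Check-in rotates the secret, so whatever the requester saw is now useless."""
        cred = self.store[(host, account)]
        if cred.checked_out_by != requester:
            raise PermissionError("check-in by a different identity")
        cred.secret, cred.rotated_at, cred.checked_out_by = new_secret(), self.clock(), None
        self.audit_log.append(("checkin+rotate", host, account, requester, cred.rotated_at))

    def stale(self) -> list:
        """Credentials older than max_age, for a scheduled rotation job."""
        now = self.clock()
        return sorted(k for k, c in self.store.items() if now - c.rotated_at > self.max_age)

    def rotate_stale(self) -> list:
        """Rotate every stale credential that is not currently checked out."""
        now, done = self.clock(), []
        for key in self.stale():
            cred = self.store[key]
            if cred.checked_out_by and now < cred.checkout_expires:
                continue
            cred.secret, cred.rotated_at = new_secret(), now
            done.append(key)
        return done


def demo() -> dict:
    """Drive the lifecycle against a fake clock and return the checkable facts."""
    t = [0.0]
    v = Vault(max_age=86400, checkout_ttl=3600, clock=lambda: t[0])
    a, b = v.enroll("web01", "svc_backup"), v.enroll("db01", "svc_backup")
    before = v.checkout("web01", "svc_backup", "alice")
    try:
        v.checkout("web01", "svc_backup", "bob")
        blocked = False
    except PermissionError:
        blocked = True
    v.checkin("web01", "svc_backup", "alice")
    rotated = v.store[("web01", "svc_backup")].secret != before
    t[0] = 2 * 86400                      # two days later, nothing rotated since
    return {"distinct_per_host": a.secret != b.secret, "second_holder_blocked": blocked,
            "rotated_on_checkin": rotated, "stale": v.stale(), "fixed": v.rotate_stale()}


if __name__ == "__main__":
    print(demo())
```

The two properties worth noting are that the same account name on two hosts never shares a secret, and that a check-in always rotates, so a credential copied into a ticket or a chat window stops working as soon as the work is done.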
Cyber Defense
Today it is really cyber defense against nation-state attackers and professional criminal hackers that drives privileged identity management. Privileged accounts are the first thing hackers go for once they penetrate the network with zero-day attacks or other sophisticated tools. Taking over privileged accounts gives intruders the ability to land and expand.
So any company that doesn’t have privileged identity management nowadays is easy pickings. And we would know. We hear from them once they start incurring fines and showing up in the news.