Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

HCLT Whitepaper: The Privileged Access Conundrum


Published on on Infrastructure Management

This white gives an insight to the Privileged Access Challenges and the benefits of using a PAM solution to prevent them to turn into a catastrophe.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

HCLT Whitepaper: The Privileged Access Conundrum

  1. 1. SOLVINGThe Privileged Access Conundrum
  2. 2. IT managers everywhere feel overwhelmed with the risingtide of IT security threats they have to deal with in the face ofan increasing regulatory burden and the ever expandingvision of the IT infrastructure. It is not surprising then that theytend to overlook one particular area of IT security, which is theprivileged access that they grant to themselves and/or theircolleagues in order to do their jobs. Not only are thechallenges of privileged access moving up and down thestack from the hardware layer up to the business applicationlevel, they are also moving outside those boundaries to thecloud and virtual computing environments. Regardless of theenvironment, there are administrators responsible formanaging those environments and privileged users withaccess to highly sensitive information that must be managed,monitored and controlled.The British hacker Gary McKinnon, who the US governmentwanted to extradite after he hacked Pentagon IT systems,gained much of his access through privileged user accountswhich had been left with the default settings.
  3. 3. PrivilegedAccess ChallengesToday, organizations spend a lot of resources building an infrastructurefor securing the enterprise and assuring their business continuity andcompliance. Every typical IT environment comprises of hundreds orthousands of servers, databases, network devices and more, allcontrolled and managed by a variety of privileged and sharedidentities – also known as break-glass, emergency or fire IDs – whichare the most powerful in any organization. This includes the ‘Root’account on UNIX/Linux, ‘Administrator’ in Windows, Cisco ‘enable’,Oracle ‘system/sys’, MSSQL ‘sa’ and many more. What is a Privileged User/Access Someone with IT permissions toThese identities are often neglected; it is difficult to monitor their sessionactivities, and passwords are rarely changed. In some cases, theseidentities are required not only by the internal IT personnel, but also byexternal third-party vendors and, thus, require extra care, such assecure remote access and secure session initiation without exposing thecredentials. Powerful passwords are also often found hard-codedinside applications, scripts and parameter files, leaving themunsecured and rarely changed. Mismanagement of privileged accessimposes great risks to organizations. These include the following:Insider Threat – One of the biggest concerns today is the risk of insiderthreat. In many organizations, the same Root or Administratorpassword is used across the organization, making it easier for adisgruntled insider to abruptly take down core systems. ? Access highly sensitive data Change critical IT systems Conduct high value transactions Cover their tracks in the audit trail Administrative Overhead – With hundreds of network devices, privileged access can be extremely time-consuming to manually control and report on, and more prone to human errors. Moreover, inaccessibility of such a password by an on-call administrator may cause hours of delay in recovering from system failure. Despite often being employees of a relatively low rank, the level of access to sensitive data given to Privileged users is often the highest any employees have had in the history of business. Worst still, poor practice can leave Privileged user accounts easily accessible to outsiders. So, the Privileged access issue is first about managing the Privileged user accounts and then about managing the actual Privileged users, andin many cases they are not well aligned. Why Privileged Access can turn Catastrophic There are a number of reasons a once seemingly trustworthy Privileged user might go rogue; one of the most obvious reasons being for financial gains. This can either be straight forward theft, such as the 2007 case of a “lowAudit and Accountability – Compliance regulations (such as Sarbanes- level” database administrator at the US banking services companyOxley, PCI and Basel II) require organizations to provide accountability Fidelity National Information Services who was found to have stolen 2.3about who accessed shared accounts, what was done, and whether million credit card records and selling them on to a data broker.passwords are protected and updated according to policy. Another reason is plain spite; a disenchanted privileged user mayLoss of Sensitive Information – Privileged accounts usually have choose to wreak havoc, just because they can. A former systemsunlimited access to backend systems. Compromising such accounts administrator of the Swiss bank UBS, RogerDuronio, was convicted inmay lead to uncontrolled access, bypassing the normal system 2006 of sabotaging his employers IT systems in retaliation over aoperation. For instance, this can result in manipulating billing records compensation dispute. UBS never reported the cost of lost business, butand loss of money. did say the attack cost the company more than $3.1 million to get the system back up and running.
  4. 4. The theft of intellectual property by employees leaving one employer PAMS is not just about protecting the data and intellectual propertyfor another is also adanger. There are many examples of “normal” assets of the business and paying regards to the privacy of employees inusers doing this, but privileged users have even greater opportunity general; it is also about complying with the requirements of regulatorswith their wide-ranging access rights. that are often explicit about privileged users in their requirements.Solution: HCL Privileged AccessManagement Services (PAMS) PAMS BenefitsTo bring all this under control requires that Privileged Users are given There are many benefits not afforded by otherunique access; their individual accounts must be the only way ofgaining access to IT systems at the Privileged User level and their approaches:individual activity, whilst operating at that level, should be monitoredand audited. Privileged user accounts can be scanned for andThe access granted also needs to be modular; too often Privileged monitored to ensure default settings are never leftAccounts are assigned broad access rights that are far more than is in place.necessary for a given individual to do their job. It is much safer toassign fine-grained access controls at the account level. Such Privileges can be assigned to named users at the“appropriate role separation” ensures privileged users cannot overstep the mark, accidentally or intentionally, and, should their accounts account level on a case-by-case basis, with thebe compromised, the unauthorized user is similarly restricted. This is appropriate granularity of access, enabling theknown as the “least privilege principle”. “least privilege principle”. The activity of privileged users can be continuously monitored and the activities recorded; the system will record who requested for a password, when, and what actions they took. Compliance with standards and regulations can be audited and proven when necessary. In the event of a privileged user accountbeing compromised, auditors will be able research the incident forensically.This has become especially true with the increasing use of For particularly sensitive systems, it ispossible tovirtualization. In the past, granting a given privileged user access to asingle physical server still gave them fairly limited access rights but, if assign one-time passwords.virtualized, there may be many different systems running on the sameserver to which access is possible, if unlimited rights have been Dual control (maker and checker) can be enabledgranted at the physical level. when required.A further benefit of this level of control over the assignment ofprivileges in virtualized environments is that it allows competing Around the clock support for mission-organizations to share the same physical resources. This is criticalsystems by geographically distributedincreasingly likely with the move to “cloud computing”. For the team scan be easily and safely enabled.outsourcers like HCL that provide these managed services, thegranular granting of privileges and the auditing system managementactivity is essential. The granular granting of privileges can be extended to the management of virtualized environments. PUM tools ease the integration of IT systemswhen organizations come together followinga merger or acquisition.