Privileged identity management (PIM) products automate control over administrative accounts, which typically put too much power in too many people's hands with too little accountability. They address the security, operational and compliance issues posed by the widely shared administrative accounts and passwords, excessive administrative rights, poor separation of duties, embedded passwords in legacy applications and scripts, and poor or nonexistent privileged-password rotation. They also provide individual accountability and an audit trail to prove that policies and controls are actually being enforced.
Ironically, enterprises often do a better job managing standard user accounts and passwords than privileged accounts. The reasons are complex—a maze of practical, historical and cultural impediments. Typically, it's almost impossible to find all the interdependencies among the applications, systems and services an account may touch. As a result, IT managers and the business people they serve are reluctant to change passwords and alter accounts lest they break critical production processes. And trusted admins are accustomed to being trusted—trusted with sweeping administrative rights, trusted to keep passwords within their tight group.
But, in fact, access to privileged accounts is extended in emergencies or when procedures are bypassed to get something done quickly. So users get sweeping privileges beyond their business needs and, once granted, those privileges are seldom taken away.
"With a small staff and a range of support issues that came up, people became aware of what accounts there were, what passwords there were," says the security lead for a midsize manufacturing company that now uses Cyber-Ark PIM products. "There was no tracking around who did what and what kind of account they were using."
A combination of a growing awareness of the security issues posed by poorly controlled privileges and increased audit scrutiny has prompted enterprises to attempt to address the issue. Home-grown and manual control processes have proven unwieldy: They are time-consuming and labor-intensive, provide spotty coverage and are difficult to validate for an audit.
What PIM Does
PIM products are designed to rein in the shared-privileged-account sprawl, automate manual processes and provide an audit trail and monitoring of privileged account and user activity. Several vendors have established themselves in the PIM market, most notably BeyondTrust, Cyber-Ark, e-DMZ Security and Lieberman Software. The suites vary somewhat, but they have four primary capabilities:
Privileged password and account management: This is the core capability of any PIM suite, which addresses the primary pain points around privilege management. The PIM product is a secure repository that internally and automatically generates new passwords and controls user access and authorization for all systems according to corporate policies. So the privileged user logs in and is granted access and authorization for that session based on company-defined roles. The idea is to eliminate account and password sprawl and grant the user only those rights that are required to perform his job. (You should also consider how you handle password resets while you're cleaning things up.) The tool also provides detailed audit trails and should integrate seamlessly with corporate directories, ticketing systems, and so on.
Managing services, scripts and applications: The PIM will manage non-human accounts, such as those required by services and accounts in legacy applications. This ensures that system password changes will be extended to all dependent services. Passwords for embedded applications, which enterprises are reluctant to touch lest they break the app, will no longer be compromised.
Session control and monitoring: This capability allows enterprises to authorize privileged-user connections on a per-session basis and monitor and record activity during the session. This may include a DVR-like recording function that allows investigators to watch exactly what was done.
Command control: This allows granular control and monitoring of commands a user can run based on her role and required tasks.
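The four capabilities above describe a workflow rather than a product, so here is an added example (not code from the article or any of the vendors named) that models the core of it in Python: a vault that generates passwords itself, releases them per session according to a role and a ticket, rotates the secret when the session closes, pushes the new value to every service and script in which the old one was embedded, and records each step in an audit trail. All account, role and service names are constructed for illustration.

```python
import secrets
import string
from dataclasses import dataclass, field

@dataclass
class PimVault:
    passwords: dict = field(default_factory=dict)  # account -> current secret
    embedded: dict = field(default_factory=dict)   # account -> [service/script holding a copy]
    stores: dict = field(default_factory=dict)     # service/script -> the copy it holds
    roles: dict = field(default_factory=dict)      # role -> set of accounts it may check out
    audit: list = field(default_factory=list)      # (actor, action, account, detail)
    _open: dict = field(default_factory=dict)      # session id -> (user, account)

    @staticmethod
    def new_secret(length: int = 24) -> str:
        return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

    def rotate(self, account: str, actor: str = "scheduler") -> str:
        # Generate a new secret and push it to every place the old one was embedded
        secret = self.passwords[account] = self.new_secret()
        for dep in self.embedded.get(account, []):
            self.stores[dep] = secret  # the step manual processes usually miss
        self.audit.append((actor, "rotate", account, list(self.embedded.get(account, []))))
        return secret

    def checkout(self, user: str, role: str, account: str, ticket: str):
        # Per-session, role-based release of a privileged credential tied to a ticket
        if account not in self.roles.get(role, set()):
            self.audit.append((user, "denied", account, ticket))
            raise PermissionError(f"role {role!r} is not authorised for {account!r}")
        session = secrets.token_hex(8)
        self._open[session] = (user, account)
        self.audit.append((user, "checkout", account, ticket))
        return session, self.passwords[account]

    def checkin(self, session: str) -> None:
        # Close the session and rotate, so the released secret cannot be reused later
        user, account = self._open.pop(session)
        self.audit.append((user, "checkin", account, session))
        self.rotate(account, actor=f"auto:{user}")

    def consistent(self, account: str) -> bool:
        # Audit check: every embedded copy equals the vault's current secret
        return all(self.stores.get(d) == self.passwords[account] for d in self.embedded.get(account, []))

def sample_vault() -> PimVault:
    """Constructed sample: one domain admin account embedded in a backup service and a script."""
    v = PimVault(embedded={"domain-admin": ["svc:backup", "script:nightly-sync"]},
                 roles={"dba": {"sql-sa"}, "sysadmin": {"domain-admin", "sql-sa"}})
    for account in ("domain-admin", "sql-sa"):
        v.rotate(account, actor="onboarding")
    return v
```

The `consistent` check is the kind of evidence an auditor asks for: after any rotation, the vault and every dependent store agree, and the audit list shows who requested which account under which ticket.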
Audit: The Big Stick
Vendors say regulatory compliance and audits are still the primary drivers in the PIM market. "Seventy percent of our customers or prospects come in as a result of some open audit issue," says Martin Ryan, e-DMZ Security's vice president of worldwide sales.
Initially, SOX was the main market driver, but now PCI is generating a lot of interest, along with HIPAA, the North American Electric Reliability Council's Critical Infrastructure Protection Standards, and European regulations. (See CSOonline's directory of security laws, regulations and guidelines for more details on those requirements.)
"Compliance is the big issue for us," says an information security analyst for a large federal credit union that uses Lieberman Software. "We had open audit issues associated with service accounts, passwords that hadn't been changed since dirt was clean."
The effort required to identify and change all the service accounts was prohibitive, she says. "There are all those dependencies. It was problematic—a huge security lapse. We got nicked six different times over several years in audits."
PIM tools can help address audit issues in several ways, including:
- Discovery of privileged accounts throughout the enterprise
- Replacement of shared accounts with granular role-based access and authorization
- Automated password generation and rotation
- Integration with identity management and authentication tools
- Secure storage of password data
- Detailed audit trails to prove controls are in place and effective