Too much access? Privileged Identity Management to the rescue
PIM aims to help you limit access to those who truly need it, especially for high-privilege accounts
By Neil Roiter
November 17, 2010 — CSO —
Privileged identity management (PIM) products automate control over administrative accounts, which typically put too much power in too many people's hands with too little accountability. They address the security, operational and compliance issues posed by the widely shared administrative accounts and passwords, excessive administrative rights, poor separation of duties, embedded passwords in legacy applications and scripts, and poor or nonexistent privileged-password rotation. They also provide individual accountability and an audit trail to prove that policies and controls are actually being enforced.
Ironically, enterprises often do a better job managing standard user accounts and passwords than privileged accounts. The reasons are complex—a maze of practical, historical and cultural impediments. Typically, it's almost impossible to find all the interdependencies among the applications, systems and services an account may touch. As a result, IT managers and the business people they serve are reluctant to change passwords and alter accounts lest they break critical production processes. And trusted admins are accustomed to being trusted—trusted with sweeping administrative rights, trusted to keep passwords within their tight group.
Also see the companion article Privileged Identity Management: 7 tips to make it work for you [full article requires Insider registration].
But, in fact, access to privileged accounts is extended in emergencies or when procedures are bypassed to get something done quickly. So users get sweeping privileges beyond their business needs and, once granted, those privileges are seldom taken away.
"With a small staff and a range of support issues that came up, people became aware of what accounts there were, what passwords there were," says the security lead for a midsize manufacturing company that now uses Cyber-Ark PIM products. "There was no tracking around who did what and what kind of account they were using."
A combination of a growing awareness of the security issues posed by poorly controlled privileges and increased audit scrutiny has prompted enterprises to attempt to address the issue. Home-grown and manual control processes have proven unwieldy: They are time-consuming and labor-intensive, provide spotty coverage and are difficult to validate for an audit.
What PIM Does
PIM products are designed to rein in the shared-privileged-account sprawl, automate manual processes and provide an audit trail and monitoring of privileged account and user activity. Several vendors have established themselves in the PIM market, most notably BeyondTrust, Cyber-Ark, e-DMZ Security and Lieberman Software. The suites vary somewhat, but they have four primary capabilities:
Privileged password and account management: This is the core capability of any PIM suite, which addresses the primary pain points around privilege management. The PIM product is a secure repository that internally and automatically generates new passwords and controls user access and authorization for all systems according to corporate policies. So the privileged user logs in and is granted access and authorization for that session based on company-defined roles. The idea is to eliminate account and password sprawl and grant the user only those rights that are required to perform his job. (You should also consider how you handle password resets while you're cleaning things up.) The tool also provides detailed audit trails and should integrate seamlessly with corporate directories, ticketing systems, and so on.
Also read Role management software dos and don'ts
Managing services, scripts and applications: The PIM will manage non-human accounts, such as those required by services and accounts in legacy applications. This ensures that system password changes will be extended to all dependent services. Passwords for embedded applications, which enterprises are reluctant to touch lest they break the app, will no longer be compromised.
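To make the two capabilities above concrete (a vault that issues per-session credentials according to role, rotates them, and propagates the new password to every dependent service and script while logging who did what), here is a small added Python model. It is a constructed illustration written for this article, not code from any of the vendors named; the `Vault`, `PrivilegedAccount` and `DependentService` classes, the role policy, the account and ticket names, and the `demo()` function are all assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass, field

_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Vault-generated password: random, never chosen by or known to a human in advance."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


class DependentService:
    """Stand-in for a service or script that embeds an account's password (constructed)."""

    def __init__(self, name: str, credential: str = ""):
        self.name = name
        self.credential = credential

    def update_credential(self, new_password: str) -> None:
        self.credential = new_password


@dataclass
class PrivilegedAccount:
    name: str
    password: str = field(default_factory=generate_password)
    dependents: list = field(default_factory=list)  # services that embed this password


class Vault:
    """Minimal PIM repository: role-based checkout, rotation on check-in, audit trail."""

    def __init__(self, policy: dict):
        self.policy = policy         # role -> set of account names that role may check out
        self.accounts: dict = {}
        self.checked_out: dict = {}  # account name -> user currently holding it
        self.audit: list = []

    def add_account(self, account: PrivilegedAccount) -> None:
        self.accounts[account.name] = account
        for dep in account.dependents:   # dependents start in sync with the vault
            dep.update_credential(account.password)

    def _log(self, user, role, account, action, result, ticket=None) -> None:
        self.audit.append({"user": user, "role": role, "account": account,
                           "action": action, "result": result, "ticket": ticket})

    def checkout(self, user: str, role: str, account: str, ticket: str) -> str:
        """Issue the current password only if policy allows the role and nobody else holds it."""
        allowed = account in self.accounts and account in self.policy.get(role, set())
        if not allowed:
            self._log(user, role, account, "checkout", "deny", ticket)
            raise PermissionError(f"{user} ({role}) may not use {account}")
        if account in self.checked_out:
            self._log(user, role, account, "checkout", "deny-in-use", ticket)
            raise RuntimeError(f"{account} already checked out to {self.checked_out[account]}")
        self.checked_out[account] = user
        self._log(user, role, account, "checkout", "allow", ticket)
        return self.accounts[account].password

    def checkin(self, user: str, account: str) -> None:
        """Release the account and rotate it, so the password the user saw stops working."""
        if self.checked_out.get(account) != user:
            raise RuntimeError(f"{account} is not checked out to {user}")
        del self.checked_out[account]
        self._log(user, None, account, "checkin", "ok")
        self.rotate(account, actor=user)

    def rotate(self, account: str, actor: str = "scheduler") -> str:
        """Generate a new password and push it to every dependent service so nothing breaks."""
        acct = self.accounts[account]
        acct.password = generate_password()
        for dep in acct.dependents:
            dep.update_credential(acct.password)
        self._log(actor, None, account, "rotate", f"propagated-to-{len(acct.dependents)}")
        return acct.password


def demo() -> dict:
    """One checkout/check-in cycle with constructed names; returns the observable results."""
    backup_job = DependentService("nightly-backup")
    etl_script = DependentService("etl-loader")
    vault = Vault(policy={"dba": {"sa-prod-db"}, "helpdesk": set()})
    vault.add_account(PrivilegedAccount("sa-prod-db", dependents=[backup_job, etl_script]))

    before = vault.accounts["sa-prod-db"].password
    issued = vault.checkout("alice", "dba", "sa-prod-db", ticket="CHG-1234")
    denied = False
    try:
        vault.checkout("bob", "helpdesk", "sa-prod-db", ticket="INC-77")
    except PermissionError:
        denied = True
    vault.checkin("alice", "sa-prod-db")
    after = vault.accounts["sa-prod-db"].password
    return {
        "issued_matches_vault": issued == before,
        "helpdesk_denied": denied,
        "rotated_on_checkin": after != before,
        "dependents_in_sync": backup_job.credential == after == etl_script.credential,
        "audit_actions": [f"{e['action']}:{e['result']}" for e in vault.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the order of operations in `checkin`: the account is released and then rotated, so a checked-out password is single-use, and the rotation is what drives the dependent services, which is exactly the dependency that makes manual rotation so risky in the first place. The audit list records both allowed and denied checkouts with the change ticket, which is the evidence an auditor asks for.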