Unraveling The Riddle Of Privileged Identity

  /     /     /  
Publicated : 22/11/2024   Category : security


Unraveling The Riddle Of Privileged Identity


Some argue for monitoring to take a greater role in refining privileged identity policies, but root accounts pose problems



Whether theyre network administrators, DBAs, or just people who know the username and password of certain shared root accounts, privileged users have long been a difficult nut to crack for security and compliance professionals seeking to keep information on a need-to-know basis. Most experts will agree that it is time for enterprises to make a change in how they deal with privileged accounts and users -- they just might not necessarily see eye-to-eye on how it needs to be done.
Some experts think that the current failings of todays identity and access management tools point to a need for organizations to better use their logging and monitoring solutions already in place to help refine privileged user access. But others warn it isnt as simple as that.
Regardless of the stance, it is clear that as things stand, many organizations are not keeping a tight enough rein on privileges. New data out today validates what grizzled security vets have been saying for what seems like forever: People have way too much access to sensitive data that they dont really need to do their jobs. The numbers come by way of a survey conducted by Ponemon Institute on behalf of HP, which queried more than 5,500 security and operations managers around the world about privileged identity issues.
The survey shows that 64 percent of organizations say it is likely that privileged users think it is OK to access all of the information they can view, and 61 percent report that privileged users access sensitive information for the sake of curiosity rather than job function.
Many organizations are winging it when it comes to assigning and keeping track of who can access what sensitive resources. A little more than 40 percent of organizations say the way they assign such privileged user access is ad-hoc, with just 27 percent of organizations reporting that they use some kind of technology-based identity and access management controls to detect sharing of system administration rights sharing or root level access
[ How can enterprises quickly provision new users with secure access and off-board users who should no longer be on the system? See
Tech Insight: Securely Adding New Users -- And Subtracting Old Ones
. ]
Its almost impossible in an organization of almost any size whatsoever to understand exactly what rights everybody needs to every single application and service that they need to get their job done, says Ryan Kalember, senior director of solutions marketing for HP Enterprise Security. Even worse than that, if you ask them the question of what rights they need, theyll probably ask for the maximum access that is possible because they never want to talk to a security admin again.
According to Kalember, one of the problems with managing privileged users today is that current identity management deployments dont scale well across the entire enterprise; organizations just cant keep track of every possible privileged account using a federated approach.
There are billions of dollars essentially flushed down the toilet in failed IDM deployments because its just too complicated, depending on the organizations culture and their IT architecture, the breadth of applications theyre using, and lots of other variables, he says. So then it becomes a matter of looking at it differently.
What he and HP advocate is utilizing logging and monitoring infrastructure to take a snapshot of user activity, develop a baseline of what is normal, create policies around that, and begin enforcing privileged access from there.
If youre monitoring, you can build up a picture of what is normal, and you can use that to properly configure an IDM. You have a very good idea of which permissions are being used on what systems, how and when they are being used, and by whom if you chose to correlate that with your identity management system. And that means you can take a picture of user activity and figure out what is happening, living in the messy real world and acknowledging that nothing is going to be perfectly corresponding to your vision of what roles should be defined as or what access rights, Kalember says. You actually just look at whats happening and then build up the picture of roles based on that. That becomes a positive feedback loop. That becomes self-sustaining.
But Phil Lieberman of privileged identity management vendor Lieberman Software says there is a big Achilles heel in that method.
So essentially you understand where to put the locks after you put the cameras up after theyve broken in? The assumptions theyre making are just wrong, he says. In privileged identity, there are two classes of identity: There are those that are named and then those that are generic accounts. There is some validity to their statement that if you use the named accounts, a logger is a great idea. But most privileged accounts are those like root or administrator, and you dont know who is using those accounts. Theyre essentially using the camera to take pictures of who you can get a picture of, but in other cases it is people with ski masks on who all look exactly the same.
Kalember agrees that shared accounts arent always easy to root out. But he says there are methods for monitoring tools to tie specific users to these accounts.
One of the big use cases in ArcSight for our customers has been using IP address attribution, which doesnt sound like a very entertaining thing. But you can basically say, I know Joe is on 192.168.1.2, so even though he logged into an account that is hard-coded into an application that got written in 1998, and that account is called root or admin, I know its Joe because hes on that IP address, Kalember says. So then all that activity I can attribute back to him. I can pass an audit. That stuff comes up very frequently, so youre sort of extending the useful lifetime of legacy applications where rewriting them may not even be an option.
However it is done, tying identity of the user to privileges rather than tying accounts to those access rights is the key to getting a better handle on who sees what within the organization.
The discussion should morph from being about controlling the credential to controlling the users access, says Patrick McBride, vice president of marketing for privileged access management firm Xceedium. Thats what theyre really trying to control: Who has access to what. You have to have the identity established to do that. So tying an individual -- not an IP address or not something called root -- tying the person whos actually doing something to what theyre doing, thats what the auditors want.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security

▸ Fully committed to the future world of technology. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Unraveling The Riddle Of Privileged Identity