As we close out 2014 and look ahead to the new year, IT and security teams are working to secure adequate budgets and update their procedures to defend against the latest risks. One area of threat prevention that we at BeyondTrust see coming up more and more often is privileged account management (PAM). Companies are slowly realizing that a large share of serious security incidents originate with people inside the organization or with privileged accounts that have been compromised. Too often, orphaned accounts are left unmanaged, and credentials are not rotated when people change roles or leave. As you put together your 2015 security checklist, keep an eye out for these eight privileged password management pitfalls.
Stale Passwords
Stale passwords are probably the biggest downfall of manual processes for handling privileged passwords. A static password that never changes is a serious liability, because security then depends entirely on the honesty of everyone who has ever known it. Employees with privileged access become the gatekeepers and can hand that access to whomever they wish, effectively voiding your security controls. It is critical to rotate privileged passwords on a consistent schedule, and again whenever someone who knew a password leaves or changes roles, in order to maintain a secure environment.
Installation Complexity
If you are ready to move to a privileged password management solution, make sure you understand how many components you will need to install, configure, and manage before you send in the purchase order. Integrated solutions are much easier to implement and maintain: even large deployments typically need only a couple of appliances for high availability and minimal professional services.
Gaps in Coverage
Many products require that IT administrators rely on Active Directory, or enter new accounts by hand, to bring them under management. This requirement is not only a drain on productivity; it also misses local accounts, database logins, and other distributed accounts, as well as backdoors and other unknowns that never appear in the directory. This is especially true of any organization experiencing growth: the more employees, systems, and processes you add, the more time and resources you need to keep the password management solution current. A growing backlog of changes leaves sensitive credentials unsecured for prolonged periods and creates a significant security hazard. Whatever solution you choose should discover accounts on the assets themselves rather than trust that the directory is complete.
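To make the last two pitfalls concrete, here is an added example of the kind of host-level check a discovery tool needs to do; it is not BeyondTrust code or from the original post. It parses passwd, shadow and group data in the standard Linux file formats (the sample lines below are constructed, not from a real host), treats uid 0 and membership in an admin group as privileged, computes password age from the shadow "last change" field, and compares the result against a hypothetical list of accounts that an Active Directory driven tool already knows about. The `AD_MANAGED` set, the host names and the 90-day limit are assumptions for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
ADMIN_GROUPS = {"root", "sudo", "wheel"}   # assumption: what counts as "admin" here
AUDIT_DATE = date(2014, 12, 15)            # assumed "today" for the sample

# Constructed sample data in /etc/passwd, /etc/shadow and /etc/group format.
# "toor" is a second uid-0 account and "backupsvc" has no recorded change date.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backupsvc:x:1001:1001:Backup service:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
dbadmin:x:1002:1002:DB admin:/home/dbadmin:/bin/bash
"""
# shadow field 3 = days since 1970-01-01 of the last password change; empty = never set
SHADOW = """\
root:$6$abc:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$def:16380:0:90:7:::
backupsvc:$6$ghi::0:99999:7:::
toor:$6$jkl:16000:0:99999:7:::
dbadmin:$6$mno:16300:0:99999:7:::
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,backupsvc
wheel:x:10:dbadmin
"""
# Hypothetical: accounts the directory-driven tool already manages.
AD_MANAGED = {"root", "alice"}


def parse_passwd(text):
    """Map user -> uid."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users


def parse_shadow(text):
    """Map user -> days-since-epoch of last change, or None if unset/zero."""
    lastchg = {}
    for line in text.splitlines():
        if line:
            fields = line.split(":")
            days = fields[2]
            lastchg[fields[0]] = int(days) if days.isdigit() and int(days) > 0 else None
    return lastchg


def parse_group(text):
    """Map user -> set of groups that list the user as a member."""
    membership = {}
    for line in text.splitlines():
        if line:
            gname, _pw, _gid, members = line.split(":")
            for m in filter(None, members.split(",")):
                membership.setdefault(m, set()).add(gname)
    return membership


def privileged_accounts(users, membership):
    """uid 0, or membership in an admin group, marks an account as privileged."""
    priv = {}
    for name, uid in users.items():
        admin_groups = membership.get(name, set()) & ADMIN_GROUPS
        if uid == 0:
            priv[name] = "uid 0"
        elif admin_groups:
            priv[name] = "member of " + ",".join(sorted(admin_groups))
    return priv


def audit(passwd_text, shadow_text, group_text, managed, today, max_age_days=90):
    """One finding per privileged account: age, staleness and coverage status."""
    users = parse_passwd(passwd_text)
    lastchg = parse_shadow(shadow_text)
    membership = parse_group(group_text)
    today_days = (today - EPOCH).days
    findings = []
    for name, why in sorted(privileged_accounts(users, membership).items()):
        changed = lastchg.get(name)
        age = None if changed is None else today_days - changed
        findings.append({
            "user": name,
            "why": why,
            "age_days": age,
            # An unknown rotation date is treated as stale: you cannot prove otherwise.
            "stale": age is None or age > max_age_days,
            "managed": name in managed,   # False means a coverage gap
        })
    return findings


def run_sample():
    return audit(PASSWD, SHADOW, GROUP, AD_MANAGED, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        status = "STALE" if f["stale"] else "ok"
        gap = "" if f["managed"] else "  <- not in managed inventory"
        print(f"{f['user']:<10} {f['why']:<16} age={str(f['age_days']):<5} {status}{gap}")
```

Run against the sample, the report shows the two classes of problem the text describes: `root` is managed but has not been rotated in years, while `toor`, `backupsvc` and `dbadmin` are privileged on the host yet absent from the directory-driven inventory, so a tool that only enrolls from Active Directory would never rotate them.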
Session Management
If you have a solution for managing and distributing privileged access, it only makes sense to also facilitate, control and monitor what the user does on the asset through session management. Every password management vendor seems to take a different approach, so there are a few things to be aware of. First, find out whether the vendor offers native session management or relies on a partner product, which can mean more complexity and higher cost. If the vendor does offer native capabilities, are they included in the standard offering, or do they carry an extra charge?
Java Agents
While java in your coffee cup might ease headaches, session management that relies on Java agents can hand you a migraine. Java requires frequent security patches, and sometimes you will have to lower the browser's Java security settings just to get the applet to run, which widens your attack surface in the very tool meant to reduce it. Java agents can also hurt the user experience with clunky interfaces and performance problems that discourage end-user adoption.
Lack of Visibility
There is a reason it is hard to find analytics and reporting screenshots on many password management vendors' websites: what they offer can be pretty hazy. While evaluating solutions, examine the asset and password discovery and reporting capabilities to make sure there are no gaps in assessment. It should be easy to identify aging passwords, view password rotation schedules, and generate audit reports of password changes for compliance purposes. Also be wary of solutions that lack a foundational data warehouse for aggregating and correlating information over time. Make sure you can filter and drill down to home in on granular results for specific business and compliance needs.
Gaps between Vendors
It is common for an organization to rely on several vendors for different but related processes, such as password management, UNIX/Linux server privilege management, and least-privilege management for Windows servers and desktops, because many vendors claim their products work seamlessly alongside competitors' solutions. In practice, integrating products from multiple vendors is expensive and labor intensive, and it inevitably leaves gaps in asset and account coverage.
Human Gatekeepers
While the fundamental driver behind privileged password management is security, a solution that always requires an administrator to act as a gatekeeper for every request can hamper scalability and productivity, especially in emergencies. Look for policy-based approval that can grant routine or break-glass access automatically while still recording who checked out which credential and when.
I realize these words of caution will not ease all of your security headaches, but hopefully this list will help you rest a bit easier over the holiday season. Which of the tips above will be most useful to your organization?