InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity April 2009
Data Security

Privileged and Shared Account Management: Protecting Privileged Data

Regulations and standards such as PCI DSS, HIPAA and Sarbanes-Oxley impose strict controls on access to privileged data and on its availability. Privileged and shared account management software provides controlled and traceable access through delegation, policies, password checkouts and the other key features recommended in this article, to give sensitive corporate data the strongest possible protection.

According to analysts, the average cost of an internal security breach is US$2.7m, compared with US$50K for an external breach, and about 70 percent of breaches are internal. Protecting privileged account information is therefore critical to any enterprise. Privileged accounts such as "root" give access to information on many systems, ranging from salary data to credit card numbers or even sensitive defence data. These accounts are also commonly shared between several administrators, which removes traceability: the audit trail shows that "root" acted, not which person. Privileged and shared account management systems control access to this data and provide the traceability that regulations such as Sarbanes-Oxley and industry standards such as PCI DSS and FIPS demand of any corporation.

Two basic methods are used:

  • Delegation: Parts of the root privilege are delegated to other users through policies. Root functions are distributed among users who need only part of the privilege, where previously they would have been given complete root access. The delegation model also provides traceability: the log records which user exercised which root-like right, rather than simply "root".

  • Privileged password checkouts: The privileged password is stored in a vault and is checked out, by a user or programmatically, according to policy, used, and checked back in. This ties each action taken as root to the specific user who checked the password out.

Both methods can be governed by policies that restrict access by time (how long a checked-out privileged password remains valid), resource (which machines it may be used on) and scope (which parts of root access are available to whom).

With this context, it is important that the privileged and shared account management software a corporation buys has the most flexible and complete set of features. This article covers the different aspects of privileged and shared account management and recommends important features that any corporation, user or developer should consider in a product.

Important features to consider:

The features described below help ensure maximum security for privileged user accounts and the greatest benefit for the customer.

Compliance ability: PCI, FIPS, SOX, FERC, FISMA, HIPAA.
With the current set of laws and standards corporations must adhere to, such as Sarbanes-Oxley (SOX) or the credit card standard PCI DSS, compliance ability is one of the key features any privileged account management system needs, depending on the industry the product serves. It is achieved by ensuring the product provides appropriate audit logging and traceability. This can include keystroke logging and a risk-level classification of the commands run at privilege level, so that high-risk actions are logged and flagged separately from routine ones.

Choice of hardware appliance, soft appliance or non-appliance solution

A privileged access management solution can be delivered as an appliance or as a non-appliance (software) solution; some products require a "hardened" dedicated server for the latter. Another option is on-demand delivery of the software. Having all of these choices in a product is useful when selecting a solution. Appliances can be hardware appliances or soft/virtual appliances. VMware-based soft appliances are worth considering, since a pre-installed, pre-configured image is easy to provide and deploy; the image should nevertheless be hardened and patched like any other server that holds privileged credentials.

Primary and hot standby vaults

This is a must-have in a vault-based architecture for storing privileged account data. Vaults are essentially database stores from which privileged account passwords are checked out and into which they are checked back in. Failover and synchronisation between the primary and standby vaults should be available, and the standby vault must be protected to the same standard as the primary: the same encryption at rest, the same access controls, and an authenticated, encrypted replication channel, so that the standby does not become the easier copy to attack.

Dual control in both administrative and programmatic checkout

If your passwords are very sensitive, or a third party performs the administration, this is a feature to consider. It adds an extra layer of approval: a checkout request for a privileged password requires an additional authorisation, typically from a second authorised person, before the password is released. This should be available both for administrative checkout, where an administrator authenticates to the privileged management system and obtains access, and for programmatic checkout, where the request comes from a script.

Multi-factor authentication

Given the sensitivity of the passwords, two-factor authentication such as one-time passwords (OTPs) or smart cards should be considered at several points: at checkout and again at use, to ensure that the person using the account is actually the person who was authorised to check it out. This adds further value to the dual control mechanism.

Password caching

An enterprise will have applications that require high availability, and this can call for a password caching mechanism at points in the distributed network. This is a feature to consider for large deployments where a network outage could otherwise cut an application off from the vault. The cache should hold only the credentials the local node is entitled to, encrypted at rest and with a short expiry, so that an outage does not turn every caching node into an unprotected copy of the vault.

Exclusive option for changing passwords

Password changes can be triggered at a fixed interval, on demand, or a set time after checkout. The method to consider as the most secure is the exclusive one, which works like a mutual-exclusion lock: once a system administrator has checked out a password, no other administrator can check it out until it is checked back in. On very high-risk target machines this hard-couples the administrator to the password and the machine for the duration of the checkout. The lock should expire with the checkout and the password should be changed on check-in, so that a forgotten checkout neither blocks access indefinitely nor leaves a revealed password valid.

VCR-like playback

This is a valuable addition to the usual logging: a recording of the privileged session that can be played back like a VCR tape, with forward, rewind and pause, so that an auditor sees the commands and their output in sequence instead of reconstructing them from individual log lines. It is an essential component of traceability. Note that recordings contain the same sensitive content as the sessions themselves and need the same access control and retention policy as the vault.

Strong integration with provisioning and auditing systems

Integration with provisioning systems is the key to ensuring that rights are assigned and removed as required. A privileged access product should integrate through options such as a command line interface utility or connectors, and its APIs should be simple and give straightforward access to the IDs and passwords held on the server; this also matters for programmatic checkout. Look for integration with LDAP and Active Directory as well. Equally important is the right integration with auditing systems, so that the audit logs are available where they are needed.

SOAP interface and SSH remote execution capabilities

Consider these if you use programmatic retrieval. A SOAP interface lets any platform with an HTTP stack and a SOAP library (Java among them) retrieve privileged account passwords, which significantly increases platform coverage. Retrieval over SSH is another key feature to look for in a privileged account management solution: SSH encrypts and authenticates the connection from client to destination and is readily available on most platforms. In either case the retrieving client must itself authenticate to the vault with something stronger than a password embedded in a script, such as a client certificate or an SSH key, otherwise programmatic checkout simply moves the secret into the script.

Auto-discovery

In a large, distributed enterprise there will be many services and machines that reference the administrator and domain accounts. A key feature of a privileged account management solution is the ability to discover automatically which systems and services do so, and to update the credentials on all of them at the same time, so that a password change does not break a service that was still using the old value.

Broad platform support for password reset

In any enterprise deployment a large number of systems will need password reset and privileged account management support. Consider products that cover a broad range: UNIX, Windows, Linux, AS/400, Microsoft Access and SQL Server, databases such as Sybase and Oracle, firewalls such as Juniper and Cisco, routers, and directory integration with LDAP and Active Directory. In addition, whether you pick the appliance or the non-appliance solution, the software itself should allow installation on your choice of Windows or Linux.

Delegation

This feature allows a subset of commands to be made available to different administrators. It is typically implemented with a wrapper execution command, in the style of sudo on UNIX: the wrapper is run with the required administrative command and permits its execution based on the privilege associated with the caller. The policy should allow-list exact commands with absolute paths and constrained arguments; a rule that allows a shell, an editor or any command that can spawn one effectively grants full root.
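The delegation model described above (and under "Delegation" at the start of the article) can be illustrated with a small policy-checked wrapper. This is an added example written for this page, not code from the article or from any product; the POLICY format, the host patterns, the user names and the command paths are constructed assumptions.

```python
"""Delegated execution of a subset of privileged commands through a wrapper, in
the same spirit as sudo: the wrapper checks the caller's policy, writes an audit
record, and only then executes the command without a shell.

Added illustrative example, not code from the article or any product; the POLICY
format, host patterns and command paths are constructed assumptions.
"""
import fnmatch
import subprocess
from datetime import datetime, timezone
from typing import Optional

# user -> rules of (host pattern, required argv prefix, permitted extra arguments).
# An extra-arguments value of None means any extra arguments are allowed.
POLICY = {
    "alice": [("web*", ["/sbin/service", "httpd"], {"status", "restart"}),
              ("*",    ["/bin/echo"], None)],
    "bob":   [("db*",  ["/usr/bin/pg_ctl", "reload"], set())],
}

AUDIT = []   # who / what / when / where, plus the decision


def authorize(user: str, host: str, argv: list) -> Optional[tuple]:
    """Return the matching rule, or None.

    argv[0] must be an absolute path so the caller cannot substitute a binary
    via PATH, and every argument beyond the rule's prefix must be permitted.
    """
    if not argv or not argv[0].startswith("/"):
        return None
    for host_pat, prefix, extra in POLICY.get(user, []):
        if not fnmatch.fnmatchcase(host, host_pat):
            continue
        if argv[:len(prefix)] != prefix:
            continue
        rest = argv[len(prefix):]
        if extra is None or all(a in extra for a in rest):
            return (host_pat, prefix, extra)
    return None


def run_delegated(user: str, host: str, argv: list) -> int:
    """Log the decision, then execute only if authorised. Returns the exit status."""
    rule = authorize(user, host, argv)
    AUDIT.append({"when": datetime.now(timezone.utc).isoformat(), "who": user,
                  "where": host, "what": " ".join(argv),
                  "decision": "allow" if rule else "deny"})
    if rule is None:
        raise PermissionError(f"{user} may not run {argv!r} on {host}")
    # shell=False: argv goes straight to exec, so ';' or '&&' inside an argument
    # is plain text for the program, not a second command for a shell.
    return subprocess.run(argv, shell=False).returncode


if __name__ == "__main__":
    print(run_delegated("alice", "web01", ["/bin/echo", "delegated hello"]))
    try:
        run_delegated("alice", "web01", ["/sbin/service", "httpd", "stop"])
    except PermissionError as e:
        print("denied:", e)
    for rec in AUDIT:
        print(rec)
```

The two things that make the wrapper safe are the exact-argument allow-list and the absence of a shell: alice may restart httpd on web hosts but not stop it, bob may reload PostgreSQL only on database hosts, and an argument such as `x; rm -rf /` passed to echo is delivered to echo as one string rather than interpreted.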

AES-256 encryption and secure browser-based remote access

To let administrators check out privileged passwords, or use features such as dual control and auditing, the product should offer secure browser-based access to the credential vault or store. That access must run over TLS (HTTPS) negotiated with strong ciphers such as AES-256, and the vault contents themselves should be encrypted at rest with AES-256 or a comparably strong algorithm; both should be considered for any privileged account management solution.

Usage controls by various factors

Look for usage controls based on a variety of factors: a time period for access after which it is revoked, a maximum number of logins, or, for shift workers, restriction to a specific shift period. This is especially important because these passwords are needed across a distributed environment.
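The checkout model described in this article (the policy-governed password checkout, dual control, the exclusive check-out lock and the usage controls above) can be shown together in one worked example. This is an added example written for this page, not code from the article or from any vendor's product; the Vault, Policy and Request classes, their field names, the sample account "root@db01" and the user names are assumptions constructed for illustration.

```python
"""Policy-driven privileged password checkout with dual control, usage controls
and an exclusive (mutual-exclusion) checkout lock.

Added illustrative example, not code from the article or any vendor; the
classes, field names and sample data are constructed assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class Policy:
    hosts: frozenset             # resource scope: machines the password may be used on
    approvers: frozenset         # users who may give the second approval (dual control)
    validity: timedelta          # how long a checkout stays valid
    shift_start: time            # usage window for shift users
    shift_end: time
    max_checkouts_per_day: int   # maximum logins per user per day
    exclusive: bool = True       # only one administrator may hold the password at a time


@dataclass
class Account:
    password: str
    policy: Policy
    checked_out_by: Optional[str] = None
    expires_at: Optional[datetime] = None


@dataclass
class Request:
    user: str                          # who
    host: str                          # where
    reason: str                        # why
    approved_by: Optional[str] = None  # second person, for dual control


class FixedClock:
    """Injected clock so the time-based checks run deterministically."""
    def __init__(self, now: datetime):
        self.now = now

    def __call__(self) -> datetime:
        return self.now


class Vault:
    def __init__(self, clock):
        self.clock = clock
        self.accounts = {}
        self.audit = []     # who / what / when / where / why and the decision
        self.counts = {}    # (user, account, date) -> checkouts granted today

    def add(self, name: str, password: str, policy: Policy) -> None:
        self.accounts[name] = Account(password, policy)

    def _log(self, decision: str, name: str, req: Request, detail: str = "") -> None:
        self.audit.append({"when": self.clock().isoformat(), "who": req.user, "what": name,
                           "where": req.host, "why": req.reason,
                           "decision": decision, "detail": detail})

    def _deny(self, name: str, req: Request, why: str):
        self._log("deny", name, req, why)
        raise PermissionError(why)

    def checkout(self, name: str, req: Request) -> str:
        """Return the password only if every policy check passes; log either way."""
        now = self.clock()
        acct = self.accounts[name]
        pol = acct.policy
        if req.host not in pol.hosts:                                    # resource scope
            self._deny(name, req, "host not in scope")
        if not (pol.shift_start <= now.time() < pol.shift_end):          # shift window
            self._deny(name, req, "outside permitted shift")
        key = (req.user, name, now.date())
        if self.counts.get(key, 0) >= pol.max_checkouts_per_day:         # max logins
            self._deny(name, req, "daily checkout limit reached")
        if (req.approved_by is None or req.approved_by == req.user        # dual control
                or req.approved_by not in pol.approvers):
            self._deny(name, req, "dual control: independent second approver required")
        held = acct.checked_out_by
        if pol.exclusive and held and held != req.user and acct.expires_at > now:
            self._deny(name, req, f"exclusively checked out by {held}")  # mutex lock
        acct.checked_out_by, acct.expires_at = req.user, now + pol.validity
        self.counts[key] = self.counts.get(key, 0) + 1
        self._log("grant", name, req, f"approved by {req.approved_by}")
        return acct.password

    def checkin(self, name: str, user: str) -> None:
        """Release the lock and rotate, so the revealed password stops working."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError("not the current holder")
        acct.checked_out_by, acct.expires_at = None, None
        acct.password = secrets.token_urlsafe(24)  # a real vault also pushes this to the target
        self.audit.append({"when": self.clock().isoformat(), "who": user, "what": name,
                           "decision": "checkin+rotate"})


def build_demo_vault(clock=None) -> Vault:
    """Constructed sample data: one shared root account on db01 with a day-shift policy."""
    vault = Vault(clock or FixedClock(datetime(2009, 4, 1, 10, 0)))
    policy = Policy(hosts=frozenset({"db01"}), approvers=frozenset({"bob", "dave"}),
                    validity=timedelta(hours=2), shift_start=time(8, 0),
                    shift_end=time(18, 0), max_checkouts_per_day=2)
    vault.add("root@db01", "initial-secret", policy)
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    print(v.checkout("root@db01", Request("alice", "db01", "apply patch", approved_by="bob")))
    try:
        v.checkout("root@db01", Request("carol", "db01", "backup", approved_by="dave"))
    except PermissionError as e:
        print("denied:", e)
    v.checkin("root@db01", "alice")
    for entry in v.audit:
        print(entry)
```

Every denial is logged with the same who/what/when/where/why fields as a grant, which is what makes the audit trail useful for compliance: the log shows not only who used root, but who tried to and was refused, and why. The exclusive lock is bounded by the checkout validity, so an administrator who forgets to check in cannot block access for good.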

Login confirmation after password reset

Because a password change is such a critical action, consider a product that verifies the change succeeded by logging in to the target platform with the new password before writing it to the repository; otherwise a reset that silently failed leaves the repository holding a password that no longer works. Alerting on failures, by email or through network mechanisms such as SNMP traps, is also worth considering.

Random administrator passwords

To strengthen the administrator password and ensure it is unique, consider a product that generates a random password for the local administrator account of every system, so that a password recovered from one machine is useless on every other. These passwords are then obtained by manual or programmatic checkout through the web interface. The randomness of the passwords further increases the strength of the privileged account management system.
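The two features above, a random per-system administrator password and a login check before the new value is committed, fit naturally into one rotation routine. The following is an added example written for this page, not code from the article or from any product: the SimulatedTarget class stands in for a real host connector, the dictionary stands in for the vault, and the alert format and the host names are constructed assumptions. It also exercises two failure modes the article's verification step exists to catch.

```python
"""Rotate a local administrator password to a random value and commit it to the
repository only after a login with the new value succeeds.

Added illustrative example, not code from the article or any product; the
target, repository and alert shapes are constructed assumptions.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Cryptographically random password containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


class SimulatedTarget:
    """Stand-in for a managed host. `behaviour` models three reset outcomes:
    'ok' applies the change, 'ignored' silently keeps the old password (e.g. a
    local complexity rule rejected the new one), 'corrupt' leaves the account
    with a value that is neither the old nor the new password."""
    def __init__(self, host: str, password: str, behaviour: str = "ok"):
        self.host, self._password, self.behaviour = host, password, behaviour

    def set_password(self, new: str) -> None:
        if self.behaviour == "ok":
            self._password = new
        elif self.behaviour == "corrupt":
            self._password = "<<unknown>>"

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)


def rotate(target: SimulatedTarget, repo: dict, alerts: list, length: int = 20) -> bool:
    """Change the target's password; write to the repository only after verification.

    Returns True on verified success. On failure the repository keeps the old
    value and an alert (email or SNMP trap in a real deployment) is queued.
    """
    old = repo[target.host]
    new = generate_password(length)
    target.set_password(new)
    if target.login(new):
        repo[target.host] = new          # verified: commit the new credential
        return True
    # The reset did not take effect; find out whether we still have working access.
    if target.login(old):
        alerts.append({"host": target.host, "severity": "warning",
                       "msg": "password change not applied; old credential still valid"})
    else:
        alerts.append({"host": target.host, "severity": "critical",
                       "msg": "neither old nor new password works; manual recovery needed"})
    return False


def demo() -> dict:
    """Constructed sample: three hosts, one per reset outcome."""
    repo = {"web01": "Old-pass-1", "web02": "Old-pass-2", "web03": "Old-pass-3"}
    alerts, results = [], {}
    for host, behaviour in (("web01", "ok"), ("web02", "ignored"), ("web03", "corrupt")):
        results[host] = rotate(SimulatedTarget(host, repo[host], behaviour), repo, alerts)
    return {"results": results, "repo": repo, "alerts": alerts}


if __name__ == "__main__":
    out = demo()
    print(out["results"])
    for alert in out["alerts"]:
        print(alert)
```

The ordering is the point: generate, apply, verify, and only then write, so that the repository never holds a credential that has not been proven to work. The alert severity distinguishes a reset that simply did not apply (the old password still works and the job can be retried) from one that has locked the vault out of the machine, which needs a person.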

Multiple options in terms of product type and support

A product that offers a smaller "minimal" edition, with additional "on demand" features or a separately installable upgrade, can help both deployment and cost. A basic edition might provide a repository for passwords and a secure way to share them, while a more advanced edition adds features such as password synchronisation, richer auditing, OTPs and different checkout modes.

For a system as high-impact as privileged administration, access to the right kind of support is key. Multi-tier support is recommended, and if you choose an appliance-based solution, a guaranteed fast replacement turnaround is recommended as well.

Pricing options

Flexible pricing can be a key factor in the decision to buy a privileged management solution. Pricing may be based on users, number of passwords, appliances, consoles, systems or accounts, and the right model depends on which of those grows fastest in your environment.

Temporary pool of generic accounts

Another option for increasing security is to maintain a pool of generic privileged accounts that are assigned temporarily to individual system administrators who must perform privileged work, and disabled or reset when the task is complete. Because each account is tied to one person while it is in use, this preserves the standard one-user-one-credential model, and it can be offered as an alternative for deployments that do not want a full vault.

Conclusion

Privileged user management and shared account management is one of the key areas of data security and will continue to grow. Delegation and vault-based privileged user management, governed by time and resource policies and backed by appropriate traceability and auditing, limit access to what is required and reduce both internal and external threats. The list of features above highlights the key aspects to keep in mind when designing or buying a privileged account management solution. Together these features protect privileged data better and answer the constant six-Ws question of "Who", "What", "When", "Why", "Which" and "Where", moving you and your enterprise towards success.

Related Reading and References

  • [Ref 1] "Keep Out, This Means You – Admin", Network World, April 28, 2008, Volume 25, Number 17

  • [Ref 2] Mark Diodati, "Privileged Account Management: Addressing the Seedy Underbelly of Identity", Burton Group, September 27, 2007

  • [Ref 3] Keith Franz, "The Privileged Account Management Debate", 2008

  • [Ref 4] "Resolving the Privilege Management Paradox: Quest Solutions for Strong Access Control", EMA white paper, June 2008

  • [Ref 5] David Miles, "Privileged Account Management. Learn How to Secure Your Assets and Control Your Costs", Quest Software

  • [Ref 6] "Market Overview: Shared-Account/Software-Account Password Management Tools", Gartner, April 9, 2008

  • [Ref 7] SC Magazine reviews of Shared Account Management products

Acronym   Expanded form

AD        Active Directory
API       Application Programming Interface
CLI       Command Line Interface
FERC      Federal Energy Regulatory Commission
FIPS      Federal Information Processing Standard
FISMA     Federal Information Security Management Act
HIPAA     Health Insurance Portability and Accountability Act
HPAM      High Privilege Account Management
HTTP      Hypertext Transfer Protocol
OSM       Open System Management
PAM       Privileged Access Management
PAR       Password Auto-Repository
PCI       Payment Card Industry
SAPM      Shared Account Password Management
SOAP      Simple Object Access Protocol
SOX       Sarbanes-Oxley
SSH       Secure Shell
TCP/IP    Transmission Control Protocol / Internet Protocol
VM        Virtual Machine

—By: Debashis Banerjee, Security Software Development Manager, Novell Software Development.



© 2006-07 'InfoSecurity' magazine. All rights reserved.