Privileged Access Management FAQs

Find answers to the most frequently asked questions on Privileged Access Management grouped by categories:

General overview

Q: What are the compelling business cases that customers are making for adopting automated password solutions?

A: One of the key decisions to pursue an automated password solution is being driven by compliance concerns and their auditors’ interpretation of those requirements. So the decision is really being made for them. We do see business cases that define the scope of the project, how extensively are we going to deploy this technology; who is it going to touch; is it going into our end user community, is it more focusing on the privileged access management space? Where the business justification comes in is: How broadly or how extensively are we going to be deploying this type of technology?

Q: Privilege password management won't prevent a programmer from adding a logic bomb into code to which they may have access. How do you get around that?

A: Beyond Administrator privilege password management, Password Authority includes "application-to-application" (A2A) security techniques to prevent this problem. Password Authority delivers strong authentication of an unattended application at run-time with integrity checks to ensure against tampering attacks.

The authentication of the application/program/script includes extensive validation against registration information including;

file storage location
file execution location
executing user id
machine fingerprint
file integrity checks

Once authorized the returned ID/password is payload encrypted and session encrypted. Given that a policy mapping must exist to allow an application to gain access to a target system password it is very easy to prevent a logic bomb attack. With password automation it is possible to maintain unique passwords for every server, application and device with frequent/regular password changes. This also helps to prevent developers or administrators from having unmonitored access to production systems.

Q. What can an enterprise do to monitor and prevent insider attacks?

A. This requires both technology and policy. The technology can be leveraged to implement lowest level of privilege, delegated access, strong authentication, rights management, security event management monitoring, reporting, and more. Policies need to be in place to control the behavior of the organization, perform the hiring diligence, to enforce the recertification of permissions, to process the exits, to respond to incidents.

Q. Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?

A. There can be many reasons for this; It may be that the employee actually took the data with them before leaving the organization, perhaps on disc or USB token. Many other studies have reported that employees do not necessarily understand that just because they have access to the data that they don't actually have the rights to copy it.

It may be that an employee, especially administrative employees, have remote/VPN access to their employers networks in order to perform administrative tasks after hours from home and that these mechanisms were not disabled synchronously with their departure from the organization.

It may be that a former employee is leveraging the sympathies of a remaining employee, as a social engineering attack, to gain access to the data.

Or it may be that the employee maliciously created new, unauthorized entry points to their networks, see the Terry Childs case in the City of San Francisco.

Q: What are the biggest business benefits that your customers are achieving through automating password management?

A: Security is an enabler for automation. Our customers attest that automation introduces an additional element to security -- in that if you can start to effectively and frequently change passwords and only release them to humans or applications on demand or at run time, you’re increasing your security measures.

By doing this, you’ve removed knowledge of these critical passwords in your environment, which is a significant component of security in your overall environment. In addition, the cost benefits associated with automation is compelling. Consider the number of these types of accounts that are on a network - privileged accounts either embedded inside of applications and scripts or those used by human administrators, our customers are learning that they have exponentially more of these types of accounts on a network than there are end user passwords.

So if an organization is using manual practices to change these passwords on a frequent or regular basis as demanded by their auditors, there are significant costs associated with doing so, and there’s potentially outages that may occur on particular systems or applications which are simply not acceptable from the business perspective.

Automation is quick, ensures business continuity and doesn’t interfere with the day-to-day running of a business.

Q. Why should data center/IT managers be concerned about access management in light of the current rate of layoffs/job cuts, etc?

A: Access Management controls are akin to the lock on the front door of the house. Most former employees are "good" by nature but it has been proven that with minimal controls and a sense of impunity even good employees will do bad things. Access management is far easier to implement and maintain than complex encryption and key management systems or rights management systems.

Q. What can data center/IT managers do to make sure they have access management under control in their enterprises?

A. Access management is not a one-time task, it is an ongoing management effort that can be aided by many automation tools/utilities to simplify efforts, enhance efficiency, improve coverage and enable least level of privilege while allowing administrators/users to perform their tasks. Recertification is a relatively new initiative to review on a regular basis the rights/permissions assigned to a user or role. It is recommended that organizations of all sizes begin to recertify the permissions assigned to their users and administrators.

Q: In light of the global economic turmoil, what are the top threats facing enterprises?

A: The current economic turmoil is already showing us what can happen to an organizations’ data when proper security measures are not in place LINK TO BREACHES PAGE. Open any newspaper on any given day, and you’ll see articles reporting datacenters being compromised around the globe. Downsizing, restructuring, mergers & acquisitions can all leave security gaps in which disgruntled employees, contractors or creative hackers can steal information or compromise systems. Now more than ever it’s important that companies have a strong, effective password management system in place to block the insider threat.

Healthcare focused

Q. In your estimation, how will Electronic Health Records (EHR)s affect data centers in terms of compliance and regulations?

A. In the past the regulations have been very much about the "what and why" not the "how". We are seeing the NIST specifications becoming far more prescriptive on the topic of "how" to address the security issue. I suspect that much of the input for the "how" is coming from organizations that are concerned with storing critical information like health records, or financial records. Datacenters will be held to the higher standard for security and privacy as published by HIPAA as they choose to move to EHR systems.

Q. What kind of cost considerations will data centers face as EHRs grow increasingly popular? What investments will they need to make to ensure compatibility with EHR-related efforts?

A. Datacenters that store EHR information will also be responsible for the costs of the regular HIPAA audits and the costs of any found exceptions needing remediation. These organizations should be looking to the EHR vendor solutions to provide as much of their HIPAA needs as possible as it relates to protecting the data.

Cloud/virtualization focused

Q. Enterprises have already invested in virtualization and consolidation efforts; how does password management work with that? What about security?

A: The cloud as we know it today is, in its simplest description, a hosted service offering of low-cost, virtual instances of common platforms and applications to be leveraged by a broad range of organizations seeking to achieve economies of scale, reliable continuity of operations, access to environments without the capital costs, reductions in operational costs of maintaining large datacenters and staffing, and more. Many organizations have started their virtualization efforts and this work will tie in nicely to the packaging and deployment needs for operating in the cloud.

What is different though is that while most virtualization planning has been done around owned equipment. The cloud now removes the physical security of the organization and places the applications and data into the "public" cloudspace. Applications will face an entirely new set of security challenges while operating in the cloud. The cloud will need to offer tools to help applications ensure the integrity of the operating environment as well as for the applications themselves. As the deploying organization may or may not know where one of their applications is running today how can they be assured of the logical partitioning of their application logic and data from the applications and data of others?

How quickly can an organization re-deploy an application in the event that they detect malicious behavior. What tools will exist to monitor the runtime characteristics of their application in order to detect timing-based debugging attacks. These and many more issues have likely not been well thought through by any Enterprise looking to leverage the cloud.

Q. What kinds of opportunities exist for an enterprise to share applications and data in the cloud?

A. The same that exist today. The cloud is a deployment and operating environment that may simplify some of the technical effort of sharing, but the real challenge remains the business and legal efforts and arrangements for the sharing of these applications and data. The cloud may afford organizations to break out of their current IT paradigm enough to recognize that there is, in fact, an opportunity to share much more so than they can today.

Q. Are virtual servers more secure, less secure? Are there compatibility problems?

A. Originally driven by the potential cost reductions to be gained through server consolidation virtual computing has come to realize additional benefits over the past few years of proven deployments.

The ability to improve the continuity and rapid resumption of operations Improve local availability of services
Realize cost savings through the reduction in the number of physical devices
Reduced power consumption in the datacenter
Minimize the skill-set needed to support diverse hardware and operating systems
Rapidly support the deployment of thousands of virtual machines with the same (or reduced) administrative staffing, and more.

Operating in a virtual environment raises many new security and management challenges. Security affords the opportunity to automate many of the mundane tasks and activities associated with deploying a virtual infrastructure and the applications that operate within it. Implementing the appropriate controls for access in a virtual environment can become complex very quickly and these controls must now also consider the start/stop or snapshot nature of virtual machines and the potential impacts on the currency of access credentials when under management.

Organizations have to be aware of the challenges of machine, device, operating system and application authentication and authorization especially when under audit or regulatory pressure to maintain the correct level of access, manage change effectively by provisioning and deprovision users and log and report all activity in a virtual environment.

Federal focused

Q. Do you think government agencies do a good job of preventing insider threat?

A. The low number of reported incidents of this nature suggests that government agencies are doing a good job of preventing insider threat. What we don't know is how many of these events remain undetected or are not reported. Part of the challenge of preventing insider threat is in not restricting access to information to such an extent that people are not able to do their jobs.

Q. Is the insider threat a real problem to worry about or does the government have more pressing issues to worry about with respect to cybercrime?

A. The insider threat is a big problem and the facts are that it is not going away, it is getting larger, and it is becoming far more visible. This does not however diminish the need to continue the focus on cybercrime from the external threat.

Q. What can agencies do to monitor and prevent these insider attacks?

A. This requires both technology and policy. The technology can be leveraged to implement lowest level of privilege, delegated access, strong authentication, rights management, security event management monitoring, reporting, and more. The policies need to be in place to control the behavior of the organization, perform the hiring diligence, to enforce the recertification of permissions, to process the exits, to respond to incidents.

Q. What can be done to prevent insider threats?

A. Intensively monitor and manage access to critical information assets in all facets of the organization with proactive warning systems, to circumvent critical incidents and limit exposure to agency credentials and vital information. In addition, keep policy-driven, easily implemented solutions in place to protect the data from those few malicious insiders. Another good policy is to adopt best security practices, following national security guidelines that pay specific attention to trusted insiders

Q. The push for advances in health information technology has increased significantly as of late. However, the EHR trend continues to be scrutinized as a huge security and privacy threat. And for those data centers that are (or will be) handling EHRs, what should they be keeping in mind in terms of preventing potential security and/or privacy problems?

A: As with any system that collects data it must be properly planned, designed, deployed, managed and maintained. With this in mind an EHR system should be no less secure than any other system. What makes an EHR different is that it is collecting very personal information so the scrutiny over the security of the system is just that much more interesting to everyone. Privacy is a significant issue because it relates to the policies and behaviors for the handling of the data and so is subject to the threats of social engineering. Organizations will have to complete their threat/risk analysis and weigh the results against the potential efficiency gains and cost reductions. Datacenters hosting EHR data must continue to pursue best practice efforts as they understand them today, but must also look inside their own organizations for potential threats. The "Trusted Insider" can no longer be an accepted role within an organization concerned with protecting PHI. Over 50% of the tried cases on the DOJ fraud site involve insiders.