Privileged Credentials – The Human Factor

Pete Greenwood, Senior IAM Consultant, SecureITsource, Inc.

In today’s IT security threat landscape, it would appear that no human, business, or public entity is truly safe from a potential breach. Data breaches have become such a commonplace event that every organization is susceptible to being the next casualty. While there are many ways that an organization’s sensitive data can end up being exfiltrated, the latest Verizon Data Breach Investigation Report (Verizon DBIR) confirmed that 63% of the data breaches studied involved weak, default, or stolen passwords. Furthermore, access and authentication technologies continue to top IT security spending (SANS: IT Security Spending Trends), and that spending is projected to top $81 billion in 2016, an increase of 7.9 percent over 2015, according to the latest forecast from Gartner research (Gartner). While we in the IT security field continue to wait for an authentication method impervious to threat vectors, the ever-present human variable built into the username and password authentication model remains an exploitable facet of an organization’s security posture.

Single sign-on (SSO) and federated identity management (FIM) technologies allow most business end-users to use one set of credentials to log into multiple systems and services. However, the same isn’t always true for SysAdmins and IT personnel. They often hold the keys to an enterprise’s critical systems and valuable assets in the form of shared administrative accounts. When the management of these crucial accounts is left to humans, there is an inherent risk that would otherwise be mitigated if the credential were passed to the target transparently, without the operator ever knowing the password. The crown jewel for any credential thief is a privileged account, and securing those accounts without adversely affecting productivity can be a delicate balance.

Eliminating the human element from privileged account management can immediately make an organization more secure. The CyberArk Privileged Account Security (PAS) suite of products is built on the Enterprise Password Vault (EPV) secure storage solution and expanded with additional modules that provide more functionality. One of the most compelling modules is the Privileged Session Manager, or PSM. The PSM solution covers one of the most widely adopted use cases in enterprise IT: remote server administration.

CyberArk states that PSM will “Isolate, monitor and control privileged sessions to reduce the threat surface, rapidly detect and respond to suspicious activity, and demonstrate compliance.” The PSM solution accomplishes this in a variety of ways, but at a high level a typical scenario would be a SysAdmin logging into CyberArk with their own userID (usually a Windows Active Directory credential) to perform administration on a server that requires a shared administrative account. These shared administrative accounts have long created audit nightmares, because by themselves they cannot show who is behind the keyboard during the session. However, when a user launches a PSM session, a tamper-proof audit trail is created that is tied directly to the user who started the session, even though they are using a shared credential. The session is recorded in a DVR fashion and securely stored in the vault. The session can be monitored live by an analyst, and if suspicious activity is observed, the session can be immediately terminated.
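To make the pattern concrete, here is a small Python model of the session-broker idea described above: a named user asks for a session on a shared administrative account, the broker passes the vaulted password straight to the target so the operator never sees it, every action is written to a hash-chained audit log bound to the named user, and an analyst can terminate the session. This is an added illustration written for this article, not CyberArk’s code or the author’s; the vault contents, account names, hostnames and the `SessionBroker` API are all constructed for the example.

```python
"""Illustrative session-broker model (constructed example, not CyberArk code).

Shows: the operator never receives the shared account's password, the audit
trail names the individual behind a shared account, edits to the trail are
detectable, and a live observer can terminate the session.
"""
import hashlib
import json
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Constructed stand-in for the password vault: shared account -> password.
VAULT: Dict[str, str] = {"dbadmin@db01.example.internal": "constructed-password-1"}
# Constructed stand-in for the credential each target server actually accepts.
TARGET_CREDS: Dict[str, str] = dict(VAULT)


@dataclass
class Session:
    session_id: str
    named_user: str       # the individual who authenticated (e.g. an AD user)
    shared_account: str   # the privileged account used on the target
    active: bool = True
    recording: List[str] = field(default_factory=list)  # DVR-style record


class SessionBroker:
    """Brokers privileged sessions and keeps a hash-chained audit log."""

    GENESIS = "0" * 64

    def __init__(self, vault: Dict[str, str]):
        self._vault = vault
        self.sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []
        self._last_hash = self.GENESIS

    def _log(self, event: str, **fields) -> None:
        # Each entry commits to the previous entry's hash, so a change to or
        # removal of any earlier entry breaks the chain on verification.
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "prev": self._last_hash, **fields}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._last_hash = entry["hash"]
        self.audit.append(entry)

    def open_session(self, named_user: str, shared_account: str) -> Session:
        if shared_account not in self._vault:
            raise KeyError(f"account not in vault: {shared_account}")
        # The password travels vault -> target only; the Session object handed
        # back to the user never carries it.
        if TARGET_CREDS.get(shared_account) != self._vault[shared_account]:
            self._log("login_failed", user=named_user, account=shared_account)
            raise PermissionError("target rejected the vaulted credential")
        s = Session(secrets.token_hex(8), named_user, shared_account)
        self.sessions[s.session_id] = s
        self._log("session_open", session=s.session_id,
                  user=named_user, account=shared_account)
        return s

    def run(self, session_id: str, command: str) -> None:
        s = self.sessions[session_id]
        if not s.active:
            raise RuntimeError("session is terminated")
        s.recording.append(command)
        self._log("command", session=session_id, user=s.named_user, cmd=command)

    def terminate(self, session_id: str, by: str, reason: str) -> None:
        s = self.sessions[session_id]
        s.active = False
        self._log("session_terminated", session=session_id,
                  user=s.named_user, by=by, reason=reason)

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited or deleted entry makes this False."""
        prev = self.GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def who_used(broker: SessionBroker, shared_account: str) -> List[str]:
    """The question a shared account alone cannot answer: who was at the keyboard?"""
    return sorted({e["user"] for e in broker.audit
                   if e["event"] == "session_open" and e.get("account") == shared_account})


def demo() -> dict:
    acct = "dbadmin@db01.example.internal"
    b = SessionBroker(VAULT)
    s = b.open_session("jdoe@corp.example", acct)
    b.run(s.session_id, "show databases")
    b.run(s.session_id, "drop database prod")  # an analyst watching live steps in
    b.terminate(s.session_id, by="soc-analyst", reason="suspicious activity")
    users = who_used(b, acct)
    intact_before = b.verify_audit()
    b.audit[1]["user"] = "someone-else"  # simulate tampering with the stored trail
    return {"users": users, "intact_before": intact_before,
            "intact_after_edit": b.verify_audit(), "session_active": s.active,
            "secret_exposed": any(VAULT[acct] in str(v) for v in vars(s).values())}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation of concerns: the vault holds the secret, the broker is the only component that ever handles it, and the audit record answers “who” even though the target only ever saw the shared account. A real deployment would also protect the log’s head hash (for example by anchoring it outside the broker), since a chain alone only detects edits made without recomputing every later entry.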

While the value-add to an enterprise security tower is evident, the operational overhead is something that can easily be overlooked. CyberArk is beautifully complex and an extremely powerful tool, but can also create a single point of failure if not configured with automatic failover or HA clustering. Having deployed and managed this product in large production environments I can attest to the importance of sound policy, strategic design, strong documentation, and an operations plan with leadership buy-in. Adopting CyberArk PAS is a “land and expand” proposition, and mistakes made in the early stages of deployment can hinder future expansions if an SME is not engaged.

Ultimately, taking the human element out of PAM is one of the single most impactful decisions an enterprise can make, and when done right, it can go a long way toward securing an organization’s most valuable assets.

SecureITsource is an authorized reseller and professional services partner with CyberArk. Our team of experienced CyberArk engineers helps our clients achieve their privileged account security goals by providing strategy, design, and engineering expertise.