IT Management Research, Industry Analysis, and Consulting 
From Trust to Process: Closing the Risk Gap in Privileged Access Control
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for Symark
November 2008
 
©2008 Enterprise Management Associates, Inc. All Rights Reserved.
Executive Summary 
High-privilege administrative accounts hold the keys to the most sensitive IT functionality and information resources—yet paradoxically, this level of access is far too often based on little more than trust alone. Membership in a root or administrative user group is often the sole basis for access to the heart of IT itself—but these accounts are typically shared and may afford little visibility into the specific actions of any one privileged user. Despite these risks, high-privilege access has been implicated in episodes such as the subversion of large numbers of business systems and manipulated trading information at major financial services and health care enterprises. Abuse of access privileges has also factored into the corporate governance scandals of recent years, suggesting the role it may yet play in the outcomes of the present worldwide economic crisis.

In the view of Enterprise Management Associates (EMA), solving the paradox of high-privilege access based on blind trust requires processes that afford control over who can access what resources under which conditions, with visibility into activity that demonstrates the integrity of dedicated professionals while protecting the enterprise. A disciplined, process approach to IT management has been demonstrated in EMA research to yield benefits in controlling a wide range of risks. In EMA analysts' view, it is high time this same level of maturity was brought to bear on the most sensitive processes of all: those that govern IT itself, and the business-critical information on which the enterprise lives.

In this paper, EMA examines these issues in light of the Symark approach to helping businesses move from weak, trust-based privileged access, to stronger, more mature processes for managing privilege risks. Symark PowerKeeper offers workflow for integrating more effective control over high-privilege access. Symark PowerBroker applies this discipline with finely grained policy control over root-level access for UNIX and Linux platforms, while Symark PowerADvantage helps integrate these privilege process controls across multiple environments in today's heterogeneous enterprise. Executives, security managers and IT administrators alike will gain a greater appreciation for how these products return confidence in privilege risk management to the business, helping it move from trust to a secure, auditable process in implementing a higher standard of control.

The Risky Proposition of Trust-based Privileged Access
Historically, the foundation of IT systems management has been built on the concept of the administrator. Whether root on a UNIX or Linux system, a Windows administrator, or a DBA, the administrative role wields the power to configure virtually every aspect of system functionality. When the resource in question has a bearing on the business itself, this calls for a high degree of confidence in those given administrative privilege. Typically, this confidence is justified in diligent, technically capable professionals who exhibit high integrity in their work. Regardless, however, the fact that the enterprise places so much capability in the hands of a few highly skilled individuals must be examined in light of what that means to the business.