Managing privileged accounts
Securing, managing and governing superusers

1 For a deeper discussion of privileged account management, read the e-book Identity and Access Management for the Real World: Privileged Account Management.
What goes into PAM?
PAM goes by a variety of names, including privileged identity management (PIM) and privileged identity and access management (PIAM). By whichever name, here are several of the most common ways of managing privileged accounts:

Unix root delegation: This widely used approach overcomes the all-or-nothing nature of the Unix/Linux root account by allowing an administrator to delegate to certain users the right to run certain commands.

Credential vault or safe: This newer approach eliminates the sharing of privileged passwords by storing them in a virtual vault, complete with workflows and automation, to control their issuance, return and modification.

Windows delegation: This approach temporarily elevates a regular user's permissions to those of a Windows administrator on their workstation. While that elevated access is technically a PAM issue, the risk of regular users exploiting the temporarily elevated status to cause a breach is low compared to that of granting them widespread network and system access.

Active Directory Administrator delegation: Similar to delegating the Unix/Linux root account, this approach delegates the AD Administrator account on Windows Server.

Session monitoring: In this approach, the business is able to monitor activities performed by users while they have elevated access.

PAM covers all of those approaches, but the problem is that many PAM programs address only one or two of the underlying issues, which is why many of them under-deliver, fail to achieve desired objectives or fail outright. As in other areas of IAM, addressing PAM in silos and without a comprehensive view is bound to disappoint.
Is your PAM program on the right path?
Based on our experience with hundreds of customers over many years, if people in your organization are saying (or thinking) any of a few choice sentences, then chances are your PAM program is in trouble:

insider espionage targeting internal data and trade secrets, and a broader range of tactics compared to previous years, with privilege abuse accounting for 88 percent of instances of insider and privilege misuse.2 Most regulations demand controls on

IAG ensures that the proper protections and controls are in place to remove as much risk as possible.

2 2014 Data Breach Investigations Report, Verizon, April 2014, www.verizonenterprise.com/DBIR/2014/

the most mundane of IT tasks, those that fill the majority of your staff's day?
Getting privileged account management right
The good news is that many organizations get PAM right by following a few guidelines, without a wholesale rip-and-replace. While the following list is not comprehensive, it contains the ingredients most common to successful PAM programs:

1. Unix has special needs. The Unix/Linux root account is unique in that it is all-powerful, it is independent from every other root account and it is a point of vulnerability for the entire system, including Unix data. Observance of a few simple rules helps to improve security, efficiency and compliance for the Unix/Linux root account and the administrators who use it:

- When using sudo, manage it as efficiently and consistently as possible. Look for ways to centralize policy across all sudo instances.

- When sudo doesn't meet your needs, choose a sudo replacement that can draw from the same policy set, management capabilities and account administration as those systems that use sudo.

- Unifying Unix/Linux access through an Active Directory bridge can go a long way toward getting PAM right on Unix machines. If the AD bridge also influences sudo and any sudo replacements, then the traditional difficulties in PAM on Unix/Linux systems evaporate.

- Don't forget keystroke logging. Ensure that you can adequately monitor what your Unix/Linux admins are doing, whether they use sudo or not, and make sure you audit only once with a single toolset across all Unix-based PAM systems.

2. AD is important. While Microsoft solved many of the Unix-like security problems of Windows NT with Active Directory in Windows XP, the native management and security tools in AD lack support for PAM. Every AD management or PAM program should allow for delegating precisely the activities that AD administrators may perform and providing the permissions they need to do their jobs. Look for an AD delegation tool (preferably one that integrates fully with your AD bridge) to eliminate this often-overlooked weakness in most PAM programs.

3. Don't just vault. Anonymous administrative access is a big obstacle to successful privileged account management. A credential vault is a good way to deal with this problem, if you follow these rules:

- Combine vaulting with delegation to provide convenient and secure access for the day-to-day activities of your administrators (particularly for Unix/Linux and Active Directory). Also, provide the extra-elevated access required for the occasional firecall, to grant emergency access to administrators.

- Choose a vault that covers the widest range of accounts. Just as risky, and often much less efficiently managed, are the service accounts associated with infrastructure such as routers and firewalls, and the hardcoded passwords that your applications pass to other applications and data sources.
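As an added illustration of the root-delegation and keystroke-logging rules in item 1 (this is not configuration from the original e-book or from One Identity), a sudoers fragment that grants a constructed web-operations group only the commands it needs and records the input and output of every session; the group, user and command names are assumptions:

```sudoers
# Session monitoring: record keystrokes and terminal output of every
# sudo session in a per-user directory, so auditing happens in one place.
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io/%{user}
Defaults    logfile=/var/log/sudo.log
# Force a pseudo-terminal so output of backgrounded commands is captured too.
Defaults    use_pty

# The delegated commands, spelled out by full path (constructed examples).
Cmnd_Alias  WEB_SERVICES = /usr/bin/systemctl restart nginx, \
                           /usr/bin/systemctl status nginx
Cmnd_Alias  WEB_LOGS     = /usr/bin/journalctl -u nginx *

# Assumed web-operations team. In a centralized setup this would be an
# AD or LDAP group delivered through the AD bridge rather than local users.
User_Alias  WEBOPS = alice, bob

# Root delegation: WEBOPS may run exactly these commands as root and nothing
# else. No NOPASSWD, no shells, no editors, no wildcard-only command paths.
WEBOPS  ALL = (root) WEB_SERVICES, WEB_LOGS

# The all-or-nothing grant this replaces; it hands out the entire root account.
# %wheel ALL = (ALL) ALL
```

Keeping the I/O logs off the host (shipped to the single audit toolset the text recommends) is what makes the recording useful, since an administrator with full root could otherwise tamper with them.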
4 For a detailed explanation of the hierarchy of IAM needs, read the e-book IAM for the Real World: The Fundamentals.
One Identity for Privileged Account Management
One Identity includes a complete set of privileged account management solutions designed to give you the best chance at IAM success. One Identity includes:

Credential vault technology: In an ultra-secure appliance, the One Identity privilege safe offers the complete set of capabilities required to eliminate superuser password sharing across the enterprise, including application-to-application (A2A) and application-to-database (A2DB) scenarios.

Active Directory: One Identity optimizes privileged account management with management and security tools for AD, including a least-privileged model for the AD Administrator account.

Privileged account governance: Integrated with the privilege safe is governance for privileged accounts as well as for application access and unstructured data access.
Conclusion
Privileged account management (PAM) ensures that administrators and superusers with privileged accounts have the access they need to do their jobs. Organizations that rely excessively on sudo, credential vaults and the best intentions of administrators have difficulty complying with governance requirements, but they can get PAM right by following a few simple guidelines and rules.

One Identity for privileged account management offers a credential vault, audit capabilities and a suite of solutions for control of administrator access across the enterprise, helping organizations manage their privileged accounts successfully.
To learn more
For an in-depth look at IAM, read the e-book Identity and Access Management for the Real World: The Fundamentals. And stay tuned for more e-books in this series. I'll cover the entire range of IAM projects:

- Identity governance
- Access management
- Privileged management
Quest Software Inc.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656

Refer to our Web site (www.quest.com) for regional and international office information.

The information in this document is provided in connection with Quest Software products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest Software products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST SOFTWARE ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST SOFTWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest Software makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest Software does not make any commitment to update the information contained in this document.

Ebook-StrategiesForYourPrivilegedAccounts-Part3-US-KJ-25990