A Leader in the 2016 Forrester PIM Wave: What It Means for IT Security Teams

Little has changed in 30 years of massive data breaches

From the earliest computer hackers to today’s sophisticated cyber-criminals, little has changed in the modus operandi used to access and monetize financial data. In the TRW 1984 incident, thieves stole access codes to a credit rating database from a TRW subscriber, a Sears and Roebuck’s store in Sacramento. They proceeded to paste them to an online noticeboard, so that others with personal computers could use the stolen credit history information of 90 million Americans to commit credit card fraud.

Today, privileged user’s credentials are still the preferred target for cyber attackers as they enable greater scope for accessing and exfiltration of entire databases of monetizable data, when compared with end user’s accounts.

Despite 30 years of increasing hacker sophistication and more frequent and catastrophic data breach events, information security can still be an afterthought in the design of modern software and network infrastructure. The resulting defense-in-depth security framework is a vendor-driven patchwork quilt of incompatible, incomplete and in many cases, dead-end software and appliance products.

Vendors have created the costly mess that security and risk professionals deal with on a daily basis and it’s up to vendors to provide viable long-term solutions to help reduce the risk of data breach and the cost of providing protection.

The inclusion of Centrify as a leader in The Forrester Wave™: Privileged Identity Management, Q3 2016 is, in our opinion, the result of 12 years of continued evolution of technology based on customer feedback and our fundamental beliefs around the management of privileged identity.

Untangling your defenses

Other than in banking and financial services markets, where IT security budgets are less financially constrained, IT security execs struggle to provide protection against a rising tide of professional, organized and sophisticated attackers.

Forrester estimates that 80% of security breaches involve the use of privileged credentials. Solving the data breach problem requires a holistic and integrated solution to resolve the causes of the problem; the proliferation of identities requiring privilege and the privileged access granted to business partners, contractors and third party IT suppliers.

According to Forrester, beyond MFA and SAML, PIM Solutions must do four things:

  1. Provide its own Web based channel for access.
  2. Provide its own tamper-proof password safe (credential storage).
  3. Spawn, monitor and intercept privileged Windows and Linux sessions, (privileged session monitoring, or PSM).
  4. Control privilege escalation on the end-point (such as sudo replacement and revoking administrative rights on Windows from end users).

We feel that Forrester’s assertion that “security teams increasingly find they cannot maintain homegrown and/or point solutions for managing privileged access without expending prohibitive amounts of effort” is echoed in Vormetric’s 2016 Data Threat Report. In the Vormetric survey, “57% of executives surveyed, stated that complexity is the principal barrier to adoption of better security and 35% assert the problem is lack of staff.”

In addition, the Vormetric report concludes, “If data security hopes to emerge from the shadow of its network and endpoint security peers, the implicit message for data security vendors is to make products that are simpler to use and require less manpower to implement and maintain. This could point the way to greater acceptance of platform approaches as an alternative to point products, more automation and potentially more services-based delivery options for various forms of data security, such as encryption, key management and data loss prevention (DLP), to name a few obvious candidates.”

Even with the best perimeter defenses, persistent attackers will gain network access at some point. The most likely access point through landing a phish on a business partner or trusted IT services supplier’s laptop. The question is, when hackers enter the organization, how can we protect privileged identities, prevent catastrophic data loss and detect and block inappropriate behavior?

Good security policy eats security products for breakfast

According to Forrester, in an ideal world, there are no shared passwords or recycled/shared functional accounts.

However, in the world you and I inhabit, there are too many administrator accounts, too many shared passwords and too much privilege. In this world, policies that define specifically what privileged users can and cannot do are ill defined and there is a lack of visibility across the privileged activities of administrators using their individual accounts and shared-accounts. For example, do you know if your privileged users are bypassing the password vault to access and administer sensitive systems directly?

I like to refer to this state as the privileged identity management danger zone. Transitioning from this zone through the good zone (single-function, point products implementations) to the optimal zone, means enabling organizations to consolidate identities, enforcing MFA, delivering cross-platform least privilege access and controlling shared accounts, while securing remote access and auditing all privileged sessions.

Risk meter

This reduces an organization’s attack surface by eliminating identity silos and provides better visibility into privileged account activity, enabling customers to reduce the risk of data breach.

Q3 2016 Forrester Wave and Conclusion

The Forrester Wave: Privileged Identity Management, Q3. 2016 gives Centrify the highest score for strategy. It concludes that Centrify offers the first SaaS PIM password safe in the industry and that it is likely others will follow suit. It recognizes Centrify for outstanding support for SaaS apps and IaaS platforms and cites customizable and flexible reporting features.

Centrify helps customers to protect against advanced persistent threats and other identity-related risk, with privilege identity management best practices.

  • Identity Consolidation — centrally managing identities, roles, privileges and local accounts across heterogeneous resources.
  • Privileged Access Request – employing a workflow-based request and approval mechanism for privileged access.
  • SuperUser Privilege Management (SUPM) — the privilege elevation tools that enable granular administrative tasks for authorized users.
  • Shared Account Password Management (SAPM) — for legacy and emergency “break glass” scenarios where you can’t elevate privilege and have to permit direct login as (e.g.) root.
  • Privileged Session Management (PSM) — the service that manages the privilege session and the video recorder keeping watch over it.
  • Secure VPN-Less Remote Access — cloud-based remote access to resources on-premises and in cloud IaaS without a VPN.
  • Application to Application Password Management (AAPM) — replacing plain text passwords embedded in scripts with an API call to a secure password store.
  • MFA Everywhere — enforcing the use of a 2nd factor for user login and for other actions such as privilege elevation.

Finally, in addition to the above PIM best practices and protections provided by the Centrify PIM solution, the Centrify integrated platform approach to protecting identity of all users also addresses concerns around securing access to apps, reducing the complexity and overhead in managing multiple point solutions for single-sign-on, multi-factor authentication, provisioning and de-provisioning of applications and enterprise mobile management.

Read a complimentary copy of the report here.