The recent revelation that Barracuda Networks had numerous privileged “backdoor” user accounts with weak passwords once again draws attention to not only the need to have strong passwords but also the need for privileged identity management.
We are all familiar with the concept of weak passwords, but what is privileged identity management? It has to do with the fact that most mission-critical systems, applications, databases and network gear (such as Barracuda’s appliances) have an administrative username and password (i.e. a privileged account) to enable installation, configuration, administration and management of those platforms. And it turns out that most large IT organizations have hundreds of people who need to administer Windows or UNIX systems (“the sys admins”), their databases (“the DBAs”), their networks (“the network admins”), as well as multiple personnel who either develop applications (“the developers”) and/or administer applications (“the app admins”).
These are in effect the “superusers” in one’s IT organization. And it means that the more privileged users an organization has, the more people have “keys” (i.e. administrative access) to these “kingdoms” (i.e. systems and applications) and to the valuable information that resides behind the kingdom doors. The point is that it is not the average end user who can cause a major insider breach, as their accounts tend to have limited access to critical data; it is the “superuser” who has the keys to the proverbial kingdom who can potentially do the real damage.
Given that many security breaches emanate from compromised superuser accounts or from the malicious use of these accounts by insiders, an increasing security concern that IT organizations are now focusing on is figuring out who within the organization (or, in the case of Barracuda, outside the organization, as these were accounts used by Barracuda technical support) actually has administrative access. Other questions in this area include whether IT staff are sharing these privileged accounts, and how we can better control and audit what those accounts can do.
So where is an IT organization to start? From my perspective the first step is to avoid handing out shared privileged accounts and instead get IT staff to use personal accounts, i.e. have IT users always log in as themselves rather than share the “root” account. This leads to better accountability and traceability of actions. And the more an IT organization can consolidate identities into an authoritative identity store, the better, since that also makes it easier to de-provision the accounts of a terminated employee or contractor.
The next step is to implement the concept of “least privilege,” i.e. put into place the ability to limit which systems privileged users can access (i.e. reduce the number of keys) and, once they have been securely given a key (i.e. access to a system), grant in a granular manner only the privileges required for them to perform their duties.
Finally, IT organizations need to consider adding software that can monitor all activity taken by privileged users.
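The three steps above, as an added example that is not from this post or from Centrify's products: a small Python audit of a constructed sudoers fragment (the sudoers content, user names and command paths are made up for illustration) that separates grants handing out unrestricted root, the shared "keys to the kingdom", from granular, per-person command grants.

```python
import re
from dataclasses import dataclass

# Constructed sample sudoers content (not from the post). The first two entries
# hand out unrestricted root; the last two are the per-person, per-duty grants
# that "least privilege" calls for.
SAMPLE_SUDOERS = """\
# shared "keys to the kingdom": anyone in wheel gets unrestricted root
%wheel  ALL=(ALL) ALL
# unrestricted, and without re-authentication
deploy  ALL=(ALL) NOPASSWD: ALL
# granular, per-person grants scoped to the commands the duty needs
alice   ALL=(root) /usr/sbin/service nginx restart, /usr/bin/systemctl status nginx
bob     ALL=(oracle) /opt/oracle/bin/sqlplus
"""

@dataclass
class Grant:
    principal: str      # user, or %group
    runas: str          # identity the commands run as (defaults to root)
    nopasswd: bool      # True when NOPASSWD: tag is present
    commands: list      # command specs, "ALL" meaning every command

# user  host=(runas) [NOPASSWD:] cmd, cmd ...   (subset of sudoers syntax)
_LINE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")

def parse_sudoers(text):
    """Parse user-specification lines; comments and unrecognised lines are skipped."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (also drops #include)
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        principal, _hosts, runas, nopasswd, cmds = m.groups()
        grants.append(Grant(principal, runas or "root", bool(nopasswd),
                            [c.strip() for c in cmds.split(",")]))
    return grants

def audit(grants):
    """Return (principal, reason) findings for grants that are not least-privilege."""
    findings = []
    for g in grants:
        unrestricted = "ALL" in g.commands
        if unrestricted:
            findings.append((g.principal, "unrestricted: command list is ALL"))
        if unrestricted and g.nopasswd:
            findings.append((g.principal, "NOPASSWD on an unrestricted grant"))
        if unrestricted and g.principal.startswith("%"):
            findings.append((g.principal, "group-wide root grant hides which person acted"))
    return findings
```

Running `audit(parse_sudoers(SAMPLE_SUDOERS))` reports `%wheel` and `deploy` and leaves `alice` and `bob` untouched; the same check can be pointed at a real sudoers file once per-person accounts are in place.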
This is a big security problem — various surveys have shown that nearly half of attacks come from “insiders” — yet it is something that is often overlooked vis-à-vis other security solutions such as firewalls, anti-virus, etc. Hopefully this blog post and the Barracuda backdoor account revelation will raise awareness of the need for solutions in this area.
This whole area of privileged identity management is something Centrify has focused on for a number of years now. Our DirectControl solution provides authentication by controlling who can log into which systems and applications, and does so by leveraging an existing identity infrastructure you already own — Microsoft Active Directory. From there DirectAuthorize provides the authorization piece and lets you control how and when users can access a system. Finally DirectAudit lets you audit all actions taken by any individual including those with root or administrative privileges. Together they form the Centrify Suite to provide robust privileged identity management that is all built on a single platform, leverages a single directory infrastructure, and works across hundreds of different versions of operating systems.
And our investment in this space continues with today’s announcement of Centrify Suite 2013, a major upgrade to our software solution for UNIX, Linux and Windows servers. Centrify Suite 2013 features new advanced privileged user management and auditing for Windows systems (aka DirectAuthorize for Windows), a new “sudo” migration tool for Linux systems, additional platforms and a whole host of additional new features. Check out this datasheet for more information. In upcoming blogs I will be drilling down in more detail on some of these new products (e.g. DirectAuthorize for Windows) and new features (e.g. sudo migration).