The Problems with Privilege *and* Legacy Privileged Identity Management

I think we can all easily agree that security breaches caused by hacks/viruses/Advanced Persistent Threats (APTs)/etc. are just getting worse. But what is the biggest source of data breaches? Verizon’s recently published 2015 Data Breach Investigations Report has the answer, and it is our old friend the password. But not any ol’ password. The report found that the passwords that had the proverbial “keys to the kingdoms” — passwords associated with credentials that had “root” and/or “admin” privileges on critical infrastructure, apps and data — were the culprit. And this leads to today’s blog on the problems with privilege, and the corresponding problems that arise with legacy solutions that were built to manage privilege.

As Re/Code reported, the Verizon report analyzed all of last year’s major hacks and found that the most popular method was attacks on Web applications. In those hacks, “attackers used stolen credentials, like user names and passwords, 95 percent of the time, and simply logged in as if they were a legitimate user.” This would not be as massive a problem if it were “Bob the sales rep” whose password was stolen, as Bob may have access only to his email account and a subset of the corporate Salesforce data. It turns out that the hackers are not only going after Bob but also after bigger fish: people in the organization who have elevated privilege on the key intellectual property of the firm. In other words, they want Bob’s password, but they also want the passwords for the sys admin, the network admin, the DBA, the email admin, etc.

So how are these privileged users’ passwords stolen? As Re/Code notes: “Credentials are often stolen as the result of another kind of popular attack: Phishing, in which a target is tricked into opening malware that looks like a legitimate document. The study found that when attackers launch phishing campaigns, sending large masses of email in hopes that someone will click on them, 23 percent of the recipients will read the email and 11 percent will open the trouble-making attachment. While that may not seem high, it’s one of those situations where it takes only one careless person to cause a lot of headaches.”

So it is not surprising that when you look at the nature of most of the hacks, they are in fact going after end users’ and/or privileged users’ identities (as shown by the “ripped from the headlines” examples below). Stealing passwords for privileged accounts, which are often generic accounts shared by IT personnel, is what has the deadlier consequences.

[Image: Identity at Center of Cyber Attacks]

So we must lock down, better secure and audit all of these privileged accounts, so that even if a hacker were to steal one of them, we could detect someone doing some funky stuff with the account. Got it. But there is one complication. The world of IT is becoming more “de-perimeterized” because of cloud and mobile, which facilitates “shadow IT,” so it is actually getting harder to figure out where you have privileged accounts, and the number of privileged accounts is growing with each new cloud-based app and server. So privileged identity management is actually getting harder, not easier.

[Image: ... and harder to manage as infrastructure evolves]

As I look at traditional privileged identity management solutions, I see solutions that address the needs of privilege management, but do so from the vantage point and architecture of where IT was 10-15 years ago, not where IT is going with cloud and mobile. Many vendors in this space, such as CyberArk, which had a recent IPO, were formed in the 1990s, well before the mobile and cloud revolutions. Unsurprisingly, many of these products’ architectures reflect that. These types of solutions are also typically focused on vaulting the passwords of shared accounts, not realizing that in today’s world the VP of Sales’ Salesforce account is as privileged an account as the UNIX root account, and you can’t check your VP of Sales’ account in and out of a safe or vault. They also don’t typically factor in that it is probably best to get people away from using shared accounts to the extent possible, to get users to log in as themselves, and to implement least privilege for those users.

What we have also seen is that the delivery mechanism of these types of legacy solutions is very expensive software and/or an appliance, and you have to pay a large up-front perpetual license. These solutions run counter to the shift to modern solutions that are delivered as a service and paid for on a subscription/pay-as-you-go basis, which deliver significantly quicker ROI and lower licensing and implementation costs. Mobile capabilities of these legacy solutions are minimal, and because they are often delivered as an on-premises solution, they can’t fully address the privilege management needs of Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), etc.

The bottom line is that we know privilege management is a huge issue given all the hacks, and while legacy solutions exist that were built to address the world of IT circa the 1990s, the reality is that a modern solution is required to address privilege in today’s IT infrastructure of cloud, mobile and on-premises data centers.

[Image: change how we manage privileged accounts]

Centrify has historically addressed privileged identity management from the perspective of enabling IT users to log in as themselves (e.g. with their Active Directory accounts), implementing least privilege access via roles and rights, and providing robust host-based user-level auditing. We built the largest install base in privileged identity management doing that. But we also realize there are shared accounts that cannot be mapped to a specific user (a problem for accountability) and that also need to be managed. I think we are also ahead of the curve in this market with the understanding that the world of IT has moved beyond the data center to an increasingly hybrid mix of cloud, mobile and on-premises, and that the best way to deliver this is as a service. And finally, we realize that not just IT people are privileged users: business unit managers and app owners for the growing number of SaaS apps also have keys to very important kingdoms.
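To make the accountability point above concrete, here is a small added example (not Centrify’s code, and not part of the original post) that audits a handful of constructed sshd/sudo syslog lines. It flags two things the post argues against: direct logins to shared accounts such as root or admin, which cannot be attributed to a person, and named users escalating via sudo to run commands outside the rights their role grants. The `ROLE_RIGHTS` table, host names, user names and addresses are all hypothetical.

```python
import re
from collections import Counter

# Constructed sample log lines in sshd/sudo syslog style (not real data).
SAMPLE_LOG = """\
Apr 20 09:01:12 db01 sshd[2101]: Accepted password for root from 10.0.5.17 port 51022 ssh2
Apr 20 09:03:44 db01 sshd[2140]: Accepted publickey for alice from 10.0.5.21 port 51030 ssh2
Apr 20 09:04:02 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Apr 20 09:10:31 web02 sshd[3310]: Accepted password for admin from 10.0.5.17 port 51100 ssh2
Apr 20 09:12:05 web02 sshd[3350]: Accepted publickey for bob from 10.0.5.30 port 51110 ssh2
Apr 20 09:12:40 web02 sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# Generic accounts that several people share: a login here names nobody.
SHARED_ACCOUNTS = {"root", "admin", "administrator"}

# Hypothetical role-to-rights table: the commands a named user may run as root.
ROLE_RIGHTS = {
    "alice": {"/usr/bin/systemctl"},  # DBA role: service control only
    "bob": {"/usr/bin/tail"},         # web ops role: read logs only
}

SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_events(log_text):
    """Turn syslog lines into login / sudo event dicts; ignore anything else."""
    events = []
    for line in log_text.splitlines():
        host = line.split()[3]  # "Mon DD HH:MM:SS host ..." -> 4th field
        m = SSH_RE.search(line)
        if m:
            events.append({"host": host, "kind": "login", **m.groupdict()})
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append({"host": host, "kind": "sudo", **m.groupdict()})
    return events


def audit(events, shared=SHARED_ACCOUNTS, rights=ROLE_RIGHTS):
    """Return findings: unattributable shared-account logins and sudo use outside a role."""
    findings = []
    for e in events:
        if e["kind"] == "login" and e["user"] in shared:
            # Nobody can say which person held the session: no accountability.
            findings.append(("unattributable_login", e["host"], e["user"], e["src"]))
        elif e["kind"] == "sudo":
            binary = e["cmd"].split()[0]
            if binary not in rights.get(e["user"], set()):
                # A named user is attributable, but exceeded least privilege.
                findings.append(("outside_role", e["host"], e["user"], e["cmd"]))
    return findings


def summarize(findings):
    """Count findings by category for a quick report."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    found = audit(parse_events(SAMPLE_LOG))
    for f in found:
        print(*f)
    print(summarize(found))
```

Running it reports the two shared-account logins as unattributable and bob’s read of /etc/shadow as outside his role, while alice’s service restart passes because it is both attributed to her and within her granted rights; that is the difference between vaulting a shared password and having people log in as themselves under least privilege.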

With that in mind, tomorrow we are announcing a major new product that will disrupt the privileged identity management space. Stay tuned to this blog to learn more!