Privileged Identity Guide - Four Key Steps to Secure Your ......reuse. Exa e listed in Ta endor‐supp om applica me active…" ess rights to stem comp ke access fo inactive use used

Privileged Identity Guide

Four Key Steps to Secure Your Infrastructure

Executive Summary Because privileged identities hold elevated permissions to access data, run programs and change the configuration settings on virtually every hardware and software component of IT, control over their use is essential to maintain information security and operational efficiency. Regardless of past audit successes, organizations that fail to adequately control the use of privileged identities have experienced data loss, downtime, and damage to reputation.

This guide examines four key steps necessary to secure an organization's privileged identities. It describes basic, manual and ad‐hoc processes that can improve control over privileged access along with automated alternatives to further reduce the risks of data breaches and operational disruptions while improving staff efficiency and management oversight.

Page 2

Conten

Executive

Introduct

About

How A

Privile

Privile

Privile

Taking

Step 1 –

Manua

Autom

Step 2 –

Manua

Autom

Step 3 –

Manua

Autom

Step 4 – A

Manua

Autom

Summary

About Lie

nts

e Summary .

tion ............

Privileged Id

Access to Priv

ged Identitie

ged Identitie

ged Identitie

g Control .....

Identify ......

al and Ad‐Ho

mated Altern

Delegate ....

al and Ad‐Ho

mated Altern

Enforce ......

al and Ad‐Ho

mated Altern

Audit ..........

al and Ad‐Ho

mated Altern

y .................

eberman Sof

...................

...................

dentities ....

vileged Iden

es – The Risk

es and Comp

es and IT Ser

...................

...................

oc Processes

atives to Ide

...................

oc Processes

atives for De

...................

oc Processes

atives to En

...................

oc Auditing P

atives for Au

...................

ftware ........

© 2009 by Lieb

....................

....................

....................

tities Spread

ks .................

pliance ........

rvice Manag

....................

....................

s to Identify

entify Accou

....................

s To Delegat

elegation an

....................

s to Enforce

force and Pr

....................

Processes ....

uditing and A

....................

....................

Four Key

berman Software

....................

....................

....................

ds ................

....................

....................

gement ........

....................

....................

Privileged A

nts and Inte

....................

te and Contr

nd Secure Ac

....................

Password R

ropagate Pas

....................

....................

Alerting .......

....................

....................

Priviley Steps to Se

Corporation. All ri

....................

....................

....................

....................

....................

....................

....................

....................

....................

Accounts ......

erdependenc

....................

ol Access ....

ccess ............

....................

ules .............

ssword Rule

....................

....................

....................

....................

....................

eged Idenecure Your I

ights reserved. R

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

cies ..............

....................

....................

....................

....................

....................

es .................

....................

....................

....................

....................

....................

ntity GuidInfrastructu

Rev. 20090625a

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

....................

de re

...... 1

...... 3

...... 3

...... 3

...... 3

...... 5

...... 6

...... 7

...... 7

...... 8

...... 8

...... 9

...... 9

.... 10

.... 11

.... 11

.... 12

.... 13

.... 14

.... 14

.... 15

.... 15

Page 3

Introd

About P

Privilegedand chanfound onand secuapplicatio

How Ac

Absent sboth plan

Cdas

Na

Cth

Ojo

Pm

Because access tedisruptio

Privileg

Recent eexposure

Ap

1 Immediately

duction

Privileged

d identities nge configurn server andurity applianons, Web se

ccess to Pr

ufficient connned and un

ompanies focumented s servers, ne

New applicatnd undocum

ompanies dhe roles of a

Organizationsob role chan

assword semeans.

privileged ends to expaons in busine

ged Ident

events deme of sensitive

A US financublished on

y after the inciden

d Identitie

are accountation setting desktop opnces, and inervices, back

rivileged

ntrols, accesnintended w

fail to chanor undocumetworking ap

ions are instmented back

elegate admdministrativ

s fail to revges or his em

curity is br

identities arand over timess‐critical se

tities – Th

monstrate hoe data and fa

cial institutithe Interne

nt the organization

© 2009 by Lieb

es

ts that holdgs. Privilegeperating systn programs kup software

Identities

ss to an orgaays. This hap

ge the pre‐mented) thatppliances, ba

talled that ckdoors.

ministrative ve personne

oke all privimployment e

reached by

re found virme, they canervices.

e Risks

ow failure ailures in bu

on discovert by a fired I

n purchased Liebe

Four Key

berman Software

elevated peed identities tems, on netand service

e, scheduled

s Spreads

anization's pppens as:

‐configured t are introduackup system

ontain both

duties acrosl, and contra

ileged accouends.

social engi

rtually evern pose signif

to safeguarsiness‐critic

red that itsT administra

rman Software pro


Corporation. All ri

ermission toexist virtualtwork devicees including tasks, and o

s

privileged ac

logins and uced as theyms and mon

documente

ss overlappiact these du

unts accesse

neering, dic

ywhere in ticant risks o

rd privilegedal services:

s domain lator.1

oducts to secure it


ights reserved. R

o access filelly everywhees such as r databases,others.

ccounts spre

service accy deploy newitoring appli

ed login and

ng functionaties to outsi

ed by an em

ctionary att

the infrastruof unwanted

d access ca

ogin creden

ts privileged ident


Rev. 20090625a

es, run progrere in IT; theouters, swit line‐of‐bus

eads over tim

counts (whew hardwareiances.

service acco

al teams, chde personne

mployee afte

tacks, and o

ucture and data access

an result in

ntials had

tities.

de re

rams, ey are ches, siness

me in

ether such

ounts

hange el.

er his

other

their s and

n the

been

Page 4

Afo

Adw

Aw

Ap

Fi

Beyond dlack of adunable to

Rp

Pth

Saa

Mco

2 Paul Venezia

3 Frank Wash

4 Asa Aarons,

5 Jaikumar Vij

6 Linda McGla

7 Stefanie Hof

A large US collowing an a

A pharmaceuisgruntled a

wipe out the

A credit repowhen its data

A PCI DSS‐ceotential to e

igure 1 – Or

direct financdequate polo:

ealistically qrivileged acc

rotect the ohose who ar

afeguard opre granted a

Maintain stafomply with c

a, "Sorting Facts frkuch Jr., "Former " Company reporjayan, "Database aasson, "Heartland ffman, "Heartland

ity was lockaltercation o

utical suppldministratocompany's c

orting agencabase admin

ertified credexpose more

ganizations

cial losses aicies and pra

quantify andcount vulner

organizationre intended t

perational staaccess to sen

ff efficiency corporate se

rom Fiction in the New Jersey systemrts huge breach in admin steals 2.3MData Breach: Visad Data Breach Cou

© 2009 by Lieb

ked out of ion the job.2

ier discoverr with unmoclinical trial

cy exposed nistrator sold

it card proce than 100 m

That Becom

nd negativeactices to m

d address itrabilities res

n's assets byto see it

ability and snsitive data o

by ensuringecurity polic

Terry Childs Case,ms administrator gpersonal data," N

M consumer record Questions Procesld Leave 100 Millio

Four Key

berman Software

ts network

red the preonitored accdata.3

more than d the data fo

cessor suffemillion credit

me Victims o

e media expanage privile

s security rside

y verifying t

ecurity by por to make c

g that IT peries

," PC World, 30 Jugets 30 months in ew York Daily Newds at Fidelity Natiossor's PCI Compliaon Accounts Expo


Corporation. All ri

by an adm

esence of acess; the ma

eight millioor personal g

red a data t card accou

of Security B

posure expreeged accoun

isks by dete

hat sensitiv

roviding an changes to b

rsonnel have

ly 2008. prison for 'logic bws, 7 September 2onal subsidiary," Conce," Bank Info Sesed" ChannelWeb


ights reserved. R

inistrator w

a logic bomlicious code

n consumergain4,5.

breach thatnts. 6,7

Breaches in t

essed in Figunts can make

ermining wh

e data is ac

audit trail obusiness‐crit

e the resour

omb'," SC Magazi2007 omputerworld Sececurity 24 March 2b, 21 January 2009


Rev. 20090625a

who was arre

b inserted was design

rs' personal

t it said had

the Headline

ure 1 abovee an organiz

here all pote

ccessible on

f individualsical IT proce

rces necessa

ne, 9 January 2008

curity, 3 July 20072009

de re

ested

by a ed to

data

d the

es

e, the ation

ential

ly by

s who esses

ary to

8

Page 5

Ea

Cp

Ep

Neglectinnumberspenalize

Privileg

Failure towith a rorganizatData Sec

Standardhardwareauditing,by privile

2

6

7

7

8

8

8

8

8

1

Table 1 –

8 Jaikumar Vij

9 PCI Security

liminate ineddress signif

ontrol the rivileged acc

liminate therivileged acc

ng to contros of IT auditoorganization

ged Ident

o effectivelyrange of intions procesurity Standa

ds such as PCe and softw password seged identity

.1 "Alwanetwo

.3.6 "Remoapplic

.7.1 "Restr

.2.1 "Cove

.5.4 "Imme

.5.5 "Remo

.5.6 "Enabtime p

.5.8 "Do no

.5.9 "Chan

0.2 "Imple

– PCI DSS Re

jayan, " Visa Warn

y Standards Counc

efficient, incoficant vulner

potential focount crede

e potential counts are u

ol privileged ors look for ns that fail to

tities and

y manage prnitiatives anssing credit ards (PCI DSS

CI DSS set mware assets strength andy controls ar

ys change vork…“

oval of custcations beco

riction of acc

rage of all sy

ediately revo

ove/disable

ble accountsperiods need

ot use group

nge user pass

ement autom

equirements

ns Merchants of De

cil LLC, "PCI DSS Re

© 2009 by Lieb

omplete marabilities

or extendedntials that a

for undesirused for task

account acsound manao effectively

Complian

rivileged accd may leadcard paymeS) pay increa

inimum requalong with

d reuse. Exare listed in Ta

vendor‐supp

tom applicame active…"

cess rights to

ystem comp

oke access fo

inactive use

used by veded."

p, shared, or

swords at le

mated audit

s Addressed

eadline for PCI Co

equirements and S

Four Key

berman Software

anual proces

d damage are re‐used a

red system ks that don't

cess can alsagement pray address the

nce

count accessd to higherents that failased commis

uirements foh restrictionmples of PCable 1 below

plied passwo

ation accoun"

o privileged

onents."

or all termin

er accounts a

endors for r

r generic acc

ast every 90

trails for all

By Privilege

mpliance," Compu

Security Assessme


Corporation. All ri

sses that can

after a singcross indepe

changes anrequire the

so lead to coactices and me risks.

s has the por, direct bul to comply ssions and fi

or discoveryns on user CI DSS requirw.

ords before

nts, user ID

user IDs to l

nated users."

at least every

remote mai

counts or pas

0 days."

system com

ed Identity M

uterworld, 20 Aug

nt Procedures v1.


ights reserved. R

n waste tim

gle security endent IT as

nd service dm

ompoundedmore compl

otential to business costwith Paymenes.8

of privilegeaccess, accorements9 tha

installing a

Ds, and pass

east privileg

"

y 90 days."

ntenance on

sswords."

mponents…"

Managemen

ust 2007

2," October 2008


Rev. 20090625a

e while faili

breach expssets

disruptions w

costs as griance autho

block complts. For exament Card Ind

d accounts oount separaat are addre

system on t

swords befo

ges…"

nly during t

nt

de re

ng to

poses

when

eater orities

iance mple, ustry

on all ation, essed

the

ore

the

Page 6

It can beplace canand autoprocessocustomeface signappliance

"Our adeployprivileincludprivilecausin

The failuappears tLieberma

"As laprivilecustomregain

Privileg

Apart froBreach Inregulatioof their Iapproach

"We mrouterto aut

A commothat havonly at d

10 APM Grou

11 Kevin Behr

e argued thannot be reao‐remediateors who hars, companinificant vulne vendor pu

appliances myment, custeged serviceding supposeeged service ng service ou

re of seeminto be raisingan Software,

ate as 2007eged identitmers are enn control of p

ged Ident

om complianformation Aons, organizaIT service mh to IT servic

must be awrs, network dthorized wor

on principle e the potendesignated t

p Ltd., "Official ITI

r, Gene Kim, and G

at the PCI Dalistically mees privilegedave enduredes that fail erabilities ret it,

monitor the tomers havee account paedly PCI DSSaccounts onutages."

ngly compliag alarm with, notes,

7 we rarelyty managemnterprises thprivileged id

tities and

nce with SaActs, NASD 3ations' failuranagement ce managem

ware of chadevices, datrk, or it must

of IT servicential to impatimes and o

IL® Website"; http

George Spafford, T

© 2009 by Lieb

SS requiremet without td account cd highly‐puto continuoegardless of

core switchee told us thaasswords onS compliant n the applian

ant organizah greater num

y heard aboment stratehat face expdentities, imp

IT Service

arbanes‐Oxle3010, SEC 17re to take coprocesses.

ment10 puts it

nges on alltabases, andt be flagged

e managemeact businessonly for doc

p://www.itil‐officia

The Visible Ops Ha

Four Key

berman Software

ment that allthe use of scredentials.blicized secously detect f past certif

es at the maat they havn these devones – eithnces or are u

tions to discmbers of au

out audit fagy. Today pensive comprove securit

e Manage

ey, HIPAA, 7a‐4, 21 CFRontrol of privAs one autht,

l infrastructud so forth. Eafor investiga

ent is to cons‐critical sercumented p

alsite.com/home/h

ndbook (IT Proces


Corporation. All ri

l IT componoftware thaLike the PCcurity breacand controication. As a

ajority of theven’t changevices. Many er don't knounwilling to

cover and coditors. As Ph

ailures resula sizeable mpliance faity, and pass

ement

Gramm‐Lea Part 11, Dovileged identhority on ITI

ure that weach detectedation."11

ntrol which prvices, ensururposes. In

home.asp; accesse

ss Institute, 2005)


ights reserved. R

ents have aat continuouCI DSS – ceches impacol all privilegan engineer

e Fortune 50ed the defauof those orow how to fmake chang

ontrol all privhilip Lieberm

lting from tpercentageilures and afuture audit

ch‐Bliley, CaD 5015.2 antities can imL, the most

e are manad change mu

personnel caring that chparticular,

ed 24 June 2004

, p. 28


Rev. 20090625a

ccess contrously auto‐deertified paycting millionged accountr at one net

00. Years aftult logins anrganizationsfind all of thges for fear

vileged idenman, preside

the lack of e of our neare looking ts."

alifornia Secnd a host of ompact the suwidely acce

aging: serverust either ma

an make chahanges are mthe existen

de re

ols in etects ment ns of s can twork

ter nd – he of

ntities ent of

a ew to

curity other ccess epted

rs, ap

anges made ce of

Page 7

super‐usoverreac

"Whaperson

As with oaccess ca

Taking

While thefficiencymanner.

Ident

Delegwith

Enforchang

Auditreque

The follo

Step 1The first reside onaccountson domapools, COaccountesignifican

A secondprivilegeaccount database

12 ibid.

er identitieching threat

t is often ovn can probab

other initiatan put IT ser

g Control

he spread oy, processesThe process

tify and docu

gate access documented

rce rules foges across a

t and alert est is docum

wing section

1 – Identstep to taken server ans, and elsewain and locaOM+, and ed for on ent gaps.

d, critical asd accounts ois accessede credentials

es that allto successfu

erlooked is tbly single‐ha

ives, failure vice manage

f uncontrolls exist that cses can be d

ument all cr

to credentiad purpose, c

or passwordll dependen

so that themented and m

ns describe a

ify e control of pnd desktop where. A singal logins, inDCOM objeevery device

spect of thison every ded by four des alone will lo

© 2009 by Lieb

ow unrestrul IT service m

that if one pandedly sink

to invest inement proce

led privilegecan reliably escribed as f

itical IT asse

als so that acan login to I

d complexitcies to prev

e requester,managemen

a number of

privileged idoperating sygle server, fnstalled appects. Withoue, any initi

s step is to vice. Failureependent seock out the

Four Key

berman Software

ricted, undmanagemen

erson can sik the ship, to

n sufficient sesses at risk.

ed access thhelp organizfour key ste

ts, their priv

ppropriate pIT assets in a

y, diversity ent service d

, purpose, ant is made aw

f alternative

dentities is toystems, netfor example,lications, scut the assuative to tak

thoroughly e to take intervices on dependent s


Corporation. All ri

ocumented nt:

ingle‐handedo." 12

safeguards t.

hreatens dazations regaps that are a

vileged acco

personnel, ua timely man

and changdisruptions.

and duratioware of unus

s to achieve

o identify wtwork applia, may have cheduled tasrance that ke control

map the ino account, fother compservices and


ights reserved. R

access is

dly save the

to control p

ata security in control inabbreviated

unts and int

using least prnner at desig

ge frequenc

n of each psual events.

these four s

here the accances, softwprivileged idsks, servicesall privilegeof privilege

nterdependefor example,puters meand create busi


Rev. 20090625a

viewed a

ship, that on

rivileged ide

and operatn a cost‐effeas I.D.E.A.:

terdependen

rivilege requgnated times

cy, synchron

privileged a

steps.

count credenware and sedentities pres, IIS appliced identitiesed access le

encies amon, that a datans that channess disrupt

de re

s an

ne

entity

tional ective

ncies.

uired, s.

nizing

ccess

ntials ervice esent ation s are eaves

ng all abase nging tion.

Page 8

Because requires automateffort req

Manua

To enumstaff typiare thenpresenceand servit carriesto‐date ctime and

Automa

Privilegedprivilegeand up‐texhaustivbelow, Eand catasystems, applicatio

Figure 2

manually a great deed softwarequired.

al and AdH

merate an orically start bn establishede of system aices. Becaus the risk thacatalog of idd with each s

ated Alter

d identity md accounts to‐date. Theve lists of prnterprise Raalogs privileg

network ons, and oth

– ERPM Ide

identifying eal of proce can improv

Hoc Proce

ganization'sby exportingd to each saccounts, anse this proceat personnelentities andsignificant ch

rnatives t

managemenand interdee best of trivileged ideandom Passwged accountand backu

her IT resour

ntifies a Wid

© 2009 by Lieb

substantialless disciplinve the reliab

esses to Id

privileged ig lists of IT asystem thrond by manuaess is time‐co will fail to cd interdepenhange in infr

to Identify

nt software ependencies these solutientities presword Managts present oup applianrces.

de Range of

Four Key

berman Software

y all privilene and a sbility of the

dentify Pr

identities wiassets from eough a comal inspectiononsuming anconsistently ndencies reqrastructure.

y Accounts

automatesand helps tons can drent in the eger (ERPM) fon a wide rces, datab

f Privileged A


Corporation. All ri

eged accousignificant rprocess whi

rivileged A

ithout the uexisting direbination of n for the prend varies wicomplete it

quires that th

s and Inte

the task tto assure thaw from nenvironmentfrom Liebermrange of seases, Web

Accounts an


ights reserved. R

nts and inecurring effle substanti

Accounts

use of dedicaectory servicscripts tha

esence of tadely from sy. Further, tohe process b

erdepende

o catalog ahat the resuumerous sot. As represeman Softwarrver and de services,

nd Interdepe


Rev. 20090625a

terdependefort, the usally reducin

ated softwaces. Connecat documentrget applicaystem to syso maintain abe repeated

encies

an organizatults are comources to cented in Figure auto‐discoesktop operline‐of‐bus

endencies

de re

ncies se of g the

re, IT ctions t the ations stem, n up‐ over

tion's plete reate ure 2 overs rating siness

Page 9

Figure 3 Active Di

Figure 3

Among pleverage HP, Novebrowser and autdisruptio

Step 2A secondrequestolength of

Manual alimitation

Manua

The cornand physpasswordcredentiathem ina

below showrectory, one

– Configurin

privileged ida wide rangell, Oracle, lists, IP rangto‐propagateons.

2 – Delegd key goal oors, in a timf time and a

and ad‐hoc ns, as will be

al and AdH

nerstone of msical securitd delegatioals that are accessible t

ws how ERPe of many co

ng Dynamic

dentity mange of discoveSAP, Sun, Sge scans, ande the nece

gate of privileged mely mannerdocumente

methods to e examined i

Hoc Proce

manual procy. When man should bkept on spo all but a

© 2009 by Lieb

PM is configonfigurable d

Discovery th

nagement sery sources –iemens, Redd others – anessary chan

identity mar, over a sed purpose, u

achieve thiin the next s

esses To D

cesses for granual procee thoroughpreadsheets uthorized in

Four Key

berman Software

gured to syndiscovery so

hrough Activ

solutions, E– including td Hat and ond for its ponges, there

anagement icure commusing the lea

s step face section.

Delegate a

ranting priviesses are imly vetted aand hard‐condividuals. R


Corporation. All ri

nchronize itsurces, to ma

ve Directory

RPM is distthe directorother open ower to deteeby preven

is to grant aunication chast privilege

a number o

and Contr

leged accessmplemented and limited opy lists muRegardless o


ights reserved. R

s discovery aintain its in

y in ERPM

tinguished y services ofsource alterct interdepeting lockou

access only thannel for arequired.

f security an

rol Access

s is carefullythe individuin number

ust be safegof the hum


Rev. 20090625a

mechanism ventory lists

by its abilitf Microsoft, rnatives, doendent proceuts and se

to authentica predeterm

nd accounta

s

y‐planned huuals who cor, and passguarded to mman and phy

de re

with s.

ty to IBM,

omain esses ervice

cated mined

ability

uman ontrol word make ysical

Page 10

security mmitigate:

Bo

Mm

Teare

Treco

Tlo

Automa

Automat

Pcose

Pthm

Fi

measures th:

ecause theyrganization

Manual procminimum a g

hey increasnterprises blways have equestor.

hey make it ely on indivommunicate

hey can redogin credent

ated Alter

ted privilege

romote greommunicatiecrets to any

rovide 24‐hohe world, amethods (Fig

igure 4 –Tw

hat may be in

y lack automto thorough

esses make rantor and r

se the potbecause theyaccess to t

more difficuidual superve this data to

duce overall tials after a s

rnatives f

d identity m

eater accouon channel y other indiv

our access tuthenticatinure 4 below

o‐Factor Req

© 2009 by Lie

n place, man

mated audithly screen th

it more difrequestor bo

tential for y require atthe credenti

ult to complvisors to doo those resp

security byspecified tim

for Delega

management

ntability byonly to thevidual.

to privilegedng through w), regardless

questor Aut

Four Key

eberman Software

nual process

ing and cone individuals

fficult to tieoth have acc

service dist least one iials and a s

ly with servicument theponsible for s

y relying on me following

ation and

software of

y delivering e authorized

d credentialsa configuras of the avai

thentication


e Corporation. All

ses introduce

ntrol, they ps who contro

e access to scess to passw

sruptions inndividual wsecure comm

ce managem reason for supervising t

administrateach reques

Secure Ac

ffers improv

privileged requestor,

s (including ble choice lability of su

n in ERPM Us


rights reserved.

e risks that c

place a higheol access.

single indiviwords during

n distributewho controls munication

ment initiativeach accessthe process.

tors to manst.

ccess

ed security,

credentialswithout ex

fire call acceof directoryupervisory pe

sing an RSA


Rev. 20090625a

can be diffic

er burden o

duals, sinceg each reque

ed and 24‐the accounchannel to

ves becauses request an.

ually change

since it can

s over a seposing pass

ess) anywhey and two‐fersonnel.

SecurID® To

de re

ult to

on an

e at a est.

‐hour nts to each

e they nd to

e the

:

ecure word

ere in factor

oken

Page 11

Emsure

Eex

Fi

ERPM allsupportsreason foleast req

Step 3Reliably‐duplicateaccess. Aprivilegestability.

Manua

Organizachange fvulneraboverly stwrite dow

13 Ant Allan, "

liminate sermechanism fupervisory pequired priv

liminate misxpiration of

igure 5 – Sec

ows passwo full auditingor each pasuired privile

3 – Enforenforced rue logins) anAs will be dd account c

al and AdH

tions that frequency fable to automtringent canwn passwor

"Blindly Increasing

rvice disruptfor requestopersonnel a ilege.

suse of creda pre‐deter

cure Web In

ord self‐recog and reporssword checeges were gr

rce ules for pand change fiscussed becredentials f

Hoc Proce

rely on maace a balancmated explon make passds and store

g Password Strengt

© 2009 by Lie

tions and facors to docuway to conf

entials by cmined check

nterface for

overy througting, and cackout. This pranted in eac

ssword comfrequency alow, manuaface limitatio

esses to E

anual procescing act, sincoits while coswords impre them in oth

th Is Futile," Gartn

Four Key

eberman Software

cilitate serviment the pfirm that ea

hanging thek‐out time.

Password R

gh an encrypn be configuprovides a mch event.

mplexity, dire critical tal processes ons that can

Enforce Pa

sses to enfce requiremomplexity aractical to rher insecure

ner 19 August 2008


e Corporation. All

ce managempurpose of ch access w

disclosed p

Recovery in E

pted Web intured to requmechanism

versity (thato prevent to enforce n impact bo

assword R

force passwments that and change emember ae ways13.

8


rights reserved.

ment controeach access

was necessar

password au

ERPM

terface (Figuuire the requfor manage

at is, avoidthe spread password roth security

Rules

word strengtre too simpfrequency

and so induc


Rev. 20090625a

ols by provids, thereby gry and used

tomatically

ure 5 above)uestor to eners to verify

ing unneceof uncontr

rules and upand operat

th, diversityle make syspolicies thace employe

de re

ding a giving least

upon

) that nter a y that

essary rolled pdate tional

y and stems t are es to

Page 12

The re‐usas this prThereforpasswordscripts thcomputeduring coprivilegeconfigurafeatures,processe

Automa

Privilegedand chanrequestobecause

Dto

C

C

The straichanges

Figure 6

se of login cractice expoe a commods among shat change er ID and daonfigurationd access) amation change, may fail tes that fail to

ated Alter

d identity mnge rules leors to accessthey:

Deploy diverso a schedule

an present u

an change p

ghtforward is shown in

– Configurin

credentials ases all asseton, ad‐hoc ystems in apasswords ate. Becaun, debuggingmong severae to any onto consisteno reliably syn

rnatives t

managementess burdensos privileged

se passworde

unique, privi

passwords im

interface inFigure 6 bel

ng Password

© 2009 by Lie

across indeps with commpractice th

a group (sayon each sy

use these scg and use, al employeee person. Sntly flag andnchronize ch

to Enforce

t software mome for adaccounts. T

ds of predete

ileged crede

mmediately a

ERPM to coow.

d Complexity

Four Key

eberman Software

endent assemon passwohat attempty, servers inystem basedcripts are tythe effect ies. This makcripted metd handle erhanges acros

e and Prop

makes compministratorsThese solutio

ermined com

entials for on

after each u

onfigure pas

y Settings in


e Corporation. All

ets is also knrds should ots to creatn a single dd on combinypically acces to share kes it imposthods may arror conditioss interdepen

pagate Pa

plying with ps while makons improve

mplexity on

ne‐time use

se

ssword com

n ERPM


rights reserved.

nown to carrone system be more vaatacenter) inations of vessed by sepassword sesible to tie also lack appons, and candent assets

assword R

password stking it easiee the securit

all target sy

over a secur

plexity and


Rev. 20090625a

ry significantbe compromried and ros to use stavariables suceveral indiviecrets (and data accesspropriate logan rely on ss.

Rules

trength, diveer for authoty of the pro

ystems acco

re interface

the frequen

de re

t risk, mised. obust artup ch as duals thus

s or a gging serial

ersity orized ocess

rding

ncy of

Page 13

Just as imaccountspotentiareceive uinterface

Figure 7

ERPM is passwordfor undofollowing

Step 4Beyond presencereinforcinstronger

Because ensure treportingautomatand repoinfrastruevents su

mportantly, ts and can rl for service updated cree to set prop

– Configurin

typically cod checkout, cumented pg section.

4 – Audittheir value e of reliableng service madherence t

manual anthat each ag and an auded auditing ort each accecture and ouch as fire ca

the best of treliably prodisruptions

edentials. Tagation rule

ng Automate

onfigured to thereby elimpurposes. Th

t in assuring

e auditing amanagementto managem

d ad‐hoc pccess is docdit trail that features fouess request, organizationaall access an

© 2009 by Lie

the automatopagate pasthat occur a

The most eaes, as with ER

ed Propagat

re‐randomiminating thehe result is im

g complianceand alertingt rules and sment directiv

rivileged idecumented iis of little usund in privilereport acceal problem nd process fa

Four Key

eberman Software

ted solutionssword chanas dependenasily configuRPM in Figur

tion Settings

ize each pase opportunitymproved aud

e with regug processes etting guidinves.

entity manan a consistse to enforceeged identitss activity aareas, andaults.


e Corporation. All

s detect the nges across nt services aured of thesre 7 below.

s in ERPM

ssword folloy for credenditing contro

ulatory and can improvng values am

agement proent way, the the organiy managemnd trends inalert superv


rights reserved.

presence ofthem. This

are locked ose solutions

owing a defintials to be sol, as will be

industry reve operationmong emplo

ocesses mahey can leazation's polient softwarn ways that cvisory perso


Rev. 20090625a

f interdepens eliminatesut after failis offers a si

ned period shared or re‐e discussed i

equirementsnal efficiencyees that le

ke it difficud to incomicies. Convee can reliabcan help pinonnel to un

de re

ndent s the ng to mple

after ‐used n the

s, the cy by ad to

ult to plete rsely, ly log point usual

Page 14

Manua

As notedof each party prithe indiv

Automa

Automatprivilegeindividuausers are

The in‐deissues thsuch que

Wg

Wo

W

W

ERPM ustime of eeach ope

Figure 8

al and AdH

d above, maaccess evenvy to passwviduals in cha

ated Alter

ted privileged accounts al, system ane configured

epth compliat can ariseestions as:

What individroup of asse

What resourcf time, and f

What privileg

What users a

ser activity reach access reration, and

– ERPM Com

Hoc Audit

nual processnt. Because ord secrets,arge, thus re

rnatives f

ed identity mpresent o

nd account, for privilege

ance reporte with system

uals have reets over a sp

ces has a pafor what pur

ged accounts

re configure

reports are drequest, thethe originat

mpliance Log

© 2009 by Lie

ting Proce

ses rely on smanual pro they depeneducing the r

for Auditin

managemenn a wide and show ded access to

s provided bms, policies,

equested acecified time

articular indrpose?

s are presen

ed to access

derived frome requestor ating IP addre

gs Show Act

Four Key

eberman Software

esses

supervisory ocesses mand on the trureliability of

ng and Al

t products srange of ddetailed diag each resou

by ERPM can and person

ccess to a paframe, and f

ividual attem

t on a partic

privileged a

m compreheand documeess of each re

tivity Details


e Corporation. All

personnel tke both theustworthineany audit tr

lerting

such as ERPevices, docgnostic inforrce.

n help supernnel to prov

articular accfor what sta

mpted to ac

cular IT asset

ccounts, and

ensive logs tented purposequest, as sh

s for a Selec


rights reserved.

to documente requestor ss and reporail.

PM can repocument accermation that

rvisory persoide authorit

count credented purpose

ccess over a

t or group o

d at what lev

that documese, the succehown in Figu

ted User


Rev. 20090625a

t relevant deand supervrting diligen

ort the detaess requestt indicates w

onnel investtative answe

ntial, IT assee?

specified p

f assets?

vel?

ent the dateess and failuure 8 below.

de re

etails vising nce of

ails of ts by which

tigate ers to

et, or

eriod

e and ure of .

Page 15

In additiocan be dand triggalerted eplatformas a failu

SummNews stoperatioWhile it'recurringmanual rthan a fe

AutomatManagerby discovof hardwdirectoryto intendreside antimeframnecessar

AboutLiebermaprofitablprivilege1999. Sinpasswordenterpris

Liebermasuch othcompanyproduct d

on to custoelivered by gers for framevents can i and type, sre to change

mary ories of sunal disruptios possible tg workload, remediationew personne

ted privileger from Liebevering the prware devicey services anded individund provides mes, and purry to ensure

t Lieberman Softwaree, managemd account pnce that timd solutions wses.

an Softwareer industry ly is headquadevelopmen

or call 800

mizable audemail or exmeworks likeinclude succuccess and fe passwords

pposedly coons offer poto take conpotential se impracticalel who may r

ed identity rman Softwaresence of pes, applicatind optional tuals. It hardea reliable arpose of eacthat the org

man Softe Corporatioment‐owned assword mame, the comwhile growin

is a Microsleaders as Cartered in Lont, testing, a

For mor

0‐829‐6263 (

© 2009 by Lie

diting and reported as SNe Microsoft cessful and failures of ps on systems

ompliant oroof of the rtrol of priviecurity gaps for organizarequire privi

managemenare Corporaprivileged accons and setwo‐factor aens and autaudit trail toch access reganization's s

tware on, establishorganizatioanagement smpany has cng its custom

soft Gold CeCisco, Novell,os Angeles, Tnd support o

re informati

USA and Ca

Four Key

eberman Software

eporting, ERNMP (SimpleSystems Cedenied passassword upds that are off

rganizations isks of ineffileged accesand lack of ations with leged access

nt solutions tion can impcounts and tervices. ERPuthenticatioto‐propagateo document quest. ERPMsecurity poli

ed in 1978 n since its insoftware, recontinuouslymer base to i

ertified Partn, Red Hat, HTX, and maioperations a

on, visit ww

nada) or 01‐


e Corporation. All

RPM providee Network Menter Operasword checkdate operatfline.

that sufferfective privilss using maan authoritasignificant ns.

such as Enprove securitheir interdeM leverageon to ensurees login crethe reques

M provides Iicies are effi

as a softwanception. Lieleasing its fiy updated ainclude man

ner and hasHewlett‐Packntains a regare based in

ww.liebsoft.c

‐310‐550‐85


rights reserved.

es configuraManagementions Managkout requesions, and pr

r costly datleged identianual and aative auditinnumbers of I

nterprise Raty and operaependencieses a configue that accessdentials whstors, systemT personnelciently put i

are consultaeberman Sofrst product and expandny of the wo

s technical pkard, IBM, RSgional office the United

com

75 (Internat


Rev. 20090625a

able alertingnt Protocol) ger. Examplsts configurerocess faults

ta breachesity managemd‐hoc stepsng trail can mT assets or

andom Passational effics on a wide rurable choics is providederever theyms and accol the automnto practice

ancy, has beftware pioneto this marked its privilrld's most se

partnerships SA and Intelin Austin, TStates.

tional).

de re

g that traps es of ed by such

s and ment. s, the make more

word iency range ce of d only y may ounts, ation e.

een a eered ket in leged ecure

with l. The TX. All

Documents

Privileged Identity Guide - Four Key Steps to Secure Your ......reuse. Exa e listed in Ta endor‐supp om applica me active…" ess rights to stem comp ke access fo inactive use used