Privileged Identity Guide
Four Key Steps to Secure Your Infrastructure
Executive Summary
Because privileged identities hold elevated permissions to access data, run programs and change the configuration settings on virtually every hardware and software component of IT, control over their use is essential to maintain information security and operational efficiency. Regardless of past audit successes, organizations that fail to adequately control the use of privileged identities have experienced data loss, downtime, and damage to reputation.
This guide examines four key steps necessary to secure an organization's privileged identities. It describes basic, manual and ad‐hoc processes that can improve control over privileged access along with automated alternatives to further reduce the risks of data breaches and operational disruptions while improving staff efficiency and management oversight.
Contents
Executive Summary
Introduction
About Privileged Identities
How Access to Privileged Identities Spreads
Privileged Identities – The Risks
Privileged Identities and Compliance
Privileged Identities and IT Service Management
Taking Control
Step 1 – Identify
Manual and Ad-Hoc Processes to Identify Privileged Accounts
Automated Alternatives to Identify Accounts and Interdependencies
Step 2 – Delegate
Manual and Ad-Hoc Processes To Delegate and Control Access
Automated Alternatives for Delegation and Secure Access
Step 3 – Enforce
Manual and Ad-Hoc Processes to Enforce Password Rules
Automated Alternatives to Enforce and Propagate Password Rules
Step 4 – Audit
Manual and Ad-Hoc Auditing Processes
Automated Alternatives for Auditing and Alerting
Summary
About Lieberman Software

© 2009 by Lieberman Software Corporation. All rights reserved. Rev. 20090625a
Introduction

About Privileged Identities
Privileged identities are accounts that hold elevated permission to access files, run programs, and change configuration settings. Privileged identities exist virtually everywhere in IT; they are found on server and desktop operating systems, on network devices such as routers, switches, and security appliances, and in programs and services including databases, line-of-business applications, Web services, backup software, scheduled tasks, and others.

How Access to Privileged Identities Spreads
Absent sufficient controls, access to an organization's privileged accounts spreads over time in both planned and unintended ways. This happens as:
- Companies fail to change the pre-configured logins and service accounts (whether documented or undocumented) that are introduced as they deploy new hardware such as servers, networking appliances, backup systems and monitoring appliances.
- New applications are installed that contain both documented login and service accounts and undocumented backdoors.
- Companies delegate administrative duties across overlapping functional teams, change the roles of administrative personnel, and contract these duties to outside personnel.
- Organizations fail to revoke all privileged accounts accessed by an employee after his job role changes or his employment ends.
- Password security is breached by social engineering, dictionary attacks, and other means.

Because privileged identities are found virtually everywhere in the infrastructure and their access tends to expand over time, they can pose significant risks of unwanted data access and disruptions in business-critical services.

Privileged Identities – The Risks
Recent events demonstrate how failure to safeguard privileged access can result in the exposure of sensitive data and failures in business-critical services:
- A US financial institution discovered that its domain login credentials had been published on the Internet by a fired IT administrator.1

1 Immediately after the incident the organization purchased Lieberman Software products to secure its privileged identities.
- A large US city was locked out of its network by an administrator who was arrested following an altercation on the job.2
- A pharmaceutical supplier discovered the presence of a logic bomb inserted by a disgruntled administrator with unmonitored access; the malicious code was designed to wipe out the company's clinical trial data.3
- A credit reporting agency exposed more than eight million consumers' personal data when its database administrator sold the data for personal gain.4,5
- A PCI DSS-certified credit card processor suffered a data breach that it said had the potential to expose more than 100 million credit card accounts.6,7

Figure 1 – Organizations That Become Victims of Security Breaches in the Headlines

Beyond direct financial losses and negative media exposure expressed in Figure 1 above, the lack of adequate policies and practices to manage privileged accounts can make an organization unable to:
- Realistically quantify and address its security risks by determining where all potential privileged account vulnerabilities reside
- Protect the organization's assets by verifying that sensitive data is accessible only by those who are intended to see it
- Safeguard operational stability and security by providing an audit trail of individuals who are granted access to sensitive data or to make changes to business-critical IT processes
- Maintain staff efficiency by ensuring that IT personnel have the resources necessary to comply with corporate security policies

2 Paul Venezia, "Sorting Facts from Fiction in the Terry Childs Case," PC World, 30 July 2008.
3 Frank Washkuch Jr., "Former New Jersey systems administrator gets 30 months in prison for 'logic bomb'," SC Magazine, 9 January 2008.
4 Asa Aarons, "Company reports huge breach in personal data," New York Daily News, 7 September 2007.
5 Jaikumar Vijayan, "Database admin steals 2.3M consumer records at Fidelity National subsidiary," Computerworld Security, 3 July 2007.
6 Linda McGlasson, "Heartland Data Breach: Visa Questions Processor's PCI Compliance," Bank Info Security, 24 March 2009.
7 Stefanie Hoffman, "Heartland Data Breach Could Leave 100 Million Accounts Exposed," ChannelWeb, 21 January 2009.
- Eliminate inefficient, incomplete manual processes that can waste time while failing to address significant vulnerabilities
- Control the potential for extended damage after a single security breach exposes privileged account credentials that are re-used across independent IT assets
- Eliminate the potential for undesired system changes and service disruptions when privileged accounts are used for tasks that don't require them

Neglecting to control privileged account access can also lead to compounded costs as greater numbers of IT auditors look for sound management practices and more compliance authorities penalize organizations that fail to effectively address the risks.

Privileged Identities and Compliance
Failure to effectively manage privileged account access has the potential to block compliance with a range of initiatives and may lead to higher, direct business costs. For example, organizations processing credit card payments that fail to comply with Payment Card Industry Data Security Standards (PCI DSS) pay increased commissions and fines.8

Standards such as PCI DSS set minimum requirements for discovery of privileged accounts on all hardware and software assets along with restrictions on user access, account separation, auditing, password strength and reuse. Examples of PCI DSS requirements9 that are addressed by privileged identity controls are listed in Table 1 below.

Table 1 – PCI DSS Requirements Addressed By Privileged Identity Management
2.1 "Always change vendor-supplied passwords before installing a system on the network…"
6.3.6 "Removal of custom application accounts, user IDs, and passwords before applications become active…"
7.1 "Restriction of access rights to privileged user IDs to least privileges…"
7.2.1 "Coverage of all system components."
8.5.4 "Immediately revoke access for all terminated users."
8.5.5 "Remove/disable inactive user accounts at least every 90 days."
8.5.6 "Enable accounts used by vendors for remote maintenance only during the time periods needed."
8.5.8 "Do not use group, shared, or generic accounts or passwords."
8.5.9 "Change user passwords at least every 90 days."
10.2 "Implement automated audit trails for all system components…"

8 Jaikumar Vijayan, "Visa Warns Merchants of Deadline for PCI Compliance," Computerworld, 20 August 2007.
9 PCI Security Standards Council LLC, "PCI DSS Requirements and Security Assessment Procedures v1.2," October 2008.
It can be argued that the PCI DSS requirement that all IT components have access controls in place cannot be realistically met without the use of software that continuously auto-detects and auto-remediates privileged account credentials. Like the PCI DSS-certified payment processors who have endured highly-publicized security breaches impacting millions of customers, companies that fail to continuously detect and control all privileged accounts can face significant vulnerabilities regardless of past certification. As an engineer at one network appliance vendor put it,

"Our appliances monitor the core switches at the majority of the Fortune 500. Years after deployment, customers have told us that they haven't changed the default logins and privileged service account passwords on these devices. Many of those organizations – including supposedly PCI DSS compliant ones – either don't know how to find all of the privileged service accounts on the appliances or are unwilling to make changes for fear of causing service outages."

The failure of seemingly compliant organizations to discover and control all privileged identities appears to be raising alarm with greater numbers of auditors. As Philip Lieberman, president of Lieberman Software, notes,

"As late as 2007 we rarely heard about audit failures resulting from the lack of a privileged identity management strategy. Today a sizeable percentage of our new customers are enterprises that face expensive compliance failures and are looking to regain control of privileged identities, improve security, and pass future audits."

Privileged Identities and IT Service Management
Apart from compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, California Security Breach Information Acts, NASD 3010, SEC 17a-4, 21 CFR Part 11, DoD 5015.2 and a host of other regulations, organizations' failure to take control of privileged identities can impact the success of their IT service management processes. As one authority on ITIL, the most widely accepted approach to IT service management10 puts it,

"We must be aware of changes on all infrastructure that we are managing: servers, routers, network devices, databases, and so forth. Each detected change must either map to authorized work, or it must be flagged for investigation."11

A common principle of IT service management is to control which personnel can make changes that have the potential to impact business-critical services, ensuring that changes are made only at designated times and only for documented purposes. In particular, the existence of

10 APM Group Ltd., "Official ITIL® Website"; http://www.itil-officialsite.com/home/home.asp; accessed 24 June 2004
11 Kevin Behr, Gene Kim, and George Spafford, The Visible Ops Handbook (IT Process Institute, 2005), p. 28
super-user identities that allow unrestricted, undocumented access is viewed as an overreaching threat to successful IT service management:

"What is often overlooked is that if one person can single-handedly save the ship, that one person can probably single-handedly sink the ship, too." 12

As with other initiatives, failure to invest in sufficient safeguards to control privileged identity access can put IT service management processes at risk.

Taking Control
While the spread of uncontrolled privileged access threatens data security and operational efficiency, processes exist that can reliably help organizations regain control in a cost-effective manner. The processes can be described as four key steps that are abbreviated as I.D.E.A.:
- Identify and document all critical IT assets, their privileged accounts and interdependencies.
- Delegate access to credentials so that appropriate personnel, using least privilege required, with documented purpose, can login to IT assets in a timely manner at designated times.
- Enforce rules for password complexity, diversity and change frequency, synchronizing changes across all dependencies to prevent service disruptions.
- Audit and alert so that the requester, purpose, and duration of each privileged access request is documented and management is made aware of unusual events.

The following sections describe a number of alternatives to achieve these four steps.

Step 1 – Identify
The first step to take control of privileged identities is to identify where the account credentials reside on server and desktop operating systems, network appliances, software and service accounts, and elsewhere. A single server, for example, may have privileged identities present on domain and local logins, installed applications, scheduled tasks, services, IIS application pools, COM+, and DCOM objects. Without the assurance that all privileged identities are accounted for on every device, any initiative to take control of privileged access leaves significant gaps.

A second, critical aspect of this step is to thoroughly map the interdependencies among all privileged accounts on every device. Failure to take into account, for example, that a database account is accessed by four dependent services on other computers means that changing database credentials alone will lock out the dependent services and create business disruption.

12 ibid.
Because manually identifying substantially all privileged accounts and interdependencies requires a great deal of process discipline and a significant recurring effort, the use of automated software can improve the reliability of the process while substantially reducing the effort required.

Manual and Ad-Hoc Processes to Identify Privileged Accounts
To enumerate an organization's privileged identities without the use of dedicated software, IT staff typically start by exporting lists of IT assets from existing directory services. Connections are then established to each system through a combination of scripts that document the presence of system accounts, and by manual inspection for the presence of target applications and services. Because this process is time-consuming and varies widely from system to system, it carries the risk that personnel will fail to consistently complete it. Further, to maintain an up-to-date catalog of identities and interdependencies requires that the process be repeated over time and with each significant change in infrastructure.

Automated Alternatives to Identify Accounts and Interdependencies
Privileged identity management software automates the task to catalog an organization's privileged accounts and interdependencies and helps to assure that the results are complete and up-to-date. The best of these solutions can draw from numerous sources to create exhaustive lists of privileged identities present in the environment. As represented in Figure 2 below, Enterprise Random Password Manager (ERPM) from Lieberman Software auto-discovers and catalogs privileged accounts present on a wide range of server and desktop operating systems, network and backup appliances, databases, Web services, line-of-business applications, and other IT resources.

Figure 2 – ERPM Identifies a Wide Range of Privileged Accounts and Interdependencies
Figure 3 below shows how ERPM is configured to synchronize its discovery mechanism with Active Directory, one of many configurable discovery sources, to maintain its inventory lists.

Figure 3 – Configuring Dynamic Discovery through Active Directory in ERPM

Among privileged identity management solutions, ERPM is distinguished by its ability to leverage a wide range of discovery sources – including the directory services of Microsoft, IBM, HP, Novell, Oracle, SAP, Sun, Siemens, Red Hat and other open source alternatives, domain browser lists, IP range scans, and others – and for its power to detect interdependent processes and auto-propagate the necessary changes, thereby preventing lockouts and service disruptions.

Step 2 – Delegate
A second key goal of privileged identity management is to grant access only to authenticated requestors, in a timely manner, over a secure communication channel for a predetermined length of time and a documented purpose, using the least privilege required.

Manual and ad-hoc methods to achieve this step face a number of security and accountability limitations, as will be examined in the next section.

Manual and Ad-Hoc Processes To Delegate and Control Access
The cornerstone of manual processes for granting privileged access is carefully-planned human and physical security. When manual processes are implemented the individuals who control password delegation should be thoroughly vetted and limited in number, and password credentials that are kept on spreadsheets and hard-copy lists must be safeguarded to make them inaccessible to all but authorized individuals. Regardless of the human and physical
security measures that may be in place, manual processes introduce risks that can be difficult to mitigate:
- Because they lack automated auditing and control, they place a higher burden on an organization to thoroughly screen the individuals who control access.
- Manual processes make it more difficult to tie access to single individuals, since at a minimum a grantor and requestor both have access to passwords during each request.
- They increase the potential for service disruptions in distributed and 24-hour enterprises because they require at least one individual who controls the accounts to always have access to the credentials and a secure communication channel to each requestor.
- They make it more difficult to comply with service management initiatives because they rely on individual supervisors to document the reason for each access request and to communicate this data to those responsible for supervising the process.
- They can reduce overall security by relying on administrators to manually change the login credentials after a specified time following each request.

Automated Alternatives for Delegation and Secure Access
Automated privileged identity management software offers improved security, since it can:
- Promote greater accountability by delivering privileged credentials over a secure communication channel only to the authorized requestor, without exposing password secrets to any other individual.
- Provide 24-hour access to privileged credentials (including fire call access) anywhere in the world, authenticating through a configurable choice of directory and two-factor methods (Figure 4 below), regardless of the availability of supervisory personnel.

Figure 4 – Two-Factor Requestor Authentication in ERPM Using an RSA SecurID® Token
- Eliminate service disruptions and facilitate service management controls by providing a mechanism for requestors to document the purpose of each access, thereby giving supervisory personnel a way to confirm that each access was necessary and used the least required privilege.
- Eliminate misuse of credentials by changing the disclosed password automatically upon expiration of a pre-determined check-out time.

Figure 5 – Secure Web Interface for Password Recovery in ERPM

ERPM allows password self-recovery through an encrypted Web interface (Figure 5 above) that supports full auditing and reporting, and can be configured to require the requestor to enter a reason for each password checkout. This provides a mechanism for managers to verify that least required privileges were granted in each event.

Step 3 – Enforce
Reliably-enforced rules for password complexity, diversity (that is, avoiding unnecessary duplicate logins) and change frequency are critical to prevent the spread of uncontrolled access. As will be discussed below, manual processes to enforce password rules and update privileged account credentials face limitations that can impact both security and operational stability.

Manual and Ad-Hoc Processes to Enforce Password Rules
Organizations that rely on manual processes to enforce password strength, diversity and change frequency face a balancing act, since requirements that are too simple make systems vulnerable to automated exploits while complexity and change frequency policies that are overly stringent can make passwords impractical to remember and so induce employees to write down passwords and store them in other insecure ways.13

13 Ant Allan, "Blindly Increasing Password Strength Is Futile," Gartner, 19 August 2008
The re-use of login credentials across independent assets is also known to carry significant risk, as this practice exposes all assets with common passwords should one system be compromised. Therefore a common, ad-hoc practice that attempts to create more varied and robust passwords among systems in a group (say, servers in a single datacenter) is to use startup scripts that change passwords on each system based on combinations of variables such as computer ID and date. Because these scripts are typically accessed by several individuals during configuration, debugging and use, the effect is to share password secrets (and thus privileged access) among several employees. This makes it impossible to tie data access or a configuration change to any one person. Scripted methods may also lack appropriate logging features, may fail to consistently flag and handle error conditions, and can rely on serial processes that fail to reliably synchronize changes across interdependent assets.

Automated Alternatives to Enforce and Propagate Password Rules
Privileged identity management software makes complying with password strength, diversity and change rules less burdensome for administrators while making it easier for authorized requestors to access privileged accounts. These solutions improve the security of the process because they:
- Deploy diverse passwords of predetermined complexity on all target systems according to a schedule
- Can present unique, privileged credentials for one-time use over a secure interface
- Can change passwords immediately after each use

The straightforward interface in ERPM to configure password complexity and the frequency of changes is shown in Figure 6 below.

Figure 6 – Configuring Password Complexity Settings in ERPM
Just as importantly, the best of the automated solutions detect the presence of interdependent accounts and can reliably propagate password changes across them. This eliminates the potential for service disruptions that occur as dependent services are locked out after failing to receive updated credentials. The most easily configured of these solutions offers a simple interface to set propagation rules, as with ERPM in Figure 7 below.

Figure 7 – Configuring Automated Propagation Settings in ERPM

ERPM is typically configured to re-randomize each password following a defined period after password checkout, thereby eliminating the opportunity for credentials to be shared or re-used for undocumented purposes. The result is improved auditing control, as will be discussed in the following section.

Step 4 – Audit
Beyond their value in assuring compliance with regulatory and industry requirements, the presence of reliable auditing and alerting processes can improve operational efficiency by reinforcing service management rules and setting guiding values among employees that lead to stronger adherence to management directives.

Because manual and ad-hoc privileged identity management processes make it difficult to ensure that each access is documented in a consistent way, they can lead to incomplete reporting and an audit trail that is of little use to enforce the organization's policies. Conversely, automated auditing features found in privileged identity management software can reliably log and report each access request, report access activity and trends in ways that can help pinpoint infrastructure and organizational problem areas, and alert supervisory personnel to unusual events such as fire call access and process faults.
Page 14
Manual and Ad‐Hoc Auditing Processes

As noted above, manual processes rely on supervisory personnel to document relevant details of each access event. Because manual processes make both the requestor and supervising party privy to password secrets, they depend on the trustworthiness and reporting diligence of the individuals in charge, thus reducing the reliability of any audit trail.

Automated Alternatives for Auditing and Alerting

Automated privileged identity management products such as ERPM can report the details of privileged accounts present on a wide range of devices, document access requests by individual, system and account, and show detailed diagnostic information that indicates which users are configured for privileged access to each resource.

The in‐depth compliance reports provided by ERPM can help supervisory personnel investigate issues that can arise with systems, policies, and personnel to provide authoritative answers to such questions as:

• What individuals have requested access to a particular account credential, IT asset, or group of assets over a specified time frame, and for what stated purpose?
• What resources has a particular individual attempted to access over a specified period of time, and for what purpose?
• What privileged accounts are present on a particular IT asset or group of assets?
• What users are configured to access privileged accounts, and at what level?

ERPM user activity reports are derived from comprehensive logs that document the date and time of each access request, the requestor and documented purpose, the success and failure of each operation, and the originating IP address of each request, as shown in Figure 8 below.

Figure 8 – ERPM Compliance Logs Show Activity Details for a Selected User
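The compliance questions above, and the alerting on denied checkouts and failed password updates that the next page describes, worked against a constructed audit trail. This is an added example, not code from the guide or from ERPM: the pipe‐delimited log format, the field names and the sample records are assumptions made here so that the queries run offline. Three of the four questions can be answered from the access log alone; the fourth (which users are configured for which accounts, and at what level) needs the product's configuration data, so it is not modelled here.

```python
"""Querying a privileged-access audit trail (added example, not ERPM code).

Assumed record layout, one record per line:
<ISO timestamp>|<requestor>|<action>|<account>@<asset>|<outcome>|<source ip>|<stated purpose>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not real data.
SAMPLE_LOG = """\
2009-06-20T08:02:11|alice|checkout|Administrator@fin-db01|success|10.1.4.22|patch deployment
2009-06-20T08:05:40|bob|checkout|root@web01|denied|10.1.9.7|troubleshooting
2009-06-20T08:06:02|bob|checkout|root@web01|denied|10.1.9.7|troubleshooting
2009-06-20T08:06:31|bob|checkout|root@web01|denied|10.1.9.7|troubleshooting
2009-06-21T14:30:00|alice|checkout|sa@fin-db01|success|10.1.4.22|quarterly close
2009-06-22T02:00:00|system|password_update|Administrator@branch-pc17|failure|127.0.0.1|scheduled rotation
2009-06-23T09:15:09|carol|checkout|Administrator@fin-db01|success|10.1.4.31|audit review
"""


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime
    requestor: str
    action: str      # "checkout" or "password_update" (assumed action names)
    account: str
    asset: str
    outcome: str     # "success", "denied" or "failure" (assumed outcome names)
    src_ip: str
    purpose: str


def parse_log(text):
    """Parse the assumed format; malformed lines are skipped, never guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 7:
            continue
        ts, requestor, action, target, outcome, src_ip, purpose = parts
        account, _, asset = target.partition("@")
        records.append(AuditRecord(datetime.fromisoformat(ts), requestor, action,
                                   account, asset, outcome, src_ip, purpose))
    return records


def who_requested(records, account, asset, start, end):
    """Question 1: who requested a given credential in a time frame, and why."""
    return sorted({(r.requestor, r.purpose) for r in records
                   if r.action == "checkout" and r.account == account
                   and r.asset == asset and start <= r.ts < end})


def resources_attempted(records, requestor, start, end):
    """Question 2: what one individual attempted to access, with the outcome."""
    return [(r.ts.isoformat(), f"{r.account}@{r.asset}", r.outcome, r.purpose)
            for r in records
            if r.requestor == requestor and r.action == "checkout" and start <= r.ts < end]


def accounts_on_asset(records, asset):
    """Question 3: privileged accounts observed on an asset in the trail."""
    return sorted({r.account for r in records if r.asset == asset})


def denied_checkout_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Alert rule: one requestor denied `threshold` checkouts within `window`."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        if r.action == "checkout" and r.outcome == "denied":
            by_user[r.requestor].append(r)
    alerts = []
    for user, denials in by_user.items():
        for i in range(len(denials) - threshold + 1):
            first, last = denials[i], denials[i + threshold - 1]
            if last.ts - first.ts <= window:
                alerts.append((user, first.ts.isoformat(), last.ts.isoformat(), last.src_ip))
                break  # one alert per requestor per run keeps the output reviewable
    return alerts


def failed_rotations(records):
    """Alert rule: scheduled password updates that did not complete (e.g. host offline)."""
    return [(r.ts.isoformat(), f"{r.account}@{r.asset}") for r in records
            if r.action == "password_update" and r.outcome == "failure"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    span = (datetime(2009, 6, 20), datetime(2009, 6, 24))
    print(who_requested(recs, "Administrator", "fin-db01", *span))
    print(resources_attempted(recs, "bob", *span))
    print(accounts_on_asset(recs, "fin-db01"))
    print(denied_checkout_bursts(recs))
    print(failed_rotations(recs))
```

The point of keeping the requestor, source IP and stated purpose on every record is that the burst rule and the per‐user report can be answered without anyone having seen the password itself, which is exactly what the manual process cannot offer.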
Page 15
In addition to customizable auditing and reporting, ERPM provides configurable alerting that can be delivered by email or reported as SNMP (Simple Network Management Protocol) traps and triggers for frameworks like Microsoft Systems Center Operations Manager. Examples of alerted events can include successful and denied password checkout requests configured by platform and type, success and failures of password update operations, and process faults such as a failure to change passwords on systems that are offline.

Summary

News stories of supposedly compliant organizations that suffer costly data breaches and operational disruptions offer proof of the risks of ineffective privileged identity management. While it's possible to take control of privileged access using manual and ad‐hoc steps, the recurring workload, potential security gaps and lack of an authoritative auditing trail can make manual remediation impractical for organizations with significant numbers of IT assets or more than a few personnel who may require privileged access.

Automated privileged identity management solutions such as Enterprise Random Password Manager from Lieberman Software Corporation can improve security and operational efficiency by discovering the presence of privileged accounts and their interdependencies on a wide range of hardware devices, applications and services. ERPM leverages a configurable choice of directory services and optional two‐factor authentication to ensure that access is provided only to intended individuals. It hardens and auto‐propagates login credentials wherever they may reside and provides a reliable audit trail to document the requestors, systems and accounts, timeframes, and purpose of each access request. ERPM provides IT personnel the automation necessary to ensure that the organization's security policies are efficiently put into practice.

About Lieberman Software

Lieberman Software Corporation, established in 1978 as a software consultancy, has been a profitable, management‐owned organization since its inception. Lieberman Software pioneered privileged account password management software, releasing its first product to this market in 1999. Since that time, the company has continuously updated and expanded its privileged password solutions while growing its customer base to include many of the world's most secure enterprises.

Lieberman Software is a Microsoft Gold Certified Partner and has technical partnerships with such other industry leaders as Cisco, Novell, Red Hat, Hewlett‐Packard, IBM, RSA and Intel. The company is headquartered in Los Angeles and maintains a regional office in Austin, TX. All product development, testing, and support operations are based in the United States.

For more information, visit www.liebsoft.com or call 800‐829‐6263 (USA and Canada) or 01‐310‐550‐8575 (International).