The Expanding Footprint of the Privileged Identity Management Challenge

by Adam Bosnian, Cyber-Ark
Nov 5, 2009 12:19:22 PM

Companies have traditionally focused their privileged identity management efforts on assets like servers, routers and databases. However, that focus is expanding into other areas such as point-of-sale (POS) applications, remote sensing equipment and administration of business-level applications like SAP. Not only are the challenges of privileged identity management moving up and down the stack from the hardware layer up to the business application level, they are also moving outside those boundaries to the cloud and virtual computing environments. Regardless of the environment, there are administrators responsible for managing those environments, and privileged users with access to highly sensitive information that must be managed, monitored and controlled.

 

A Closer Look at the Privileged Identities Challenge

 

Today, organizations spend a lot of resources building an infrastructure for securing the enterprise and assuring their business continuity and compliance. A typical IT environment comprises hundreds or thousands of servers, databases, network devices and more, all controlled and managed by a variety of privileged and shared identities – also known as break-glass, emergency or fire IDs – which are the most powerful in any organization. These include the Root account on UNIX/Linux, Administrator in Windows, Cisco Enable, Oracle system/sys, MSSQL SA and many more.

 

         

Adam Bosnian is the Vice President of Products and Strategy at Cyber-Ark Software. He is responsible for the global product and business strategy of the company as well as for managing the North American sales organization and growing the business in this area.

       

These identities are often neglected; it is difficult to monitor their session activities, and passwords are never changed. In some cases, these identities are required not only by the internal IT personnel, but also by external third-party vendors and, thus, require extra care, such as secure remote access and secure session initiation without exposing the credentials. Powerful passwords are also often found hard-coded inside applications, scripts and parameter files, leaving them unsecured and rarely changed.

 

Mismanagement of privileged identities poses great risks to organizations. These include the following:

 

Insider Threat – One of the biggest concerns today is the risk of insider threat. In many organizations, the same Root or Administrator password is used across the organization, making it easier for a disgruntled insider to abruptly take down core systems.

 

Audit and Accountability – Compliance regulations (such as Sarbanes-Oxley, PCI and Basel II) require organizations to provide accountability about who accessed shared accounts, what was done, and whether passwords are protected and updated according to policy.

 

Loss of Sensitive Information – Privileged accounts usually have unlimited access to backend systems. Compromising such accounts may lead to uncontrolled access, bypassing the normal system operation. For instance, this can result in manipulating billing records and loss of money.

 

Administrative Overhead – With hundreds of network devices, privileged identities can be extremely time-consuming to update and report on manually, and the process is prone to human error. Moreover, inaccessibility of such a password by an on-call administrator may cause hours of delay in recovering from system failure.

 

Solution: Centrally Store Sensitive Identities

 

To address these daunting challenges, one solution is to eliminate the need to store application passwords embedded in applications, scripts or configuration files, and instead allow these highly sensitive identities to be centrally stored, logged and managed within a central server. This approach also simplifies audit and compliance requirements, because the organization can answer questions about "who" has access and "what" is being accessed. As a result, companies can better control and monitor privileged access to sensitive systems and devices, through privileged session recording with DVR-like playback and secure remote access to sensitive systems using privileged single sign-on, without divulging the credentials to end users.
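A first inventory step for the approach described above, as an added example that is not from the original article or from any Cyber-Ark product: a Python scanner that reports where literal passwords are assigned in scripts and parameter files, so they can be moved to the central store. The sample files, the key-name pattern and the `vault-cli` command are constructed for illustration.

```python
import re

# Constructed sample files: a shell script and a parameter file with embedded
# passwords, and a script that fetches its credential at run time through a
# hypothetical `vault-cli` command.
SAMPLES = {
    "backup.sh": 'DB_USER=system\nDB_PASSWORD="Summer2009!"\n'
                 'sqlplus $DB_USER/$DB_PASSWORD @nightly.sql\n',
    "app.properties": "jdbc.url=jdbc:oracle:thin:@db01:1521:ORCL\n"
                      "jdbc.password = changeit\n",
    "deploy.sh": 'ADMIN_PASSWORD="$(vault-cli get prod/admin)"\n'
                 'PASSWD=${ADMIN_PASSWORD}\n',
}

# "key = value" or "key: value" where the key name suggests a credential.
ASSIGN = re.compile(
    r"""^\s*(?:export\s+)?(?P<key>[\w.]*(?:password|passwd|pwd|secret)[\w.]*)"""
    r"""\s*[=:]\s*(?P<val>.+?)\s*$""",
    re.IGNORECASE,
)
# Values resolved at run time ($VAR, ${VAR}, $(command), `command`) are not
# embedded secrets, so they are not reported.
INDIRECT = re.compile(r"""^["']?(?:\$\{?\w+\}?|\$\(.*\)|`.*`)["']?$""")


def find_embedded_passwords(name, text):
    """Return (file, line number, key) for each literal credential assignment.

    The value itself is deliberately left out of the result so that the
    inventory report does not become another copy of the password.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m and not INDIRECT.match(m.group("val")):
            findings.append((name, lineno, m.group("key")))
    return findings


def inventory(files):
    """Scan a {filename: content} mapping and return all findings, sorted by file."""
    result = []
    for name in sorted(files):
        result.extend(find_embedded_passwords(name, files[name]))
    return result


if __name__ == "__main__":
    for name, lineno, key in inventory(SAMPLES):
        print(f"{name}:{lineno}: literal value assigned to {key}")
```

Each finding marks a credential that has to be replaced by a run-time lookup before automatic password changes can be enabled for that account, since rotating it earlier would break the script.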

 

Businesses can also eliminate manual administration and overhead by providing instant and automatic changing of passwords for thousands of network devices and applications, including scripts and parameter files. This high level of automation ensures extremely reliable and uninterrupted service with minimal administrator overhead and increased productivity.


Overall, to better protect highly sensitive information against internal and external threats in any environment, organizations need to closely examine how powerful privileged accounts are being monitored and controlled. By implementing proven processes, procedures and technologies to automate adherence to the security policies they put in place, companies can better secure privileged accounts and identities that provide access to the most high-value targets and information. This is also in accordance with the Consensus Audit Guidelines, which suggest automated and continuous control of administrative privileges.
