Carl Weinschenk spoke with John Moyer, president and CEO, BeyondTrust.
Weinschenk: What’s wrong with passwords?
Moyer: Basically, what we see are weaknesses with systems that manage passwords and organizations that try to use passwords for access to databases or resources. They can say the password is only valid for a certain period of time, but it doesn’t take malware much to be able to exploit such a password. When they have a system that tracks what people do with passwords, by its very nature it is a game of catch up after the fact. You look at User Account Control from Microsoft and Vista. It is just adding another layer of complexity and another point of failure, really. There are so many users that have admin privileges. It’s a very big problem for organizations. With an admin password, you can turn off group policy, change security settings, turn off antivirus. Malicious users can change whatever they want in the registry. From our perspective, we want to limit what you can do with admin accounts and passwords.
Weinschenk: Is this a new problem?
Moyer: I think it has always been a problem, and I think from a malicious software perspective it is more and more of a problem. You always had a number of passwords out there, you always had the admin accounts. Eighty-plus percent of people are logging in as an admin. Microsoft in Vista Account Control is asking admin to manage another account. Microsoft is asking companies to take standard users and turn them around and give them an admin account and password. They are just asking for problems by introducing more passwords into the process.
Weinschenk: What does your company do?
Moyer: We provide a unique solution that enables organizations to eliminate admin rights. BeyondTrust sells the Privilege Manager, which manages privileges that users have in a Windows network. What the product does is enable admins to log in as standard users and then elevates specific processes on an as-needed basis. What our product does is look at what needs to be elevated to run correctly, what different groups need to do their jobs. It makes everyone a standard user and elevates specific processes as needed. Administration is centrally controlled through group infrastructure that is tied in with Active Directory. The user does not know what’s going on behind the scenes.
Weinschenk: Are admin-enabled passwords a bigger problem for large companies, or is it a problem for companies of all sizes?
Moyer: It is a huge problem that affects organizations of all sizes, especially with 500 or more seats, the larger enterprises. We sold our software to two of the largest financial services companies, very large federal agencies, very large pharmas and health care concerns. How big is this problem? This is something Microsoft identified as a huge problem. One of Vista’s most touted features is User Account Control. It is meant to deal with having too many privileges. Most malicious software won’t install without admin privileges. Microsoft has done a decent job of educating the marketplace about this problem.
Weinschenk: Do people get it?
Moyer: People largely do realize they have the problem. In most cases, they are in a Catch-22. They want to get rid of admin privileges and want people to log in as standard users, but have software that requires people to log in with admin privileges. They need to have people install the software to do their job.
Weinschenk: Do things like federated identity and single sign-on help?
Moyer: Single sign-on is a help in reducing the number of passwords that have to be remembered. It makes sure that the passwords are the required length, how many times they can be incorrectly entered until the person needs to create a new password … So clearly SSO certainly is helping if you are going to have people logging in as admin.
Weinschenk: How has the evolution of viruses from mass to targeted distribution impacted password-related privileges?
Moyer: If viruses had not evolved, if they weren’t coming out in zero-hour attacks aimed at specific organizations, the mass defenses of antivirus vendors would be somewhat adequate. They would identify malicious software, and get it out to the clients quickly. It really becomes a somewhat palatable solution. But that doesn’t address the malicious user. The more targeted malware approaches could not be detected as readily. We need another way to defend against them.