Privileged Identity Management – Part 1

Data, data everywhere but you have no time to think.  One of an enterprise’s most important assets is its data.  Financial, intellectual property and employee information are all types of information that competitors and hackers alike clamor to get their hands on.  Making sure only those who need this information to do their jobs can reach it is known as Access Control.  Implementing access controls is critical to safeguarding your data.  But what about those IT folks who show up to every employee gathering and eat all the pizza?  How do they fit into this?

The enterprise environment is split into multiple layers — Network, Database, Application and Infrastructure.  At each one of these layers, IT associates manage and maintain performance to make sure business can be conducted, uninterrupted.  A byproduct of this responsibility is having access to all of the business’s most sensitive data.  If you are a CEO or business owner, I can hear your collective, “Yikes!!!”  So what is a gal/guy to do?  Enter Privileged Identity Management.

Privileged Identity Management

Privileged Accounts (PA) are non-user accounts that grant elevated access to systems, resources and data.  These are your Administrator, Root and Super User accounts.  They are typically shared among support personnel to perform administrative duties.  Our pizza eating friends just went from Petty Cash Piranhas to true Enterprise Risk.

Risks

As with all of life’s activities, there is some level of risk involved.  This case is no different.  Having specialized labor perform a specific job or function is a huge benefit.  But be aware — you’re handing over the keys to the kingdom.  Understanding each risk / benefit proposition is the first step to proper mitigation.  I’ve highlighted some key risks to focus on:

  1. Lack of Audit Trail – PAs are essentially anonymous accounts.  They lack association to a “real” user.  Actions performed under such an account therefore carry virtually no accountability.  It’s like free calories while on a diet.
  2. Access Leakage – Since passwords for PAs are shared among several people, they tend to leak out of Administrative groups over time.  With management of hundreds or thousands of accounts, the password for one account may very well be the password for EVERY ACCOUNT.  If you know one, you have them all.  To top it all off, without good password management practices like changing them periodically, the situation snowballs out of control quickly.
  3. Segregation of Duties (SOD) – PAs have access to sensitive information in the enterprise.  In most cases, this data is Confidential or Classified.  PAs inherently lack SOD controls (they have access to EVERYTHING).  Misuse can go completely unchecked.  Insert a Purchase Order into a database for “Line My Pocket Co.”  AND then insert the approval for payment.  Easy money…check’s in the mail.
  4. Principle of Least Authority (POLA) – POLA asserts that by granting only the access required to perform a task, one can’t overstep their bounds.  Some administrators use PAs to perform daily activities that do not require the vast authority these accounts wield.  One small error in scripting could invoke monstrous unintended consequences.  Say the admin just forgot they were in the same directory as your ERP database.  They then issue a delete command.  POOF!  Bye-bye data.
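As an added illustration of risks 1 and 2 (this is example code, not part of the original article): a small check over SSH authentication logs that flags direct logins to shared privileged accounts, which have no named person behind them, and counts how many distinct sources each shared account is used from, a leakage indicator.  The log lines and the list of shared accounts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd/sudo log lines for the example (not real data).
SAMPLE_AUTH_LOG = """\
Jan 10 09:01:02 db01 sshd[2201]: Accepted password for root from 10.0.5.17 port 50112 ssh2
Jan 10 09:03:44 db01 sshd[2210]: Accepted publickey for alice from 10.0.5.21 port 50130 ssh2
Jan 10 09:04:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Jan 10 11:15:09 db01 sshd[2388]: Accepted password for root from 10.0.9.4 port 41022 ssh2
Jan 10 13:20:55 db01 sshd[2501]: Accepted password for root from 192.168.77.3 port 39001 ssh2
Jan 10 13:22:10 db01 sshd[2507]: Accepted password for oracle from 10.0.5.17 port 39020 ssh2
"""

# Assumed list of shared privileged accounts on this host.
SHARED_ACCOUNTS = {"root", "oracle"}

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def analyse_auth_log(text, shared=SHARED_ACCOUNTS):
    """Return (direct_logins, sources_per_account, sudo_events).

    direct_logins: (account, source_ip) for every login straight into a
        shared account; no named human is attached, so no audit trail.
    sources_per_account: account -> set of source IPs; many distinct sources
        for one shared account suggests its password has leaked.
    sudo_events: (user, target, command); the accountable alternative, where a
        named user elevates and the command is recorded against that user.
    """
    direct, sources, sudo_events = [], defaultdict(set), []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            _method, account, src = m.groups()
            if account in shared:
                direct.append((account, src))
                sources[account].add(src)
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_events.append(m.groups())
    return direct, dict(sources), sudo_events


def leaked_accounts(sources_per_account, max_sources=2):
    """Shared accounts used from more distinct sources than policy allows."""
    return sorted(a for a, s in sources_per_account.items() if len(s) > max_sources)
```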

I’ve just highlighted some of the inherent risks of utilizing PAs.  Not to worry though, there are strategies to minimize, mitigate and in some cases eliminate these risks.  In my next article, I will explore practical solutions for you to implement.  Eating too much will be the only reason to give IT the “hairy eye” at the next pizza party.


Google Two-Step Authentication

For those of you looking to add extra insurance on protecting yourself from hackers and other miscreants, Google has the answer: Two-Step Authentication and Application Specific Passwords.

Two-Step Authentication

To get started, you have to enable Two-Step Authentication on the Two-Step Authentication page in your Google Settings.


You’ll be asked to send a verification code to your Mobile Phone via SMS (text) or Voice Call.  Once you enter the verification code from Google, Two-Step will be enabled.  Now when you need to log into your Google Account on a Web Browser, Google will ask you for the verification code sent to your Mobile Phone.


If you are on a trusted computer, like a home laptop, be sure to check off the “Remember this computer for 30 days.”  This will provide a balance between security and usability.

Application Specific Passwords

Sliced bread may have been the marvel of the 19th century, however, an application specific password is a very close rival.  Application Specific Passwords enable you to create unique passwords for different devices and programs that need your Google account to function.  For instance, if you have an Android-Based Phone, you’ll need a Google Account.  Instead of using your normal Google Account password, you can generate a unique password just for this device.

1. To enable, go to your Account Settings and then to “Authorizing Applications and Sites”.


2. Enter a Device Name and click on Generate Password.


3. Take the generated password and enter it on your Device.


You are now safe and secure!  You have now gained the benefit of a powerful control to protect yourself from stored browser sessions and stored passwords on multiple devices.

Please note: if you have Android Tablets/Phones, Google TV, Google Accounts on your iPhone or Picasa/Outlook on your Desktop, you will now need to configure Application Specific Passwords for these, as your “normal” account password will no longer work.

Revoking Access

If your phone is ever lost or stolen, you can now revoke access by logging into your Google Account and clicking on Revoke.
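To show what the Application Specific Passwords and Revoking Access sections above buy you, here is an added example (not Google’s code, and not part of the original post) of a minimal per-device password store: each device gets its own random password, only a salted hash is kept, the main account password is never handed to a device, and one device’s password can be revoked without touching the others.  The class and device names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string


class AppPasswordStore:
    """Illustrative model of per-device application-specific passwords.

    Not Google's implementation: a simplified store that demonstrates
    per-device generation, verification and revocation.
    """
    ALPHABET = string.ascii_lowercase

    def __init__(self):
        self._devices = {}  # device name -> (salt, password hash)

    def generate(self, device):
        """Create a new 16-letter password for a device; shown once, stored hashed."""
        pw = "".join(secrets.choice(self.ALPHABET) for _ in range(16))
        salt = os.urandom(16)
        self._devices[device] = (salt, self._hash(pw, salt))
        return pw

    def verify(self, device, password):
        """True only if this device's current, unrevoked password was supplied."""
        entry = self._devices.get(device)
        if entry is None:
            return False  # unknown or revoked device
        salt, stored = entry
        return hmac.compare_digest(stored, self._hash(password, salt))

    def revoke(self, device):
        """Drop one device's password, e.g. after the phone is lost or stolen."""
        return self._devices.pop(device, None) is not None

    def devices(self):
        """Names of devices that currently hold a valid password."""
        return sorted(self._devices)

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash so a copied store does not yield usable passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
```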


Stay safe.  Stay Secure.  Stay in Control.  Enjoy!