By Donald Canning
Emerging Business Team, Microsoft
At RSA last month, user-centric identity was all the buzz when Microsoft announced the customers and partners who are already applying Windows CardSpace (now generally available in Windows Vista) to help realize a more confident online experience. Although this is certainly a noteworthy and exciting advancement, back-end legacy applications across the board contain vulnerabilities highlighted on security and privacy audit reports.
Looking back on 2006, a key development was that security vulnerability trends shifted from external (e.g. botnet) attacks to internal exposures resulting from stolen account information, missing laptops and information leakage. A key area of concern is “privileged accounts” that come with elevated or super-user capabilities and can therefore present more vulnerabilities. So what are these privileged accounts and how do they generate exposures for your company? A little-known fact is that nearly all administrative or privileged accounts on desktops and servers typically share the same password. Once you know one – or your desktop’s – you know everybody’s. Of course, IT pros know them all. Sure, passwords are changed across the board every ninety days or so, but is that good enough for today’s online collaborative environment?
They’re probably more widespread than you think: from the administrator account on a Windows server to the enable account on a Cisco router, privileged accounts are pervasive and provide the most powerful control of a target system, including full access to any data.
Recently a large global bank was told by the US Office of the Comptroller of the Currency (OCC) bank examiners that access to privileged accounts was not being managed, monitored or captured in a satisfactory manner. The result was that this bank underwent a fast-paced, reactive process to identify, evaluate and ultimately implement a Privileged Password Management (PPM) solution prior to its next round of OCC examinations.
This privileged identity issue is now being raised more broadly and by a growing number of regulations (Sarbanes-Oxley (SOX), OCC, Payment Card Industry (PCI), et al.). As in any environment, the initial experts in a regulatory area learn the breadth and nuances of a new regulation in the first audit cycles with the largest targets. While the issue was first identified two years ago by a handful of SOX 404 auditors mostly at the largest of banks, today, SOX-driven inquiries on privileged accounts have expanded to financial services institutions of all sizes and types, international organizations and the Fortune 1000 in general.
As this occurs, all parties involved in audit within these organizations must be aware of the privileged account issues, audit concerns, and the totality of the issue. This provides them a roadmap on solving this issue before it becomes an audit concern and reactive process.
Enough FUD (fear, uncertainty and doubt), so how do these powerful shared accounts become secured, managed and tracked effectively by Wall Street-type firms? Clearly, identity technology is an emerging hot-spot, with venture capitalists investing over $140 million in 18 new deals in the past six months (trending upward 20 percent from the prior two quarters). Innovative solutions can be found. One such leader in the space is Cyber-Ark, a very cool Boston-based company that provides password vaulting for highly sensitive corporate ‘jewel’ information. Cyber-Ark creates a safe haven to manage and share highly sensitive information, both over the Internet between discrete enterprises and within a single network. It nails three key areas surrounding privileged accounts:
- Securing access to only those personnel with the proper rights and credentials.
- “Personalizing” access so as to know “who” is using a privileged account.
- Adhering to internal policies on password change frequency, uniqueness and strength.
Databases are also exposed, as knowledge of the privileged database access account is revealed to all developers, especially those who manage quality assurance to production change control. Auditors are now looking into the powerful application identities that lie embedded in scripts, connectors and applications as possible vulnerability points for access into an organization’s most critical information. Cyber-Ark also provides a set of Application Programming Interface (API) shims that replace hard-coded database access routines.
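To make the three controls listed above and the API-shim idea concrete, here is a small in-memory model of a privileged password vault. It is an added illustration written for this article, not Cyber-Ark’s code or API, and every account name, password, user name and policy threshold in it is constructed for the example. It shows entitlement checks (only the right personnel get a password), attributed check-out (an audit trail of who took which account), policy auditing (age, strength and, in particular, the same password shared across hosts), and an application fetching its database credential from the vault at run time instead of carrying it hard-coded in source.

```python
"""Added example: a toy privileged password vault. Not Cyber-Ark's product;
all accounts, passwords, users and thresholds below are constructed."""

import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2007, 3, 1)  # fixed "current time" so the demo is repeatable

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass
class Credential:
    """One privileged account held in the vault."""
    account: str            # e.g. r"WINSRV01\Administrator" (constructed name)
    password: str
    rotated_at: datetime    # when the password was last changed
    entitled: frozenset     # user names permitted to check this account out


@dataclass
class Policy:
    """Internal policy on change frequency, strength and uniqueness."""
    max_age: timedelta = timedelta(days=90)
    min_length: int = 14
    required_classes: int = 3   # of lowercase / uppercase / digit / symbol

    def violations(self, cred, others, now):
        """Return the names of the rules this credential breaks."""
        found = []
        if now - cred.rotated_at > self.max_age:
            found.append("expired")
        if len(cred.password) < self.min_length:
            found.append("too_short")
        if sum(bool(re.search(p, cred.password)) for p in CHAR_CLASSES) < self.required_classes:
            found.append("weak")
        # The article's core exposure: one password reused on many hosts means
        # that knowing one administrator password means knowing them all.
        if any(o.password == cred.password for o in others if o is not cred):
            found.append("shared")
        return found


def generate_password(length):
    """Random password drawn from os-level randomness, covering all four classes."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(re.search(p, pw) for p in CHAR_CLASSES):
            return pw


class Vault:
    """Vault with entitlement checks, rotation and an attributed audit trail."""

    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self._creds = {}
        self.audit_log = []  # (timestamp, user, account, action)

    def add(self, cred):
        self._creds[cred.account] = cred

    def checkout(self, user, account, now):
        """Release a password only to an entitled user, recording who asked."""
        cred = self._creds[account]
        if user not in cred.entitled:
            self.audit_log.append((now, user, account, "DENIED"))
            raise PermissionError(f"{user} is not entitled to {account}")
        self.audit_log.append((now, user, account, "CHECKOUT"))
        return cred.password

    def rotate(self, account, now):
        """Replace the account's password with a fresh, policy-compliant one."""
        cred = self._creds[account]
        cred.password = generate_password(max(self.policy.min_length, 20))
        cred.rotated_at = now
        self.audit_log.append((now, "vault", account, "ROTATE"))
        return cred.password

    def audit(self, now):
        """Map each account to its policy violations (empty list = compliant)."""
        creds = list(self._creds.values())
        return {c.account: self.policy.violations(c, creds, now) for c in creds}


# Anti-pattern the auditors in the article look for: a production secret
# embedded in source. Constructed value, not a real credential.
HARDCODED_DSN = "Server=db01;User Id=sa;Password=Summer2006!"


def build_dsn(vault, app_identity, now):
    """Shim: the application checks its credential out under its own identity
    at run time, so the secret never lives in code and every use is logged."""
    password = vault.checkout(app_identity, "db01/sa", now)
    return f"Server=db01;User Id=sa;Password={password}"


def build_demo_vault():
    """Constructed scenario: three privileged accounts sharing one password."""
    vault = Vault()
    shared = "Summer2006!"
    vault.add(Credential(r"WINSRV01\Administrator", shared, NOW - timedelta(days=120), frozenset({"alice"})))
    vault.add(Credential(r"WINSRV02\Administrator", shared, NOW - timedelta(days=10), frozenset({"alice"})))
    vault.add(Credential("db01/sa", shared, NOW - timedelta(days=10), frozenset({"billing-app"})))
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    print("before rotation:", v.audit(NOW))
    for acct in list(v.audit(NOW)):
        v.rotate(acct, NOW)
    print("after rotation:", v.audit(NOW))
    print(build_dsn(v, "billing-app", NOW))
    print(v.audit_log)
```

Running the block as a script prints the findings before and after rotation; the interesting part is that the `shared` finding disappears only once every account gets its own randomly generated password, which is the property a ninety-day blanket change of the same password across all hosts does not give you.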
By being aware of the internal issue now, and fully understanding the growing awareness of the privileged account challenge, the growing in-depth knowledge of the audit community, and the expanding reach of these regulations, you can help move your organization to a proactive footing and avoid the reactive response process driven by unexpected audit results.