Académique Documents
Professionnel Documents
Culture Documents
SP i RE
security
Spire Security, LLC P.O. Box 152 Malvern, PA 19355 www.spiresecurity.com
Executive Summary
Enterprises continue to distribute computing architectures. For every new device, new operating system, new piece of middleware, and any other new component, there is a set of privileged accounts used by administrators and operators. Privileged accounts provide significant access into the computing environment. Admin accounts allow unfettered access to files, programs, and data. If they arent properly protected and managed, they represent a significant risk to any organization. But privileged accounts arent easy to manage. They are usually shared among many people, sometimes left with default passwords, and generally unkempt. Enterprises with strong control over privileged accounts often suffer from the high cost of management. Password retrieval may require the participation of multiple individuals and homegrown scripts must be managed, often creating a productivity challenge. This white paper discusses privileged passwords. It outlines the strengths and weaknesses of the high-risk approach to password management and the high-security approach. Finally, it provides a strategy for managing the characteristics of both in a real-world, shared password environment.
ii
Introduction
The password is ubiquitous in todays computing environment. What started as a way to allocate charges for time-sharing computer services has become the primary contributor to any enterprise security strategy. The password accompanies every user account and (in theory) gets strengthened with restrictions and factors in order to demonstrate an increased level of account validation during the authentication process. But not all passwords - and accounts - are created equal. While the objective of the password is to restrict access to an account, it doesnt always mean the accounts are uniquely assigned and properly managed. Enter the shared account the accounts that ultimately exist in every computing environment that are shared among multiple individuals or even groups for purposes other than typical user activity. Some shared accounts are shared with the world. These are the default accounts that ship standard with solutions. Default accounts take the form of everything from the highest level of administrator access to the lowest form of guest access. And default accounts usually ship with default passwords passwords also available to the world. Other shared accounts are created and managed by the enterprise. These accounts are generally used to perform some particular function within an enterprise. These functional accounts may be set up for backups, training, and development purposes. By far, the most significant type of shared account is the privileged account, in the form of administrator accounts and operator accounts. These accounts are a requirement for every system and application, and any large enterprise will have many administrators and operators using them. Additionally many manufacturers include default privileged accounts out of the box. These accounts are the proverbial keys to the kingdom and have a special place in the realm of account management.
System Administrator Accounts. One type of privileged account is the god account for any operating system or networking device (firewall, routers, etc.). Administrator accounts provide unrestricted full access to the platform and its configuration information, programs, and data files. If you consider all the servers, networking devices, and even workstations, any large enterprise will have thousands of these accounts. Operator Accounts. It is common to also have specific accounts so that certain technical support functions can be performed without the need for Administrator access. These accounts may be available to start and stop services, create and manage users, or perform backup operations. Application Administrator Accounts. Applications that are installed in a shared environment requires some level of access to the system often as an operator but sometimes as a system administrator. Whats more, these accounts have unique depth of access into specific applications. For example, the account sa ships without a default password and provides total access to Microsofts SQL Server application. Application Functional Accounts. Oftentimes, when implementing an application, the application requires a dedicated specific user account under which to run. These accounts are common for Internet-facing applications on the Web, Enterprise Resource Planning (ERP) and financial software from the likes of SAP and Peoplesoft, and custom applications created within the enterprise.
There is always a potpourri of other various shared accounts with specific privileges within an enterprise. They may run batch processes or automated scripts, archive and clean file systems, or provide some other specific service unique to the enterprise.
The Tradeoff
The tradeoff between high-risk vs. high-cost normally doesnt make anyone comfortable. It forces compromises based on a vague understanding of risk levels. Cost pressures are overwhelming to those selecting a high-risk option while regulatory requirements often drive the high-cost efforts.
Cost/Benefit Analysis
The optimal approach finds that point on the spectrum that provides the best mix of functionality with security. The way to evaluate the options is to break down the costs and risks into their atomic elements, measure the alternatives, and make a decision with complete information. These elements are: Number of Accounts/Passwords the discrete number of privileged user accounts that exist in an environment, along with their corresponding passwords. Number of Users the number and types of users who require access to shared passwords. Users are counted for each department, geographic location, or individual application. Password Information in order to gauge the risk, it is important to understand the password implications related to it. This means properly characterizing the password complexity, password change interval for every password applied to the number of users already collected. Number of Sessions a look at the logs can provide details on the usage volume of the target accounts themselves. This information can be used to quantify the amount and scope of the risk. Number of Activities within each session is (potentially) a number of activities that are performed. Though slightly harder to get, this type of information may be estimated to further narrow down the information about shared account risk. Number of Incidents in this case, an incident can be anything from a break/fix scenario requiring log review to an actual compromise of the privileged account. For cost purposes, an incident occurs for any reason that requires a log review to attempt to identify the person that was using some shared account at a particular time.
Quantifying Risk
The risk associated with shared passwords ends up falling into three categories: Manifest Risk the risk associated with the privileged account activities that are performed. This is the most prominent risk that inappropriate activities are occurring within the sessions. Inherent Risk the exposure that comes with configuration of assets, such as allowing many individuals access to an account/password pair, as well as weak password configurations that may expose the password to a brute force attack. Process Risk the possibility that an individual will usurp the password management process in order to quickly address a problem, or that a password that is supposed to be changed doesnt get changed.
Identifying Costs
For any security function, the total cost of that activity can be calculated by adding up the individual costs in two primary areas: salary and wages allocated to the time associated with performing the function; and the cost of software solutions that are used in support of those functions. So, for example, an environment with a single administrator making $100,000 a year and spending 25% of her time performing administrative tasks should allocate 500 hours worth of time (25% of a year) at $50 per hour for a total of $25,000 administrative costs. Where appropriate, the costs of a solution are added to that. These solutions may be associated with strong authentication or automated password management.
5
Password Vault addresses the high-risk scenario by providing a secure alternative to sharing passwords on excel spreadsheets. Risk is reduced through the extensive feature set associated with Password Vault. It ensures that passwords are tightly controlled and access is accountable without losing the level of productivity that is required.
Spire ViewPoint
Within the context of all user accounts, it is clear that privileged accounts can cause the most damage and are therefore purveyors of the highest risk. Adding to the risk is the idea that many individuals need access to the passwords, violating the key principle of secrecy.