Last December (“Quo Vadis?”) I advocated using Privilege Management solutions for all users. As Martin Kuppinger defined it in his advisory note last April:
“Privilege Management, which in the KuppingerCole nomenclature is called PxM, is the term used for technologies which help to audit and limit elevated rights and what can be done with shared accounts. The x in PxM is used due to the fact that there are many different terms in the market which aren’t used consistently:
- Privileged Access Management
- Privileged Account Management
- Privileged Identity Management
- Privileged User Management
- Root Account Management
- Application Identity Management
- and others…”
Cyber-Ark’s 6th Annual “Global Trust, Security and Passwords Survey” is compiled from interviews with 820 IT managers and C-level professionals across North America and EMEA, primarily from enterprise-class companies. You can read the survey results for yourselves, but these are the highlights.
Any breaches/data leakage that involves a privileged account can be considered an “insider” attack, either if the insider is a malicious employee, contractor or partner, or if the attack uses an insider’s account acquired through phishing - such as the breach of RSA’s servers (see “Preventing, or surviving, data leaks”). So it was gratifying to see that 71 percent of respondents to the Cyber-Ark survey consider insider threats to be the greatest security risk to their organization. Slightly less, 64 percent of respondents, believe that the majority of recent security attacks have involved the exploitation of privileged account access.
One of the odder questions asked was: “Do you believe that data breach notification laws are effective in curbing data loss?” As was noted, “In both Europe and the US, data breach notification laws have been enacted in varying degrees. 46 states in the US have enacted legislation requiring notification of security breaches involving personal information. Whereas in Europe, the EU’s new data protection laws, which include an obligation for organizations to reveal the detail of a security breach within 24 hours, will be rolled out to all member states by 2014. In Europe, additional legislation, such as Germany’s data breach notification laws, and the UK’s Information Commissioner’s Office (ICO), which has the power to fine organizations up to £500,000 for breaches of the current UK Data Protection Act, also play their part.”
I would have liked to see the question re-worded to “Do you believe that newer, stronger, data breach notification laws are an incentive to increase your data leakage protection efforts including Privilege Management and controls?” Unlike laws that criminalize behavior, and supposedly make people think twice before committing that behavior, notification laws do not penalize the criminal, but exact a punishment of one of the victims - the organization whose information has leaked is a victim of the data breach crime. Those whose personal information has been taken could then become the victims of identity fraud crimes, in which case the organization which was breached could have some culpability based on the amount of protection that was afforded the data. Notification laws are intended to allow those secondary victims a warning that their accounts might be in danger. They also have the additional effect of shining a bright light on the organization which sustained the breach, usually causing harm to their reputation (as it did to RSA) or even their very existence (such as the case with DigiNotar).
AS noted, 64% of the respondents believed that recent data breaches were directly related to the misuse of privileged accounts. Yet only 57 percent of respondents indicated they were currently monitoring the use of privileged accounts; the other 43 percent stated that either they did not monitor the accounts, or they were unaware if such monitoring occurred – and this was a group of high level CxOs, directors and managers!
A whopping 52 percent of respondents reported that they are able to get around controls put in place to monitor privileged access. If only 64% were aware that there were controls, but 54% report the ability to elude those controls, then over 80% of the controls in place could be considered ineffective! Responding to another question, nearly half of all respondents indicated that they’ve accessed information on a system that was not relevant to their role.
I may need to re-think what I said about organizations wishing to find a way to strengthen their password policy by using PxM for all users. I did that after taking a deep dive into Cyber-Ark’s Enterprise Password Vault (EPV). Noting that not only will EPV securely store passwords, but it will also generate strong passwords and change them regularly – up to doing so after every use! EPV will also audit and report on the use of those passwords. You don’t even need a single username/password for accessing EVP – RSA SecurID, Web SSO, RADIUS, PKI and smartcards are all configurable methods for connecting to the vault.
Martin Kuppinger’s recent post (“The sad world of passwords – and why IdPs don’t solve the problem”) points out the reasons why a change away from username/password might not happen in the short term:
“ We know that it is pretty complex and costly rolling out hardware-based two- or more-factor authentication – and pure software-based approaches have a tendency to be more limited regarding security. Approaches which require specialized hardware are unlikely to succeed, so until NFC (near field communication, with its own security issues) or security technology built into chipsets becomes standard, we will struggle with this.
We also know that user acceptance is key to success – and many of the strong authentication approaches just fail here, like virtually all types of biometrics.”
I agree. But using a fortress-like Simplified Single Signon (SSO) with a non-password strong authentication method to access it (such as a hardware token or a proximity device) could go a long way towards mitigating the risk of data breaches. Yes, it will be an expense both in terms of hardware/software purchases as well as setup time and user education. But the immediate payoff is protection of the organization’s reputation while the long term benefit is keeping the organization solvent and its officers out of jail.
Solvency? Jail time? Businesses breaching European Union privacy rules will soon face fines of up to 5 per cent of their global turnover, which could extend to billions of euros for large multinationals. Expect that other western democracies in North America and the Asia-Pacific region will soon follow suit. From there, it’s a small step to criminalizing the behavior of corporate officers who ignore the potential for data breaches. Already (as in the recent Facebook breach) we’re seeing class-action civil lawsuits in the US against the company alleging they failed to protect the interests of their users.
A question has arisen about traditional ESSO solutions, which are generally less expensive than PxM solutions, being used for this. But traditional ESSO has some fundamental differences, the major one being that most do not generate passwords nor even calculate their strength. They tend to be passive bystanders, watching the user authenticate and then mimicking that ceremony when the user returns to the site/app/service. The PxM solutions will generate strong passwords for the sites/apps/services and will do so every time they are visited, if you so desire. If we’re going to continue to use passwords then we should use password services that re as robust, strong and protected as possible, shouldn’t we?
In talking about this with some of my colleagues, we’ve reached the conclusion that today’s PxM solutions, geared as they are to a minimal number of privileged accounts, would need some modification to be generally acceptable to the majority of end users. ESSO solutions, on the other hand, would need to be beefed up, strengthened and made more manageable. The ideal solution is a cross-breeding of the two (someone get to work on that, please!).
Until that day, though, I still suggest PxM solutions, but in light of the Cyber-Ark survey there’s much due diligence you need to do about the effectiveness of whichever solution you might want to go with. KuppingerCole’s Advisory Note on Privilege Management is an excellent place to start.