Organizations are careful when granting privileged access to critical systems. But they struggle to govern these privileged identities. Merritt Maxim of CA Technologies shares new strategies.
By taking extra care in privileged identity governance, organizations can improve their entire security posture, says Maxim, director of identity management product marketing at CA Technologies.
A fundamental challenge for many organizations: just knowing who their privileged users are. "In any large, distributed organization, you've got lots of employees," Maxim says. "They are changing roles and responsibilities. They may get added on to certain projects for certain business initiatives. Even just understanding at any given moment in time who your privileged users are - just the discovery of those [users] is a very important step and one that can be a challenge."
In an interview about privileged identity governance, Maxim discusses:
- Why privileged identities are often managed badly;
- How leading organizations are addressing privileged identity governance;
- Business benefits of improving identity management.
Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud security initiatives. The co-author of "Wireless Security," Merritt blogs on a variety of IT security topics, and can be followed at www.twitter.com/merrittmaxim.
Managing Privileged Identity Access
TOM FIELD: Why is privileged identity management still managed badly in organizations?
MERRITT MAXIM: When you say privileged identities, those are the users who have access to your most critical data and systems. Therefore, those systems are at the highest risk for hackers and also potential disclosure of data information. I wouldn't necessarily say that it is consistently managed badly, but it's not just the managing of the privileged users and understanding their access. [It's] being able to do that on a holistic basis, in an ongoing manner, [to] verify at any moment what your privileged users have access to and how they use that. When the auditors come knocking, you've got to have answers for them [about how you can] better control and manage your risk.
Commonly Overlooked Risks
FIELD: What do you see as some of the most commonly overlooked risks when it comes to privileged identity management?
MAXIM: Just knowing who all of your privileged users are. With any large, distributed organization, you've got lots of employees that are changing roles and responsibilities. They may get added on to projects for certain business initiatives, and just understanding at any moment who your privileged users are can be a challenge. So organizations may think that they can define and know who all of those privileged users are, but chances are they may be missing a handful here or there who, over time, have accumulated privileges for new systems. That's an area that is often overlooked, and certainly is an important place to start. By discovering those, you can then implement the appropriate controls to manage and control them going forward.
FIELD: You grant privileges, but they never get revoked, do they?
MAXIM: That's exactly what happens, and it's not just for privileged users, it's for all types of users. Certainly the longer you've been with an organization, the greater likelihood that you've accumulated privileges over time that are no longer necessary or relevant to your job, and that becomes a potential compliance and audit risk. It's not that you're using those entitlements; just the fact that you have those means that account is potentially susceptible to hacking or other issues. Trying to reduce that privilege creep over time is definitely a goal that organizations should be assuming, obviously for privileged users, but for all users as well.
Identity and Access Governance
FIELD: What do you see organizations addressing when it comes to identity and access governance?
MAXIM: With governance, the identity access management market is a mature market. It's been around for over a decade, and listeners will have a general understanding of what's involved. The governance angle is certainly a level beyond just the management. It is one thing to manage the users, but it's really, when we talk about governance, about managing users throughout their entire lifecycle in the organization, from the day they're hired to when they're transferred or promoted. Have a holistic process in place so that their entitlements are managed and secured throughout their lifecycle, and are in fact governed so that when they do leave the organization, you can immediately revoke those privileges to prevent any future gaps of what we call orphan accounts. [Those] are scenarios where users have left the organization, or may have left a role in their organization, but still have valid credentials on a system. That is another variant of privilege creep, and is a definite red flag for auditors. Having that holistic governance process in place can hopefully help minimize the risk of orphan accounts and better improve your compliance posture.
Privileged Identity Management
FIELD: How do we distinguish identity and access governance from privileged identity management?
MAXIM: It gets more [into] semantics of what's involved with the different terms, management versus governance. A lot of organizations have already implemented some form of privileged identity management today. But those deployments often lack automated processes to verify that the administrator access rights are valid on an ongoing basis. Having the governance feature enables us to have those automated processes in place to help verify the access rights on an ongoing basis. Privileged identity management is an important first step, and something an organization should be considering if they haven't already. It's really being able to put that governance in place to do the automated verification of rights on an ongoing basis, where you start to see additional value and savings in the form of not having to do verifications on a manual basis, which can consume a lot of time and resources.
FIELD: How does CA Technologies address the area of privileged identity governance?
MAXIM: CA Technologies has been an active participant in the identity access management market for over a decade. In response to the growing need for more complete solutions around privileged identity management, we have a solution that can address delivering governance using two solutions from our portfolio. One is called CA ControlMinder, which provides some shared account management capabilities for secure storage and access of privileged user passwords. Then we have an additional product called CA GovernanceMinder that does ongoing certification campaigns on privileged users using automated workflow and approval processes to help streamline that. It's the integration of those two products that gives organizations the ability to implement privileged identity governance today.
FIELD: In addition to identifying the privileged users in an organization, what are the business benefits customers are seeing with your solutions?
MAXIM: Certainly the risk angle is being able to mitigate the risk of privileged users. [That is] a big benefit, one that customers see a lot of value in, given that privileged users do have access inside the system. Having the automated process in place and visibility into administrative access rights is very important, because hopefully it will allow you to remove or make adjustments to those access rights in real time. That can better control your risk. The ongoing operational efficiency that can be gained by automating some of these processes around how you regulate and verify administrative actions, there's definite value in doing that. A lot of companies today may rely on spreadsheets or other kinds of manual-based processes that, while they do the job, can be cumbersome and require a lot of extra manpower to administer. By streamlining those processes to have more automation, users will be directed to a portal, see a list of all the users, and easily approve or reject access rights. [It] also gives you some accountability that you can then, when the auditors request, verify that these users are [reviewed] on regular intervals and that any outstanding issues have been remediated appropriately.
FIELD: So they're going to save time and resources that then can be spent elsewhere?
MAXIM: Correct, on potentially higher-value-added items of the business. So instead of poring through spreadsheets, the users can now be more involved with configuring new systems or doing other types of things that are going to better actually help grow the business.
Where to Start?
FIELD: Where do customers start to assess and mitigate their risk when it comes to privileged identity management?
MAXIM: First thing, obviously, is really looking at your environment and understanding where your privileged users sit. Once you have a handle on who those privileged users are, then engage cross-functionally with your audit team and others to understand what the underlying risks are associated with target systems. Then, prioritize the highest system as the one that you want to implement around this first. The good news, when you're talking privileged users, is in most cases it's a much smaller subset of the employee population. So getting that prioritization of what your highest systems are is a good first step. Next step will be discovering who has access to those systems, and then once you've got that knowledge in place, you can begin to put in place some basic processes to verify their access rights and implement privileged identity governance.