If you look at recent breaches, you see a common thread: If privileged identities were better managed, breach impacts would greatly lessen. Bill Mann, Chief Products Officer of Centrify, discusses the essentials of privileged ID management.
To truly protect their data, organizations need to look beyond the threats and see how technology has fundamentally changed how we approach privileged identity in the enterprise. The advent of mobility, cloud and outsourced IT services has sparked this transformation, Mann says.
"These three things are leading to the de-perimeterization of the datacenter, which is what I call the modern enterprise," Mann says. "These changes - the enterprise moving toward this modern environment - means that the challenges around data protection, privacy and obviously privileged users become very different as well."In an interview about privileged identity management, Mann discusses:
- How the modern enterprise has changed how we approach privileged identity;
- Privileged identity management best-practices;
- Tools and skills necessary to improve identity management.
Mann is an enterprise software security executive with both large company and startup experience. Prior to Centrify, Mann held various general management and product management leadership positions at CA Technologies (formerly Computer Associates International, Inc.), including SVP of Cloud Strategy, covering the whole software security sector, as well as the Cloud, SaaS and IT Management segments. At CA Technologies he was instrumental in its leadership in security, including in the cloud and SaaS areas, spearheading multiple acquisitions and product introductions. His most recent position was focused on fraud detection for eCommerce transactions and innovations in the mobile payment security space. Prior to CA Technologies, Mann held senior executive positions at Volera, Novell, Juston and Worldtalk.
Link Between Breached, Privileged ID
TOM FIELD: Bill, to start with, talk to me a little bit about the key link between some of the recent high profile breaches that we've all heard about and privileged identities.
MANN: So that's a good question, because if you examine maybe the recent Verizon data breach report or the Mandiant report that recently came out, there's something common across these two independent reports, and the commonality is the fact that they both highlight that if privileged users were better managed, then the risk would have been less so for the organizations that were afflicted with the breaches. Now that's kind of the link, and it could be the users who have access to the data that's inside the data center. So if you think of a healthcare organization or a financial services organization, that's going to say credit card information or Social Security information and so forth. The bad guys are really trying to steal large quantities of data. That's what we're reading in the press. And the advanced persistent threats, they somehow get into the organization and they target the servers that have got this data, and they actually target the accounts that give them access to that data, and those accounts are called privileged users or privileged accounts or privileged identities. But either way those accounts give access to what we kind of call the keys to the kingdom, and once those accounts are jeopardized and have been compromised in some way, that's how the bad guys end up stealing a lot of information. So that's the big link between these high profile breaches and the identity management space.
New Approach to Privileged Identities
FIELD: So, Bill, as a follow up to that, how has the modern enterprise changed the way that we approach privileged identity?
MANN: That's a big one, because the way I kind of described it almost kind of made it seem like the data is sitting inside the data center, and if you're able to protect that data, then the world's going to be a better place for the enterprise. But that's just not the case anymore. What's happening now is all enterprises are becoming fragmented. There's a de-perimeterization happening across all organizations, and it's happening because of three things.
One is there's mobile users - all of us are mobile users. We want to be able to access our information from wherever we are, and we don't want to actually go into the office anymore to do the job that we previously were doing a couple years ago. So that means the data has to be delivered to us and in a form factor that's obviously readily available on our handsets and our mobile tablets and so forth. So that means the data is no longer inside the enterprise anymore; it's sitting inside the enterprise, but it's traversing the whole Internet before it gets to the target user of that data.
The second is infrastructure as a service, or cloud infrastructure. So most enterprises now, even though they may not want to admit to this, are either using cloud data centers to complement their on-premise data centers, or they're contemplating moving in that direction. Nobody is really building out large data centers anymore. I mean, the enterprises that have data centers already are obviously maintaining them. They've already invested in those data centers, so it doesn't make sense for them to kind of downsize those data centers. But in terms of increasing capacity and so forth, they're not looking to add more data centers. Instead they're using the cloud, so that means now that the cloud has got servers, and those servers have obviously got information that is critical for the enterprise.
The third is what I call outsourced IT, the very fact that in the previous world employees and consultants used to work for the enterprise, and they used to go into the data center, access the data and so forth, but now we're in again a very fragmented world where we've got outsource IT organizations who are helping us maintain the data centers that we've got, but now they've got access to the data as well.
These three things - mobile, infrastructure as a service and outsourced IT- are really leading to this de-perimetertization of the data center, which is what I call the modern enterprise. Because the enterprise is moving in that direction purely because it wants to be competitive, it wants to innovate, it wants to do more with less, it wants to build new applications and so forth, right? It doesn't want to stand still and play with a set of tools that no longer enable it to be competitive anymore. So that's really what's happening, and these changes in enterprise moving towards this kind of modern enterprise environment means that the challenges around data protection and privacy and obviously privileged users become very different as well.
Breaking from Tradition
FIELD: Well, that's exactly where I wanted to take you next. Given what you've just painted for us, this picture of the modern enterprise, what's wrong with how enterprises traditionally approach identity management?
MANN: The traditional way of managing identity has been one based upon an on-premises kind of deployment of products, so the products themselves have to be deployed on premise inside the data center. They have to be set up, you have to buy servers, hardware, databases. You have to worry about backup and restore and so forth. You need to train your people to run an identity management software, so that's one part of it. And as we know with applications moving to the cloud, let's say Salesforce.com and so forth, they've taught us that that's not just the only way to deliver software anymore; that we can deliver software from the cloud. So an organization that is buying Salesforce no longer has to worry about managing Salesforce applications, but can focus instead on sales, targets and so forth.
So that's one thing that's true for the identity management phase as well, the very fact that organizations in the past had to be knowledgeable about identity management and running these systems, but they don't really need to be if it was delivered as a service. That's really the form factor, the delivery form factor, and with that delivery form factor comes things such as purchasing on a subscription basis versus buying perpetual, which obviously makes it easier for the organization to acquire these products and implement these solutions.
The third is really the use cases, the very fact that I said earlier on about the use case now is a combination of unpremised plus these modern enterprises cases of mobile and outsourced IT and infrastructure as a service means that running things on premise can make sense, but it doesn't have to make sense anymore. The very fact that over a period of time there's probably, if you take a normal organization today, a lot of the data is unpremised, but that equilibrium will start to tip towards the cloud at some point. And in a couple of year's time it's not going to be very clear to us anymore where more of our confidential data is. Is it on premise or is it in the cloud? And certainly as organizations already use Salesforce.com and other cloud-based applications, Box and Dropbox and so forth, there's a blurring line between where your data is. So that's really the problem with the existing systems out there -- the ones that are on premise and by virtue of them being on premise, it's more complex for the organization to actually purchase them, build them, deploy them. And then the next one is the use cases themselves, and the use cases themselves kind of demand the deployment of the identity management solution to be very different as well.
FIELD: Well, Bill, with that as context, what are some of the privileged identity management practices that you recommend, and what's it take in terms of tools and skills to be able to adopt these practices and really make them work?
MANN: The first thing is what we call identity consolidation. This is all around making sure that if there's a privileged user within the organization, that privileged user is authenticating themselves with a single identity. The last thing you want in an organization is for an IT user to have one way of authenticating themselves, let's say, to a UNIX machine and a different way to authenticate themselves to a Windows machine and an even different way to authenticate themselves to a network device. I mean, that's just leading to the problems that malicious attackers take advantage of, you know, with different users and different identities. The first thing we recommend is consolidating on a single directory. So whenever let's say Bill, the IT administrator, logs onto any system, he's logging in with exactly the same credentials every single time, and this means basically removing the multitude of directories that you might have within an environment and consolidating onto one directory. And what we actually find within a lot of enterprises is they use Active Directory already. Ii's becoming and has become kind of the de facto directory for the environment, and we basically rationalize on Active Directory, so obviously for Windows machines you authenticate via Active Directory. But also UNIX machines and your network devices and everything else you basically authenticate through Active Directory.
The next [step] is managing privileged accounts and privileged users. So for privileged users themselves, these are individuals within the enterprise who have got access to perform IT tasks. So let's say you're an Oracle DBA, and you need to have access to be able to restart the Oracle database. What we recommend is that user should log in as themselves and then elevate their privileges to conduct the specific task that they're being requested to run. So in this case, Bill would log in onto the UNIX machine and would elevate his access so he can restart the Oracle database, and what we recommend for organizations is to set it up in that configuration, so you absolutely know that Bill logged onto that machine, and you absolutely know that Bill was then given privileged access to perform the relevant functions.
The other aspect of managing privileges is actually managing privileged accounts as well. Privileged accounts are the accounts that are sometimes referred to as system accounts. So for instance whenever you install an Oracle database on a UNIX machine, there's an account called Oracle DBA that's been created. Again, on the UNIX machine there's an account called root, so these are what I define as privileged accounts. They're also known as service accounts, and these are accounts that should not be used a lot of times at all. They should be used only if there's a situation that requires them to be used. So, for instance, the root account should only be used let's say if the server has actually gone down, and you need to literally walk into the data center and log onto that UNIX machine and restart it without obviously having root access. Or the Oracle DBA account is used in a situation where all the other privileges may not give people enough access, and you need to kind of have the global privileges for the Oracle DBA account to perform those tasks. In that case what we recommend is those accounts are vaulted within a password vault, and there's a procedure for checking in and checking out those accounts, and only people who have got access to check those accounts out can check those accounts out. And every time those accounts are checked out, they are checked out for a certain period of time - let's say for an hour - for that person to conduct the task, and then there's a check-in process as well.
So this area about managing privilege is broken out into privileged identities for the individual users and privileged accounts for these service accounts. The third recommendation is for both of those privileged accounts and privileged identities, we recommend session monitoring. In other words, recording exactly what these individuals actually performed while they were logged onto those target machines so that for future forensics or for investigation purposes the organization can actually scan the logs to find exactly what these individuals actually did.
Now, let's go back to the question you asked right at the beginning, which is around the breaches and so forth. If a malicious piece of code was deployed on a UNIX machine and somehow got hold of an individual's account or a shared account, they would actually log in as those shared accounts, perform some function such as copying data out of an article database. So all of those sessions would be recorded such that an organization can actually look at those logs and find out exactly the time, the data that's being removed out of the organization, and so forth. So that's our recommendation. It's identity consolidation, managing the privileged users, both privileged users and accounts, and then thirdly, doing session monitoring. And this recommendation is all based on the fact that organizations should fundamentally be securing the individual users and requesting that those users log in as themselves versus using shared accounts. That's a big difference between the way we think about this versus the way other vendors think about this problem. They think about the problem mainly from a service account basis, but we think it's very important for organizations to really reduce the risk for themselves and implement what's generally known in this industry as least privileged access. So giving Bill the authority to only conduct a task that he needs to conduct to do his particular task.
FIELD: So, Bill, let's bring this back to Centrify. In a nutshell, what are some of the solutions that you're offering your customers to enhance their level of privileged identity management?
MANN: We provide two solutions, and they both work together. One of the solutions is called Centrify Server Suite. This is the solution that implements identity consolidation. It also implements identity privileged users for the end users, and it also implements session monitoring. Then there's a second solution called Privileged Service. This is a solution that works alongside the Centrify Server Suite, and this provides the vaulting capability, and that particular solution is delivered from the cloud, and also allows your organization to implement some of those modern use cases that I spoke about earlier on for the mobile user, for the outsourced IT, and so forth. In combination, these two solutions provide the most comprehensive solutions in the market for managing privileged users.
FIELD: And, of course, the most important question, Bill: What are the results that your customers are reporting to you on how they've enhanced their level of privileged identity management? What's the feedback?
MANN: Well, the feedback is fundamentally around reducing risk. That's why customers are buying these solutions. It's all about reducing risk. It's not about eliminating risk. Customers buy the solutions for eliminating risk, for passing compliance mandates, because if they are in any of the healthcare or the financial worlds, they actually have to put controls in place, and solutions like ours are controls. Lastly, it's around gaining visibility into the organization, into the risks associated within the organization around attacks as well, so the information that we gather about people accessing servers and so forth is fed into other log management systems, which are used to correlate information from ourselves and network devices and other things happening within the enterprise. So the enterprise has gotten more visibility around all threats and vectors around threats within the organization.