We interviewed Jackson Shaw, Senior Director, Product Management, Identity & Access Management at Dell, and delved further into the topic of Privileged Access Management.
Why is it important to secure privileged accounts?
Well, privileged accounts are the most valuable accounts within an organisation. They provide unfettered access to typically the most sensitive systems, databases and servers within an organisation. Most people think of it as local accounts and other different accounts in the systems, but we have seen through a lot of the recent attacks that what happens is that the attacker looks for just the standard local accounts and once they get into an organisation, they start hopping from system to system until they can actually access a privileged account. Once they’ve got access to that privileged account, the door is open to almost anything. So, that’s the main reason why we want to protect privileged accounts; to be able to lock it down and keep all the systems safe.
Where do privileged accounts reside?
Privileged accounts reside all over an organisation. Most people typically think of them as things like the Windows administrator's account or UNIX root account, but it's also things like the database password in Oracle or in a Microsoft SQL Server that are typically shared amongst the whole set of developers. Also, it’s becoming much more commonplace now for customers to consider their Twitter accounts and their Facebook accounts to be very privileged because if one of those accounts is hacked, it can lead to great damage to a company’s reputation. So, these accounts literally can be found almost anywhere across an organisation.
What needs to be considered when starting a PAM project?
Typically there are three things we need to consider to start a PAM project. What’s the reason for actually starting the project? Is it for an audit finding? Is it a compliance issue? Was there a breach? That helps to basically set the scope for what needs to happen. The second thing is having all the appropriate people in the organisation involved in the project. So, you may need your UNIX administrator, you may even need the people who manage your printers. As I said earlier, the accounts are spread all over the organisation. The third thing, which is defined by the first two, is the scope and size of the deployment. Are you just looking at securing certain servers or are you looking at trying to secure the whole estate? It’s these three things that will help you decide how far you have to take the project.
What is the hardest part of PAM?
I think the hardest part of any privileged account management project is the process around all the business with respect to privileged accounts. Finding those accounts, working with all the stakeholders and then determining things like who is allowed to check out all passwords? Who has to be audited? What is the overall process around all these different accounts? That’s typically the biggest thing, getting all those stakeholders together and then cascading that type of a new process for managing those accounts throughout the organisation.
With cloud and social media starting to be considered, where is PAM going in the future?
Privileged account management is growing by leaps and bounds. A lot of the industry data that you read is talking about 40, 50 and 60% growth rates, and I think a lot of that is attributed to the direction of computing in general; so, for example, things like social media, your Twitter account, your LinkedIn account, your Facebook account. From an organisational perspective, there’s a tremendous amount of reputation around those accounts; having one of those hacked, having one of those accounts stolen, even though it’s not a privileged account, can be very serious for an organisation, so you want to protect those accounts. I think the other thing that is causing a lot of growth and fuelling a lot of the forward thinking around privileged account management is all the different cloud platforms that people are gravitating towards. You've got to protect the accounts there; if it’s your Office 365 account, if it’s your Salesforce account, if it’s your Workday account; whatever it is, those accounts need to be protected also, especially in the cloud because you don’t have the same type of security controls around what you have inside of your organisation. So, I really think that there is nowhere but up for privileged account management and a lot of those things that I just mentioned are fuelling its growth.
Can you give us a case study to demonstrate a PAM situation?
Well, I think one of the most interesting cases recently regarding privileged account management is what happened at Target. If you read any of the news stories of the reports about what happened, basically a contractor in the group that managed their heating systems had an account stolen and this account allowed the hacker to get into Target's systems. Now, that account itself was not privileged but what the hacker managed to do was to use that account to jump around within the organisation until they found a system that had a privileged account on it that wasn’t protected, and that basically gave them access to all the 'goodies' inside Target. That was the main cause and certainly one of the best things that Target, or any other company, can do in this particular case is manage those privileged accounts and session management; it's becoming increasingly important at companies to be able to watch what people are doing, especially contractors or third parties that you have given access to your computer systems. So, we see privileged account management crossing so many different areas; it’s not just your internal employees, but also your contractors.
Any additional thoughts for a successful PAM project?
A successful PAM project typically starts with privileged password management; obviously we want to control the privileges around all these different systems. Once that’s typically got under control, a company will look at session management; and session management is all about recording what someone is actually doing while they are on that privileged system, seeing what they're up to, being able to go back and search for certain commands, and having a real, great audit trail around what people are doing with those privileged accounts. Once you’ve sort of accomplished these two things, a lot of companies start looking at how to integrate UNIX and Linux systems into the project they've done, and any other privileged accounts that might be up there. Finally, what most companies should be considering is can they find a vendor that has the breadth and depth of experience around privileged accounts, and integrating all these different systems together with a robust solution that you are basically setting yourself up for success.