A Story About Passwords… And Claims of a Sole Sourced Solution
Lieberman, President & CEO
Our primary competitor in privileged identity management recently
claimed (to a customer and major analyst firm) that they are the only
vendor on the planet that can manage application passwords; therefore,
no other solutions should be considered.
Unfortunately for the competitor, the analyst decided to check the
facts, and what do you know? Lieberman Software has been providing
enterprise level privileged application credential management for
years. So much for sole-sourced purchasing.
Background: What is Application Password Management?
Just as you might log on to a system with user credentials,
applications also must log on or be verified to gain access to critical
resources using operating system, database, and locally stored
credentials. How does an application know which credentials to use?
Applications typically store the credentials in a variety of formats:
sometimes the credentials are encrypted (good), sometimes they are stored
in plain-text files (not good), and sometimes they are even compiled into
the applications themselves.
Given that credentials used by applications can change behind the back
of the application (due to password change mandates), the application
must be updated to use the new credentials – immediately.
[Tip from the trenches: Updating application passwords on multiple
systems concurrently can be a time-critical operation with many
dependencies, and it requires a human to be actively involved in
monitoring and controlling the change process. Because not all changes
can be accomplished at exactly the same time, and some resources may be
off-line or non-responsive, the change process should rarely be
completely automated and run unattended. A high quality password
management solution can make the process go quickly and reliably through
automation, but human judgment is essential in anything other than
simple lab test cases.]
Easy Ways to Manage
If an application is implemented as a combination of Microsoft Windows
Services, COM+, DCOM, MTS, IIS, ASP.NET and other standard Microsoft
Windows platform component types, our products can automatically detect
and change credentials and their usage using our
For non-Windows platforms, password updates are accomplished by a
combination of remote command-line commands (secure CLI changes) and
file pattern matching and updating (also secure). We can also remotely
update a Java-based secure storage mechanism from which the application
reads its credentials.
Some applications store their credentials in files (binary, text and
encrypted), so we also support secure automated file patching.
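The file patching described here and the coordinated, operator-supervised rotation from the tip above, as an added Python example (not Lieberman Software's code): it rewrites the password line for one account in a constructed clear-text settings file, and splits hosts into those patched now and those handed back to the operator because they were off-line or their file did not match the expected pattern. The `reachable` probe is a caller-supplied stand-in; nothing here touches a network.

```python
import re

# Constructed sample: a legacy application's settings file that keeps a
# clear-text password next to the account it belongs to (the "not good" case).
SAMPLE_CONFIG = """[database]
host=db01.example.internal
user=svc_billing
password=Winter2009!
[cache]
user=svc_cache
password=cache-secret
"""


def patch_credential_file(text, account, new_secret):
    """Rewrite the password= line that directly follows user=<account>.

    Returns (patched_text, replacements). Other accounts' lines are left
    untouched; a lambda is used so a new secret is inserted literally
    (no regex back-reference interpretation of its characters)."""
    pattern = re.compile(
        r"(^user=" + re.escape(account) + r"[ \t]*\r?\n^password=)(.*)$",
        re.MULTILINE,
    )
    return pattern.subn(lambda m: m.group(1) + new_secret, text)


def plan_rotation(hosts, reachable):
    """Split hosts into those that can be patched now and those deferred to
    the operator. `reachable` is a caller-supplied probe (host -> bool)."""
    ready, deferred = [], []
    for host in hosts:
        (ready if reachable(host) else deferred).append(host)
    return ready, deferred


def rotate(account, new_secret, configs, reachable):
    """Patch every reachable host's config text and report what happened.
    A host whose file did not match exactly once is reported as unchanged
    rather than silently counted as done, so a person decides what to do."""
    ready, deferred = plan_rotation(sorted(configs), reachable)
    patched, unchanged = {}, []
    for host in ready:
        new_text, count = patch_credential_file(configs[host], account, new_secret)
        if count == 1:
            patched[host] = new_text
        else:  # zero (not found) or several (ambiguous): escalate to the operator
            unchanged.append(host)
    return patched, unchanged, deferred
```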
Applications That Use Clear Text Passwords
When an organization needs to upgrade the password security of an
existing application (e.g., one that reads clear-text passwords from a
file) and it has the source code and expertise, we support the
industry-standard solution: use the platform’s secure credential storage
mechanism that is part of the operating system or language runtime
(e.g., Java).
As part of our product’s design, we can update not only the credentials
in the operating system or database, but also the secure credential
store, automatically, as part of the password change process.
The Real World Intrudes: Upgrading Legacy Applications is Never Easy
Switching old legacy code bases to secure credential storage is rarely
implemented in the real world, since it assumes that the original
application developers or their successors are able to rewrite their
applications in a more secure manner. Typically there is no in-house
talent to accomplish the rewrite, and both the knowledge and the source
code for the application are unavailable.
To “get the deal,” other vendors claim that they can deliver magical
professional services to accomplish the change. Or the client is under
the naive impression that such a security upgrade is a trivial effort
for their staff, given the claimed capabilities of a vendor’s product.
In the real world the vendor does not have this capability, and the
organization with the legacy code generally underestimates the “issues”
involved in the update. We write code every day, and there are always
“issues” in even the simplest project.
Most organizations are better off accepting reality: keep legacy
applications working as-is (with insecure storage of credentials), and
instead improve the access controls on the credential files and add
auditing of access to them. Obviously, updating insecure code to a
secure credential storage mechanism is ideal, but it rarely succeeds due
to the realities of time, employee turnover, and lost expertise.
We fully support the management of application credentials in both
application-to-application (A2A) and application-to-database (A2DB)
modes, and we provide you with the ability to do it yourself by filling
out a few dialogs.
If you ever talk to “this” other vendor about their “unique”
sole-source A2A and A2DB solution, ask them to actually
you can do it yourself on all of your platforms. If you must go to
class or employ their professional services, I think you will figure
out the truth of their solution for yourself.
We do A2A and A2DB and so can you in just a few minutes right from the
instructions in our manual.
Questions or comments, or want to discuss how you tried or failed at
A2A or A2DB? Email me at: email@example.com
Tip of the Month
What's Being Shared on Your Network
What are your users sharing? Music? Sensitive documents? Customer data?
Customer purchasing history? R&D?
How can you get a list of machines that are sharing content? If you’re
running Windows 7, you need to know what’s being shared...
With User Manager Pro Suite you can run a report and stop the
unwarranted sharing immediately. You simply highlight all the shares
that aren't supposed to be out there, right-click, and delete. And
they're – poof – gone. How long does that take? You’re already done! The
data is still there; it's just not being shared anymore.
Avenue of the Stars,
Angeles, CA 90067
Major Television Network
The organization’s IT
infrastructure supports television stations in all major U.S. markets
and operates out of multiple datacenters and server rooms. Hundreds of
servers and thousands of client systems make up their environment with
a mix of Windows, UNIX and Linux operating systems. To protect the
organization’s data assets, the CIO required a solution that could
manage any of these components, reliably and affordably, while helping
to meet their company’s regulatory compliance and security initiatives.
Situation: Needed to protect
sensitive data – without adding unnecessary staff or system overhead.
Motivated by Sarbanes-Oxley compliance goals.
The Solution: Enterprise Random Password Manager was
deployed to control access to privileged accounts and to report who had
access, at what time, and for what purpose.
Result: The television network eliminated anonymous access to sensitive
data and improved its compliance with Sarbanes-Oxley and other
regulations.
- Raytheon SureView Integration - Insider
Threat Detection Combines with Privileged Identity Management:
Lieberman Software has partnered with Raytheon to combine Raytheon’s
military-grade, DVR-type incident recording, replay and advanced
insider-threat detection and monitoring capabilities with Lieberman
Software’s privileged identity management solution set. The combination
of Raytheon SureView and Lieberman Software’s Enterprise Random
Password Manager (ERPM) offers unparalleled protection against insider
threats, providing control over administrative access to sensitive data
throughout corporate and government networks.
- Sybase iAnywhere Integration: ERPM manages the accounts used by Afaria
Services. ERPM also manages privileged accounts within the Sybase
Adaptive Server Enterprise (ASE).
Launches / Podcasts
Credential Management: Enterprise
Random Password Manager (ERPM) discovers and continuously secures the
privileged account credentials present in ASP.NET web applications. In
doing so, ERPM improves security and regulatory compliance for
organizations whose ASP.NET credentials control access to corporate
databases and back-end application tiers.
Events / Press /
Issues Security Guidelines for Windows Azure. Redmond Magazine. Security
is the number one inhibitor to cloud adoption and Microsoft has
addressed many key issues, according to experts. "By Microsoft providing extensive training
and guidance on how to properly and securely use its cloud platform, it
can overcome customer resistance at all levels and achieve revenue
growth as well as dominance in this new area," said Phil
Lieberman, president of Lieberman Software Corp., a Microsoft Gold
Certified Partner that specializes in enterprise security.
Smartphone Strategy Needs a Genius Plan. Redmond Channel Partner. Phil
Lieberman of Lieberman Software believes that the recent turnover of
the SmartPhone management team at Microsoft was well overdue. "Everyone
in Microsoft management needs to ask the question: ‘What about Windows
Mobile 7 is going to wow me, make this a different platform and a must
buy for everyone?’ The world does not need another unreliable phone that
runs like a Zune and can kind of play some XBox games."
Three Biggest Risks You Face. CFO Zone. "The rough economy is also posing a
greater internal threat to companies' information systems, says Philip
Lieberman, CEO of Lieberman Software. High turnover naturally increases
the risk that employees on their way out the door will download
sensitive information with the intention of offering it to a new
employer, Lieberman warns."
Key Questions When Considering Working with a Cloud Service Provider.
IT Business Edge. "There are
certainly a lot of points to take into consideration with cloud
computing, particularly security within the cloud. I had the
opportunity to speak with Phil Lieberman, president and CEO of
Lieberman Software, who presented a list of security-related questions
a company should ask before doing business with a cloud service
provider and his advice on what should be looked for in the answers."