Privileged Identity Management News Line November 2012

Top of Mind

Going Beyond Local Account Management: Service Account Discovery, Correlation and Propagation

Philip Lieberman, President & CEO
Lieberman Software

Continuing from last month...

The Good News and Bad News

The developers of Microsoft Windows created a well-organized framework for the storage and retrieval of service accounts that is consistent from Windows NT to Windows 2012. This means that applications written for this platform pretty much use the same methodologies for the management of credentials. The Microsoft platform also provides remote management APIs (interfaces) that allow credentials and their references to be managed in a consistent manner.

Having stated that the Microsoft platform has a consistent structure does not mean it is simple to manage; I am only stating that it is consistent. The platform itself has an enormous number of services to manage and with each new version of the operating system we have had to develop ever more sophisticated discovery, correlation and propagation engines.

The story on managing correlation and propagation on non-Windows systems such as Linux is a whole different kettle of fish. First, there is no ubiquitous remote management API, no (consistent) framework for the storage of credential usage, and applications are free to install and put their configuration files wherever they wish. There is also no consistent central repository to review that tells you what is on that machine and where it is installed. It is for this and many other reasons that companies choose Windows rather than Linux simply because of standardization and remote management. By the way, this is not a Linux only problem since many cross platform products such as Oracle 11g and many other Oracle and IBM products have a completely arbitrary and frankly bizarre way of installing themselves and maintaining their credentials.

All is Not Lost

But, all is not lost and we have developed connectors for these non-Windows based services. These connectors do provide the full discovery, correlation and propagation features, but because there is no remote management API, we provide remote management connectors for these platforms such as IBM WebSphere and Oracle WebLogic. Similarly, we also provide these same types of remote management connectors for JAVA and other middleware repositories.

We also have a remote CLI capabilities, files search and replace (great for CONF files), and SSH/Telnet command files.

In Practice: Windows… A Dream to Manage

Because we have a rich and mature set of engines for Windows, the discovery, correlation and propagation process is a breeze. Almost everything is fully automated; credentials and their use are displayed as trees. Changing passwords and where they are being used is also simple and takes less than a minute to configure once and for all. Since everything is in the box, there is no need for professional services to customize our software.

In Practice: Linux and Others… Easy, But Secret Sauce Must Be Known

Managing credentials and their use on non-Windows machines does not require professional services or customization of ERPM; however, it does require some knowledge of the platform, and where and how credentials are stored. You also need to know the method used by the services to change credentials for services/daemons.

Because all of the propagation settings are user configurable, you simply enter the configuration settings for your platform(s) and you are done once and for all.

Embedded Credentials

Both Windows and non-Windows platforms sometimes have applications that store their service credentials in plain text files. This practice makes auditors and regulators go insane with panic when/if they discover this practice.

We have implemented the following solutions to address this issue:

1) Push credential change whereby our product finds and changes the clear text credentials automatically and periodically in the background for these clear text files, or patches binary files containing clear text passwords.

2) Pull credentials where you update your code that uses the clear text files and have it pull credentials directly and in real time from our application. This method uses our SDK (free) that provides APIs for pretty much every platform out there.

3) In cases where the password storage mechanism uses encryption, we have already incorporated decryption, scanning, change, and re-crypt for many technologies such as .NET. For other technologies you can use CLI.

Summary

If you have been tasked with changing credentials on a regular basis, but have given up because these changes have caused outages due to the complexity and scope of not only changing credentials, but also where they are being used; there is an automated solution that does the job quickly and at scale with minimal to no human interaction: Enterprise Random Password Manager (ERPM).

By the way, deployment of this product and the ability to do propagation to service accounts at scale - reliably - is generally a one to two week process initially. Why? Extensive automation and deep domain specific knowledge embedded within the ERPM product make this seemingly impossible task for humans, an easy task for our product.

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Events / Press / Analysts

Gartner Identity and Access Management Summit. December 3-5, 2012 in Las Vegas, NV. We are a Premier Sponsor at this year's event! Definitely visit us in booth PR3.

Webinar: Cyber Security Briefing on Privileged Identity Management For Ohio Colleges and Universities. December 12 at 11am ET. Ensure that your information security requirements, including the necessary privileged account security controls, get implemented quickly and comprehensively. Attend our webinar to learn how we can help you mitigate security risks associated with leaving your "Keys to the Kingdom" unmanaged.

Service Account Manager wins Silver Award for Best System Utility! 2012 Windows IT Pro Editors' Best and Community Choice Awards.

How to get promoted in IT security. Help Net Security. Not only has landing a job become more difficult; it's also getting harder to get promoted once you have the job. Here are some tips to getting ahead in today's competitive, cutting-edge world of IT security.

Running Lights Out Management Without Putting Your Organization's Lights Out Permanently. Continuity Central. Intelligent Platform Management Interface (IPMI) technology underpins lights out management (LOM) in IT departments around the world. LOM allows an IT administrator or IT security manager to manipulate and manage servers using remote control - even switching on the machines when they are ‘off’. LOM is a potent technology which has its uses; however it also poses some potential risks which every enterprise must be aware of.

Enterprise Random Password Manager Solution Delivers Privileged Identity Management to Customers Through Interoperability With SAP NetWeaver Gateway. Sarbanes-Oxley Compliance Journal. The SAP Integration and Certification Center (SAP ICC) has certified that ERPM integrates with SAP NetWeaver Gateway 2.0 technology. The ERPM solution has also demonstrated capabilities for accessing lists of users that can be retrieved under the current login credentials by changing user passwords of the SAP solutions on the back-end.

Lieberman updates identity management software. Finextra. Lieberman Software has launched new functionality that allows ERPM to provide secure check-in/check-out of privileged credentials directly through the McAfee ePolicy Orchestrator (McAfee ePO) web-based interface, and provides identity and configuration data enrichment for ePO.

BYOD: Where the costs are. How to make sure that your BYOD rollout doesn't break the bank. Network World. In a survey by Lieberman Software, most respondents (67%) said BYOD would increase IT and security costs.

Tech Tip of the Month

Remotely Create, Update and Remove Services

Has a vendor sent you an updated Services executable that needs to be installed across a large group of machines?

Do you have an internally developed application that requires installed services, but doesn’t have an install package?

Do you have obsolete services defined on Windows hosts in your environment, but no time to go clean them up?

In addition to modifying Windows Services, Service Account Manager can create or remove services. Here's how.