Privileged Identity Management News Line October 2012

Top of Mind

Going Beyond Local Account Management: Service Account Discovery, Correlation and Propagation

Philip Lieberman
President & CEO
Lieberman Software

In the previous month we discussed the management of local accounts and Superuser accounts.

As described, changing hundreds of thousands of local accounts and providing delegated access to them was a quick and easy process no matter whether they were on Windows, Linux or other platforms.

After securing your local accounts (which can be done with our Random Password Manager (RPM)) product alone, the next stage in privileged identity management is the randomization of so-called service or application accounts.

Our product Enterprise Random Password Manager (ERPM) was designed to take you to the next level of identity management by not only managing accounts, but also where they are being used. This means finding all accounts, figuring out where and how they are used, and then changing them everywhere without causing an outage.

Defining Service Accounts

Local accounts like administrator on Windows and root on Linux are generally used to log onto systems and the power of the identity can be used for performing management tasks. However, the account names and their passwords are rarely used for anything other than local or remote logon (at least on workstations).

Many servers use accounts like root and administrator to run persistent applications that run whether or not someone is logged into the machine. For example, a web site would be an example of such a persistent application as would a database or other line of business application.

The service account is needed for these persistent applications or processes so that they have the ability to perform powerful actions on behalf of the users of application. In effect, these accounts are proxies used to perform limited actions on behalf of users that have no access to sensitive data and systems.

In many cases, the mechanics of service accounts means that an account must be used that is known and verifiable to not only the application, but to everything that the application interacts with. Consequently the service account is generally a powerful Windows domain account, Kerberos, LDAP or database access credential.

The Challenge: Service Accounts Must be Changed Regularly

Service account based applications must keep a copy of the powerful credentials needed to perform their actions. The service credentials are generally encrypted or obfuscated, but must be available on demand by the application or service.

The consequence of the service account structure means that any password change of a Superuser credential must be done not only in the authentication system (i.e. Active Directory), but also in every service/application that stores the password for that same credential. We can say that not only must the authenticator be updated, but also all references. Updating all of the places where a service account is stored is known as propagation.

Where IT Gets Into Trouble With Service Accounts

To successfully change the password of an account, you must not only change it where it is being stored, you must also change every place that references that account. If you miss any of the places that have a stored password, the wrong password will be used and that service will fail to work properly. In some cases, the use of an incorrect password by a service can cause the operating system to think that the account is under attack and lock out the account. This last scenario means that every service that uses that locked out account will now fail too.

The challenge to IT is first to understand what credentials are in their systems as well as where they are being used. The second challenge is to understand how to change the references to those credentials and not miss any. The first step is known as discovery and correlation. The second step is known as propagation.

=> More on this subject in NEXT MONTH'S Newsletter.

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Events / Press / Analysts

McAfee FOCUS 2012 Security Conference. October 22-24 in Las Vegas, NV. Visit Lieberman Software in the Sponsor Expo to see how our integration with McAfee ePO will make your security controls easier to manage and implement.

2012 Texas Cyber Security Tour On Privileged Identity Management. Join us for an informative, 90 minute luncheon in one of the following cities:

Austin, TX – October 24
Round Rock, TX – October 25
San Antonio, TX – November 7
Houston, TX – November 8
Dallas, TX – November 13
Fort Worth , TX – November 14
Plano, TX – November 15

Cloud Security Alliance Congress 2012. November 7-8, 2012 in Orlando, FL. This is the industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. We are a Bronze Sponsor so stop by and visit us in our booth.

Gartner Identity and Access Management Summit. December 3-5, 2012 in Las Vegas, NV. We are a Premier Sponsor at this year's event! Definitely visit us in booth PR3.

Lieberman Software’s Enterprise Random Password Manager™ Achieves SAP Certification as Powered by SAP NetWeaver®. Bloomberg.com. The SAP Integration and Certification Center (SAP ICC) has certified that ERPM integrates with SAP NetWeaver Gateway 2.0 technology. The ERPM solution has also demonstrated capabilities for accessing lists of users that can be retrieved under the current login credentials by changing user passwords of the SAP solutions on the back-end.

In security response, practice makes perfect. Network World. We've heard it many times in many forms -- expect to be breached, expect that you've been breached, expect that you are being breached.

Let's talk about the privileged. IDC Insight, ComputerWorld-UK. With all the packaged privileged identity management solutions available today, there is no excuse not to act.

University Medical Center Hamburg-Eppendorf Secures Administrator Passwords with Lieberman Software. SecurityPark.net. Random Password Manager helps the University Hospital protect access to sensitive data by securing powerful administrator accounts on all managed systems.

Why are companies so bad at responding to data breaches? The Next Web. Lieberman says that the C-suite views the implementation of stringent methodology to combat potential hacking threats a lot like the way many regular people treat car insurance: why spend the money to adopt a comprehensive plan hinged upon a mere threat that isn’t guaranteed? From a cost-risk analysis perspective, a procedural defense against cyberthreats doesn’t seem worth it.