RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT

Transcription

1 Document K23 RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT THE BOTTOM LINE Managing privileged accounts requires balancing accessibility and control while ensuring audit capabilities. Cyber-Ark enables organizations to increase administrator productivity while reducing risk. Deployed properly, Cyber-Ark s Privileged Identity Management Suite can deliver payback in fewer than six months, and be extended over time to support other applications without additional licensing costs. The Cyber-Ark Privileged Identity Management Suite secures, manages, and monitors privileged accounts and activities associated with data center management. Cyber-Ark provides policy-based account management for onpremise, off-site, hosted, and cloud environments. Key components include: Enterprise Password Vault to securely store privileged accounts and enforce credential management policies Application Identity Manager to securely manage credentials in application scripts and services Privileged Session Manager to monitor and record account activities during access by privileged accounts On-Demand Privileges Manager enables users to manage superuser account access in the cloud. Because the four components share a common server platform, companies can deploy any individual solution at any time and expand as needed in the future to address new audit or security challenges. Privileged accounts include the root account on UNIX/Linux servers; Microsoft Windows, Microsoft SQL Server, and Oracle systems administrator accounts; Cisco Enable accounts; SAP Application Server administrator accounts; and others such as emergency or help desk administrator accounts. Cyber-Ark supports Windows, Linux, Solaris, and AIX platforms; WebLogic, WebSphere, and Jboss application servers; and various programming languages including Java, C and C++, VB, and.net. The unified product eliminates the need to manage privileged accounts and privileged users on different systems and applications separately. Cyber-Ark enables organizations to leverage the same vault infrastructure, policy engine, and monitoring and reporting tools to manage privileged and shared accounts from one central location. Corporate Headquarters Nucleus Research Inc. 100 State Street Boston, MA Phone: Nucleus Research Inc.

2 THE CHALLENGE Privileged accounts and passwords, such as those of administrators, allow users to log on and control systems and applications and view, alter, or extract data and information on those systems. Most organizations have multiple workstations, servers, routers, databases, scripts, and applications that require administrator accounts and passwords, and many passwords are shared by different administrators. Multiple workstations, servers, routers, databases, scripts, and applications mean most large organizations can have hundreds of thousands of privileged accounts and passwords. Unlike unique passwords that link one user to one or many accounts, administrative and application passwords cannot link a specific person to a specific application or system action. Because privileged accounts are difficult to disable, most organizations rely on spreadsheets, home-built applications, or paper files to track and manage privileged account users and passwords. This creates a number of challenges, including: Limited visibility and audit capabilities. Because individual administrators use the same password, it is difficult if not impossible to track who made what changes. Risk of rogue administrators or unauthorized access. Because administrator passwords are difficult to disable, users that gain access can often continue to access or alter data and not be detected. Compliance vulnerability. Regulations such as Sarbanes-Oxley, PCI, NERC/FERC, and Basel II require organizations to clearly document and track changes to systems, including changes made by administrators. Without effective identification, authorization, and logging of privileged access, companies cannot ensure they are in compliance. Negative impact on end users. Without effective and efficient application administration, provisioning users, applying critical patches and fixes, and solving application or access problems is delayed, impacting the satisfaction and productivity of internal or external clients. Because of these challenges, many organizations have looked to automated solutions such as Cyber-Ark to secure and log privileged accounts. This research explores the strategies of companies deploying Cyber-Ark and its impact on their ability to control, monitor, and manage privileged accounts and passwords, and is based on in-depth interviews with a number of Cyber-Ark clients. WHY CYBER-ARK Most Cyber-Ark customers find either an audit, a change in operations that requires more streamline privileged account management, or management concern about security and risk drives exploration of a solution for privileged account management: We had an audit in the end of 2007 and one of the findings was that a lot of administrator accounts were not being controlled properly. We were moving to a follow-the-sun model and that made it hard to get the right password our Lotus-Notes based tool was all manual on the back end, and had three instances based on region. 2

3 Direction was looking for a way to control privileged access. There were no procedures or actual way of keeping track of where administrator passwords were installed or keeping track of the administrators themselves. Many explored multiple identity management solutions as well as more specialized privileged identity management applications and chose Cyber-Ark because it was both focused enough to require minimal customization and extensible enough to support complex global needs. Compared to smaller point applications, users said: We brought in four solutions and ran case studies and did a bakeoff. We chose Cyber-Ark because the other user interfaces were more cumbersome and we didn t like how the transactions were handled in the back end. Others had more than one vault; with Cyber-Ark if I need more passwords I can just add another server. Cyber-Ark stood out for ease of use, and they sat with us for two days to go over things and answer any questions we had. It was a good relationship and their prices were very reasonable. Cyber-Ark had file capabilities you can put anything on a box, not just store a password, but the certificate file as well. Customers found Cyber-Ark enabled them to quickly deploy one vault and bring additional systems, accounts, applications, and privileged users under management as needed without additional application investment. Compared to larger traditional identity and systems management tools, users appreciated Cyber-Ark s focus on privileged identity: We did look at some of the big players but we were really looking for more differentiated technology for administrator password management than the traditional ID management space. It s a very focused solution and it needed to be. You could do it with other tools but you have to put a lot more effort into it. You could look at traditional identity management, like Oracle, CA, IBM, Tivoli, but they re not set up to do it and it would cost a thousand times more by the time I bought all the connectors. KEY BENEFIT AREAS Companies deploying Cyber-Ark can integrate it with enterprise applications to standardize and streamline control of privileged accounts. Key benefits achieved from Cyber-Ark include increased administrator productivity, reduced audit time, improved client service, reduced risk, and improved compliance. Increased administrator productivity Automating manual processes such as user creation, provisioning, and password resetting, and reducing the overall time needed to manage privileged identities, policies, and credentials can increase overall administrator productivity and free up time for more critical tasks. Users found: We used to have to take a security request, find the ID, reset the password, log it, reset it manually, and then synch it up. We couldn t stay on top of it. Now, we just approve administrator passwords and run reports on it once a month. Before, we were spending up to 25 hours a month. 3

4 We don t have to search when we find a breach of an account. To build and manage such [visibility] in house we would need 10 to 15 people. Our security team is about 15 people Before we had about 50 to 100 but we weren t managing. One large financial services firm adopted Cyber-Ark to support PCI and SOX compliance. Moving from a Lotus Notes-based application enabled it to redeploy two full-time developers, save 20 minutes on average for management of each privileged account, and automate password resets and provisioning based on Cyber-Ark s role-based capabilities. Users also found there were advantages to having one centralized application to manage all accounts and passwords, and to managing a relationship with one vendor instead of several different ones. As one user said, They know all our products, so it makes support and troubleshooting easier for both Cyber-Ark and us. It also helps with annual maintenance and service contracts, and not having to juggle different coverage terms and payment schedules. For organizations deploying Cyber-Ark, the potential administrator productivity savings will depend on the number of privileged identities and the frequency of changes. Large organizations that are manually managing privileged identities today can save at least half an administrator s time by deploying Cyber-Ark while improving compliance efforts and response times. At an average annual fully loaded cost of $60,000 per year, Cyber-Ark would save them $30,000 per year in administrator costs alone. Reduced audit time Cyber-Ark provides both a centralized system for logging and recording all activities of privileged identities and standard reporting tools and the ability to export log data into other data analysis tools to drive custom reports and dashboards. This enables organizations using Cyber-Ark to reduce the time needed to prepare for and complete audits: Before, there was no way to audit. Now Cyber-Ark can give it to us fast and easy. Now administrators can access reports and see who s been on their machine and why. Our organization has grown very quickly and so has the whole auditing and compliance issue. We don t know if we had minor bad incidents before; now it s here to mitigate any possible headaches. Unlike individual tools or manual reports, Cyber-Ark automates the monitoring and tracking of changes to systems by administrators, superusers, and other applications all in one place. This enables organizations to provide auditors with a clear trail to support Sarbanes-Oxley, Basel II, and other regulations and requirements, and shorten the time needed to effectively prepare for an audit. Improved client service Integration with enterprise applications and support for multi-site, multi-network environments enables administrators to more rapidly support users while 4

5 maintaining a secure audit log. Cyber-Ark users found that enabled them to support both internal clients (end users) and external clients, such as customers, more efficiently and cost-effectively: Clients appreciate it. There s a lot more comfort to them knowing that there s secure encryption above and beyond FTP. They really like the fact that they see everything and there is a full audit trail so they know whom the last person was to save it, touch it, or see old versions. If something changes or something is missing, they know exactly who did it. Our fear was, what happens if something gets screwed up and all our administrator passwords don t work Monday morning? Some of our owners have thousands of accounts. Today we can verify [all requests] upfront. Automation and the ability to rapidly identify changes and provide privileged IDs and passwords when needed enable administrators to more quickly respond to access problems and help desk ticket requests. Reduced risk The most significant benefit Cyber-Ark users cited was reduced risk. Privileged identities and passwords can be audited and managed to avert unauthorized internal and external access, changes, and data loss. When privileged identities and their management are automated, companies also reduce the common practice of embedded passwords in scripts and applications. The most significant benefit Cyber-Ark users cited was reduced risk. Most Cyber-Ark users were unable to quantify the benefit of reduced risk; however, organizations evaluating the potential risk-associated savings from privileged identity management should quantify the probability of a privileged identity management-related loss multiplied by the minimal cost of an expected loss. Example: potential risk savings The probability of a security breach occurring in a given year 20 percent The estimated minimal cost to manage a security breach $50,000 The expected annual benefit based on the probability of a breach $10,000 Improved compliance Using Cyber-Ark, superusers, administrators, and managers can securely manage and deliver reports to support audit requirements. Nucleus found most organizations start with a specific goal such as securing a certain percentage or area of accounts and can then use the common platform to support further security and implement privileged account control for new applications and systems: With government and state contracts and nuclear data, it s very critical that we are sensitive with how we store data. Nobody else supports that. This addressed a huge SOX vulnerability. It could have been a severe audit deficiency. If we can avoid that, it s a huge relief and probably kept somebody s job. Our compliance people say you need to rotate passwords on a scheduled basis and outside of manually doing that, we didn t have a good tool to do it. 5

6 Cyber-Ark automates password resets, system change monitoring, and data access to provide a secure and reliable audit trail for compliance purposes. CONCLUSION Given the number of workstations, servers, routers, databases, scripts, and applications enterprises have to manage, most have thousands of privileged identities, accounts, and passwords. Traditionally, this has been managed manually with in-house developed applications, spreadsheets, and paper files none of which effectively protect against data and application risk. Cyber-Ark automates and provides a central log of privileged administrative tasks, freeing up time for administrators for more critical tasks and reducing risk exposure. Given the relatively low cost, focus on the privileged identity problem, and ability to support a global, multiapplication environment, Cyber-Ark, when deployed properly, presents a cost-effective solution to data and application control and audit challenges. 6