Managing the Risk of Privileged Accounts and Privileged Passwords in Civilian Agencies



Similar documents
Managing the Risk of Privileged Accounts and Privileged Passwords in Defense Organizations

Solving the Security Puzzle

Top 10 Most Popular Reports in Enterprise Reporter

Navigating the NIST Cybersecurity Framework

Identity and Access Management for the Cloud

Eight Ways Better Software Deployment and Management Can Save You Money

Understanding Enterprise Cloud Governance

How to Deploy Models using Statistica SVB Nodes

Dell One Identity Cloud Access Manager How to Configure vworkspace Integration

Spotlight Management Pack for SCOM

Logging and Alerting for the Cloud

Introduction to Version Control in

How To Use Shareplex

Hybrid Cloud Computing

Understanding and Configuring Password Manager for Maximum Benefits

SharePlex for SQL Server

Dell Statistica. Statistica Document Management System (SDMS) Requirements

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

Proactive Performance Management for Enterprise Databases

Dell One Identity Manager Scalability and Performance

Object Level Authentication

Simplify Your Migrations and Upgrades. Part 1: Avoiding risk, downtime and long hours

Security Analytics Engine 1.0. Help Desk User Guide

formerly Help Desk Authority Quest Free Network Tools User Manual

Security Features in Password Manager

Dell InTrust Preparing for Auditing Cisco PIX Firewall

Best Practices for an Active Directory Migration

Go beyond basic up/down monitoring

Data center and cloud management. Enabling data center modernization and IT transformation while simplifying IT management

Dell Statistica Statistica Enterprise Installation Instructions

Active Directory Auditing: What It Is, and What It Isn t

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Ensuring High Availability for Critical Systems and Applications

Best Practices for Secure Mobile Access

Quest vworkspace Virtual Desktop Extensions for Linux

Defender Delegated Administration. User Guide

Dell Migration Manager for Enterprise Social What Can and Cannot Be Migrated

Identifying Problematic SQL in Sybase ASE. Abstract. Introduction

Move Data from Oracle to Hadoop and Gain New Business Insights

Dell One Identity Cloud Access Manager How To Deploy Cloud Access Manager in a Virtual Private Cloud

Spotlight Management Pack for SCOM

Dell InTrust Preparing for Auditing Microsoft SQL Server

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

Dell Unified Communications Command Suite - Diagnostics 8.0. Data Recorder User Guide

Types of cyber-attacks. And how to prevent them

DevOps for the Cloud. Achieving agility throughout the application lifecycle. The business imperative of agility

Desktop Authority vs. Group Policy Preferences

Dell vworkspace Supports Higher Education s Desktop Virtualization Needs

Governed Migration using Dell One Identity Manager

4.0. Offline Folder Wizard. User Guide

formerly Help Desk Authority HDAccess Administrator Guide

How to Quickly Create Custom Applications in SharePoint 2010 or 2013 without Custom Code

Enterprise Reporter Report Library

Dell Statistica Document Management System (SDMS) Installation Instructions

Dell InTrust 11.0 Best Practices Report Pack

Dell InTrust Preparing for Auditing and Monitoring Microsoft IIS

Dell One Identity Cloud Access Manager How to Configure for High Availability

Organized, Hybridized Network Monitoring

Seven Steps to Designating Owners of Unstructured Data

Achieve Deeper Network Security

Reverse Proxy Three Myths Busted

Active Directory Change Notifier Quick Start Guide

Dell One Identity Cloud Access Manager Installation Guide

Dell One Identity Cloud Access Manager SonicWALL Integration Overview

Dell InTrust Preparing for Auditing CheckPoint Firewall

How To Protect Your Active Directory (Ad) From A Security Breach

Using Self Certified SSL Certificates. Paul Fisher. Quest Software. Systems Consultant. Desktop Virtualisation Group

Dell Recovery Manager for Active Directory 8.6. Quick Start Guide

formerly Help Desk Authority Upgrade Guide

Ensuring a Successful Migration, Consolidation or Restructuring

Dell Enterprise Reporter 2.5. Configuration Manager User Guide

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

Achieve Deeper Network Security and Application Control

Foglight. Foglight for Virtualization, Free Edition Installation and Configuration Guide

Adopting a service-centric approach to backup & recovery

Dell One Identity Manager 7.0. Help Desk Module Administration Guide

The Top 10 Things DBAs Should Know About Toad for IBM DB2

Quest InTrust for Active Directory. Product Overview Version 2.5

Quick Connect Express for Active Directory

New Features and Enhancements

Defender 5.7. Remote Access User Guide

Nightmare on Delegation Street with Native Active Directory Tools

Foglight. Managing Java EE Systems Supported Platforms and Servers Guide

About Recovery Manager for Active

Active Directory Recovery: What It Is, and What It Isn t

Quest Privilege Manager Console Installation and Configuration Guide

How To Improve Performance Monitoring

10 easy steps to secure your retail network

Getting Agile with Database Development

Managing for the Long Term: Keys to Securing, Troubleshooting and Monitoring a Private Cloud

Quest ChangeAuditor 4.8

Spotlight on Messaging. Evaluator s Guide

Web Portal Installation Guide 5.0

Dell NetVault Backup Plug-in for Advanced Encryption 2.2. User s Guide

Enabling Useful Active Directory Auditing

DATA GOVERNANCE EDITION

2.0. Quick Start Guide

Quest SQL Optimizer 6.5. for SQL Server. Installation Guide

Transcription:

Managing the Risk of Privileged Accounts and Privileged Passwords in Civilian Agencies Reduce Risk while Streamlining Administrative Workflows Written by Dell Software Abstract Even IT environments that have two-factor authentication in place must still deal with many different types of passwords: service account, local account, Windows local administrator and Unix/Linux root account passwords. Managing them in a way that meets requirements can be a tedious full-time job, and can make even a simple job, like applying a hotfix, a complex, multi-step process that introduces far too much risk. With Dell One Identity Privileged Password Manager and Privileged Session Manager from Dell Software, managing privileged passwords is easy and far more secure. This white paper explains how. Introduction Why civilian agencies are adopting two-factor authentication Civilian agencies have come a long way with authentication. Instead of allowing users to authenticate with just usernames and passwords, organizations have implemented some form of two-factor authentication. In addition to well-publicized data breaches and other cybersecurity threats, the primary regulatory driver for improved authentication is Homeland Security Presidential Directive 12 (HSPD-12), issued in 2004. HSPD-12 requires all federal executive departments and agencies to implement a government-wide standard for secure and reliable forms of identification for employees and contractors with access to federal facilities and information systems. In 2005, the National Institute of Standards and Technology (NIST) issued Federal Information Processing Standard (FIPS) 201, Personal Identity Verification of Federal Employees and Contractors. FIPS 201 provides detailed technical specifications for meeting the HSPD-12 mandate. These specifications relate to the issuance of personal identity verification (PIV) cards, integrated with public key infrastructure (PKI), in order to authenticate users for physical and logical access.

Maintaining compliance can require turning a highly-trained security engineer into a full-time password resetter. Even the administrators on agency networks are starting to use dual certificates to perform administrative functions. This provides a solid level of assurance of user identification and ensures non-repudiation. Even with two-factor authentication in place, passwords still present challenges. But even with the security infrastructure of PIV/PKI, there are many instances where passwords are still used on these networks. All IT environments are full of service accounts and local accounts that are tightly woven into the functions of applications. For example, service accounts are used for applications that need to authenticate against either a domain or a local identity repository. These accounts may or may not be assigned any special permissions, but they authenticate with just a password. In addition, All Windows operating systems (servers and workstations) have a local administrator account and other local accounts, and platforms such as Red Hat Linux, Ubuntu, Fedora, Solaris, HP UX and Mac have root accounts. And all of these accounts have passwords. These accounts and their passwords have been treated as incurring an acceptable level of risk. But that risk is becoming more and more difficult to accept. This approach is based simply on hope. There s the hope that the people that have access to these passwords are honorable and will protect them. There s also the hope that they change the passwords at the required intervals to meet compliance requirements. Of course, there s the hope that they will use these accounts only for the purposes intended. Finally, it s based on the hope that, when they leave the organization, these passwords will fade from their memory. That s a lot of hoping, and not the best way to mitigate the risks associated with passwords.. The traditional way to manage privileged passwords Password management becomes a full-time job. Managing passwords to meet requirements has traditionally been a tedious and time-consuming job but doing it right is critical to business continuity. Some organizations have delegated the management of service and administrative account passwords to a security team or even a single person. These passwords must meet specific policy requirements length, duration, strength including those specified by other NIST publications. Maintaining compliance can require turning a highly trained security engineer into a full-time password resetter. Why? When a service account password is reset in a typical Active Directory environment, it must also be entered everywhere the service is running; otherwise, the next time that service restarts, it will fail. This could impact hundreds of servers, cause an application outage and seriously hurt productivity. Most administrators are accustomed to this problem and know that when a service account fails, they need to retrieve the password and reset it on the service to get the application going again. The larger the enterprise, the more pain this will cause. And, unfortunately, this task can be overlooked in the heat of an application failure. Just applying a single hotfix is a multi-step process. In an organization that puts some level of control around privileged passwords, the daily life of an admin can get somewhat complicated. For example, suppose that in my organization, all passwords are managed by the Security department. As an administrator, I need to apply a hotfix to an application, but this hotfix must be applied while I am logged on with the service account. Let s look at all the steps required for this seemingly simple task: 2

1. I need to submit a request to the Security department to justify my need for the password and the timeframe when I plan to use it. 2. A security auditor will consider my request. 3. Upon approval, the auditor will open a safe, retrieve the password and communicate it to me. 4. Now that I have the password, I can log on to the server running the application with the service account. I can then apply my hotfix (and do anything else I want). 5. When I complete my task, I will notify the auditor. The auditor will (or should): 6. Change the password in Active Directory. 7. Connect to each server where the service is running and enter the new password on the running service. 8. Document the new password and lock it back in the safe. Finally the job of applying the hotfix is complete! This may seem like a tedious process but it s close to the right way to do business. These are common procedures and, for the most part, they provide a slightly better security posture than sharing the passwords between administrators. The problems with the traditional process Of course, there are huge holes in this process: The workload and time required to perform these functions Security auditors are some of the most highly skilled people we have. Do we really want to burn hours of their day resetting passwords? Risk of application downtime If the auditor changes the password, but fails to enter it on any one of the servers where the service runs, the service will fail. Too much power The auditor who is tasked with meeting compliance requirements and keeping the network running has no idea what the admin did with that password while he had it. All the auditor can do is hope is that the admin had honorable intentions. Lack of visibility and accountability Probably the most serious problem is all the unknowns. In this scenario, the security auditor has access to the password. If something malicious is done with the account, we have to look to the people who might know the password. Most auditors would not want to be in that position. Moreover, if more than one person has access to the password, auditing is an exercise in futility. The solution: Dell One Identity Privileged Password Manager and Dell One Identity Privileged Session Manager from Dell Software Managing and security privileged passwords is easy and far more secure with Dell One Identity Privileged Password Manager and Privileged Session Manager. Applying a hotfix the easy way, with Dell One Identity solutions For example, the process of applying my hotfix using a service account now looks like this: 1. I open a browser and connect to a web interface for Privileged Password Manager. I look for the service account password I need and request it with a few clicks. 2. A security auditor receives an email saying I have requested the service account, reviews my brief justification, and approves the request. 3. When I receive notification that my request was approved, I reconnect to the web user interface of Privileged Password Manager and am allowed to check out the password for the time specified. I can then log on to the server and do my administration. 4. When I m done, I check in the password. This check-in will automatically: Initiate a password change to a randomly generated password based on an organization policy (for example, a password that has 30 characters, including eight uppercase, eight lowercase and seven special characters) Change the password everywhere the service is running to make sure enterprise applications continue to operate Managing and security privileged passwords is easy and far more secure with Dell One Identity Privileged Password Manager and Privileged Session Manager. 3

Dell s end-to-end security solutions ensure that your users, applications, critical data and mission are protected against internal threats. Benefits The advantages of this process are significant: Time savings Dell One Identity Privileged Password Manager streamlines the workflow for requesting and approving use of a privileged password, saving valuable time. Business continuity Dell One Identity Privileged Password Manager automatically resets the password and changes it everywhere it is required, eliminating the risk of application failure due to password issues. Real-time visibility and accountability The security auditor can decide my justification is valid but may want to audit my actions while I have access. Instead of allowing me to check out the password, he or she can simply grant my session directly to the server. I will receive notification my session request has been approved. Then I will connect to the Privileged Session Manager console, where I will see my approved session request. I ll be connected directly to the console of the server when I need to do my administration. Auditing When I wrap up my work, I simply log out of my session. The security auditor then has the option to review my work through a DVR-like playback. Security If the auditor grants my session directly to the server, I won t even need to know the password for the service account. Conclusion Dell Software s solutions for privileged accounts reduce the risk of improper use of administrative and service accounts through tightly controlled access rules. At the same time, they significantly reduce the manual effort required to manage these privileged identities. Dell s end-to-end security solutions ensure that your users, applications, critical data and mission are protected against internal threats, giving you the power to do more. For more information about Dell Software s solutions for privileged account management, please visit software.dell.com/solutions/privilegedaccount-management. 4

For More Information 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ( Dell ). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. About Dell Software Dell Software helps customers unlock greater potential through the power of technology delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com. If you have any questions regarding your potential use of this material, contact: Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com Refer to our Web site for regional and international office information. 5 TechBrief-ManagingTheRisk-US-SW-23845

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information