IDC TECHNOLOGY SPOTLIGHT

Can Security Make IT More Productive?

December 2015

Adapted from Worldwide Identity and Access Management Forecast, 2015-2019 by Pete Lindstrom, IDC #259561

Sponsored by Thycotic

Given an endless stream of breaches, increasing damage to brand reputation, forced resignations of senior executives, costly remediation, and loss in revenue, security is finally being taken seriously. It is now seen as something that the business should prioritize and embrace as a strategic advantage.

Technological innovation is often seen as a strategic advantage for modern businesses. However, IDC data shows that innovations driven by business units are often derailed by IT security concerns. This exacerbates executive management's negative perception. IDC believes that security is slowly undergoing a transformation from negative to positive and from obstruction to enablement. This enablement not only secures users but also can make IT more secure and productive by improving the user experience while automating tedious and error-prone processes. This Technology Spotlight examines these issues and the role that Thycotic solutions play in addressing associated challenges.

Introduction

Identity and access management (IAM) has always been a market that is somewhat separate from the rest of security solutions because it is much more about "letting the good guys in" than about "keeping the bad guys out." Enterprises will find out this year that these are two sides of the same coin. As attackers increasingly target "insider" accounts (e.g., employees, partners, contractors, consultants, and customers) to get access to networks, servers, applications and, most importantly, data, IAM has become critical. For attackers, just taking over low-level accounts is the first step.
The next step is for attackers to capture administrative (i.e., "admin") accounts so that they can escalate their access privileges to applications, data, and administrative functions. The latter category is very important because it enables attackers to conceal their activities from legitimate admins. In this context, privileged account management (PAM) is an important segment of the array of IAM solutions currently available. Among all IAM submarkets, PAM is growing the fastest because of the threat environment and the fact that many administrative environments have fewer security controls than the end-user accounts they manage.

For example, IDC did a casual poll at a closed meeting of IT security administrators. When we asked how many administrators were still using default account names and passwords, roughly one-third of the administrators raised their hands. Moreover, entire departments were often sharing the same accounts and password credentials despite the fact that they require employees to rotate passwords and implement multifactor authentication. When IT security admins are asked why they put themselves and their companies at such a high risk, they cited crushing workloads, stingy budgets, and the need to frequently cover for other admins. Moreover, the inconvenience of applying these controls to themselves was just too much hassle, and "they all know and trust one another." However, they all recognize the ambiguity of this situation and the need for PAM.

US40784215
Definitions

Identity and access management is a comprehensive set of solutions used to identify users (employees, customers, contractors, etc.) in an IT environment and control their access to resources within that environment by associating user rights and restrictions with the established identity and assigned user accounts. Subcategories of the IAM market include identity management suites, user provisioning, PAM, single sign-on (SSO), advanced authentication (software for both public key infrastructure [PKI] and personal portable security devices such as smart cards and one-time password [OTP] tokens), and legacy authorization, such as Resource Access Control Facility (RACF) and Access Control Facility 2 (ACF2). PAM provides password vaults, session monitoring and recording, and fine-grained authorization for user accounts not assigned to a normal user (superusers, shared accounts, service accounts, etc.).

What Is PAM, and Why Is It Needed?

PAM is foremost on the minds of enterprises as they defend against credential theft and other account compromise. The focus on shared accounts and partner access continues to drive the need. Furthermore, the architecture lends itself to broader use as user activity monitoring and dynamic authentication become more popular. The privileged account management space continues its strong growth.

It's critical to secure privileged accounts in today's environments. Privileged accounts are used in many devices, including servers, operating systems, and databases. Attackers target privileged accounts to gain access and escalate their privileges, eventually gaining access to confidential information. Because these "bad actors" are using the privileged credentials of an authorized user, they can be very difficult to detect once access has been achieved.
The situation is worsened by:

- Unknown and unmanaged admin accounts
- "Privilege creep" that unwittingly causes low-level admins to accumulate dangerously high levels of privilege over the years
- Default accounts and passwords that were never changed
- Superuser/root accounts and passwords that are shared among many admins

To address these issues, many companies still rely on manual systems, which IDC strongly believes are inefficient and ineffective. Automated PAM technology and solutions offer the capability to make systems easier to use and operate and more secure at the same time. The key elements and benefits of automated capability include:

- Discovery
- Single sign-on
- Access from and to multiple platforms
- Simple user interface for policy creation and enforcement
- Automation of compliance reports
- Reduction in manual tracking of updates
- Rotation of privileged credentials

2015 IDC
Enhancing Admin Productivity and Corporate Security

IT security is often seen as an obstruction, so the notion of security systems that improve user experience, increase admin productivity, and decrease IT risk is an idea whose time has come. IDC believes that to accomplish this, such systems must be:

- Seamless
- Simple
- Automated
- Secure

PAM should be seamless. Tools should support the business by allowing IT administrators to do their jobs without slowing them down. This means that usability and efficiency are top of mind while still allowing for the appropriate security controls to be in place. Security tools don't need to be cumbersome; they can be efficient and secure if implemented correctly. All activities should be monitored from a single console and integrate with the discovery of admin credentials in applications. "Seamless" means common tools, automated activities, and reduced need for costly integration consulting. This enables admins to focus on their projects and avoid distractions from multiple consoles, manual processes, and disruptive upgrades that require additional integration activities. While maintaining proper controls, select admins should have access from anywhere at any time via mobile.

PAM should reduce complexity. Customers should look for simple solutions to problems. Tools should be designed with simplicity in mind. Every piece of complexity in security tools is a barrier to adoption, an invitation to circumvention, an obstacle to successful deployment, and a potential security risk. For example, SSO should work with a vault to automatically check out needed credentials and automatically return the credentials to the vault after the task is completed.

PAM should automate common tasks. Automated security functions are a contradiction in terms for many professionals, but many shops are seeing the necessity of some automation. The process of checking out and automatically checking in credentials is only part of the story.
To prevent phishing and other credential-stealing attacks, passwords should be rotated after each use with the SSO function, thereby shielding admins from this inconvenience. Moreover, discovery of new applications and their credentials should be automated to prevent vulnerabilities and ensure that PAM processes are almost always in compliance with internal and external regulations.

PAM should be secure. While automated processes improve security rigor, access controls and monitoring are also needed:

- Logging is critical, but it must be accompanied by real-time monitoring and playback so the full session can be examined and any collateral damage quickly discovered.
- Desktop or mobile access can be restricted (e.g., specific GPS coordinates linked to IP address, physical location linked to network activity, time of day/day of week restrictions).
- Anomaly monitoring can reveal when an attacker has escalated privilege by capturing a legitimate admin's access.
- Rotating passwords after every session can reduce the exploitation time for a compromised password to minutes.
- Real-time monitoring against compliance controls can automatically disable access when contractors or consultants exceed their access privileges.
- Automatically disabling accounts when admins leave the company prevents continued access.
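The check-out/check-in cycle, rotation after every session, time-of-day restriction, and automatic disabling on offboarding described above can be modelled in a few dozen lines. The following is an added example written for this page, not Thycotic code and not a description of Secret Server's internals; the account name "root@db01", the admin "alice", the 07:00-19:00 window and the audit-log wording are constructed. Its point is the one the list makes: a password captured while a session is open stops working the moment the session is checked in, so the exploitation window shrinks to the session length.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Constructed example of the PAM controls discussed above; not vendor code.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 24) -> str:
    """Fresh password from the OS CSPRNG; every check-in rotates to a new one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class VaultError(Exception):
    """Raised when a check-out or check-in is refused by policy."""


@dataclass
class Session:
    session_id: str
    account: str
    admin: str
    started: datetime
    ended: Optional[datetime] = None


class Vault:
    """Holds one current password per privileged account and enforces policy."""

    def __init__(self, window: Tuple[time, time] = (time(7, 0), time(19, 0))) -> None:
        self.window = window                    # assumed permitted check-out hours
        self._passwords: Dict[str, str] = {}    # account -> current password
        self._holder: Dict[str, Session] = {}   # account -> open session
        self._admins: Set[str] = set()          # admins allowed to check out
        self.audit: List[str] = []              # append-only log (what a SIEM would ingest)

    def add_account(self, account: str) -> None:
        self._passwords[account] = generate_password()   # never keep the default
        self.audit.append(f"account {account} onboarded, password rotated")

    def add_admin(self, admin: str) -> None:
        self._admins.add(admin)

    def check_out(self, account: str, admin: str, now: datetime) -> Tuple[Session, str]:
        if admin not in self._admins:
            raise VaultError(f"{admin} is not an active admin")
        if not (self.window[0] <= now.time() <= self.window[1]):
            raise VaultError(f"check-out of {account} refused at {now.time()}")
        if account in self._holder:
            raise VaultError(f"{account} is already checked out")
        session = Session(secrets.token_hex(8), account, admin, now)
        self._holder[account] = session
        self.audit.append(f"{session.session_id}: {admin} checked out {account}")
        return session, self._passwords[account]

    def check_in(self, session: Session, now: datetime) -> None:
        if self._holder.get(session.account) is not session:
            raise VaultError("session is not open")
        session.ended = now
        del self._holder[session.account]
        self._passwords[session.account] = generate_password()   # rotate after every use
        self.audit.append(f"{session.session_id}: {session.account} checked in, password rotated")

    def offboard_admin(self, admin: str, now: datetime) -> None:
        """Leaver process: revoke the admin and close (and rotate) anything they hold."""
        self._admins.discard(admin)
        for session in [s for s in self._holder.values() if s.admin == admin]:
            self.check_in(session, now)
        self.audit.append(f"{admin} offboarded")

    def authenticate(self, account: str, password: str) -> bool:
        return secrets.compare_digest(self._passwords.get(account, ""), password)


def exposure_window(vault: Vault, account: str, admin: str, start: datetime, end: datetime) -> bool:
    """True if a password seen during the session is live during it and dead after check-in."""
    session, captured = vault.check_out(account, admin, start)
    live_during = vault.authenticate(account, captured)
    vault.check_in(session, end)
    return live_during and not vault.authenticate(account, captured)


def run_demo() -> Dict[str, bool]:
    vault = Vault()
    vault.add_account("root@db01")   # constructed account
    vault.add_admin("alice")         # constructed admin
    day = datetime(2015, 12, 1)
    results: Dict[str, bool] = {}
    results["captured_password_dies_on_checkin"] = exposure_window(
        vault, "root@db01", "alice", day.replace(hour=10), day.replace(hour=10, minute=20))
    try:
        vault.check_out("root@db01", "alice", day.replace(hour=23))
        results["after_hours_refused"] = False
    except VaultError:
        results["after_hours_refused"] = True
    session, pw = vault.check_out("root@db01", "alice", day.replace(hour=11))
    vault.offboard_admin("alice", day.replace(hour=11, minute=5))
    results["offboarding_rotates_and_closes"] = session.ended is not None and not vault.authenticate("root@db01", pw)
    try:
        vault.check_out("root@db01", "alice", day.replace(hour=12))
        results["offboarded_admin_refused"] = False
    except VaultError:
        results["offboarded_admin_refused"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Running the module prints four checks that should all be true. The audit list plays the role of the log the text says must accompany monitoring: each check-out and check-in carries a session id, so a reviewer can tie a captured credential to the session in which it was exposed and confirm it was rotated at check-in.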
Considering Thycotic

Thycotic offers privileged account password management and security solutions. The core product is Thycotic Secret Server, which is designed to quickly and automatically identify and securely store privileged accounts in a relatively short period of time. The product has been installed in over 3,500 organizations worldwide, including Fortune 500 enterprises.

Secret Server audits, analyzes, and manages privileged user and account activity. It uses automatic password rotation and alerts security teams to abnormal use of credentials. It's also designed to facilitate adherence to compliance standards using a tool that provides privileged account best practice policies. The system also collects, records, monitors, and manages privileged activity so that security teams can know how privileged accounts are being used in order to deter abuse. It also provides the SOC with a full view of privileged activity through SIEM integration. Nonrepudiation evidence is made available for auditors through active recording and monitoring.

Secret Server offers multiple layers of built-in security with easy access management for IT admins, robust segregation of role-based duties, and AES 256-bit encryption. It's designed to be highly scalable and support large-scale distributed environments. All major operating systems, databases, applications, hypervisors, network devices, and security appliances for on-premises and cloud are supported. Secret Server also offers high-availability disaster recovery options as well as hot backups and database mirroring.

Secret Server enables the use of scripts to customize how functions behave, thereby allowing admins to build custom launchers to connect with hosts, applications, or other software using PowerShell, Perl, or other types of scripting language.
It also offers the following capabilities:

- Password Reset Server provides self-service password management to free up IT help desk staff from time-consuming and inefficient processes and enforces stronger end-user password controls.
- Group Management Server empowers non-IT personnel to securely manage their department's Active Directory groups without assigning them a privileged account.

Challenges

Thycotic faces a few challenges. IDC believes that although the company has limited cloud support today, it will need certificate authority capabilities, extended discovery and control for cloud infrastructure, and increased support for cloud-based business applications.

Conclusion

PAM is foremost on the minds of enterprises as they defend against credential theft and other account compromise. It's critical to secure privileged accounts in today's environments. However, attaining security goals is not enough. Doing so in a way that preserves IT productivity is also important, by making systems as simple and automated as possible. Security tools don't need to be cumbersome; they can be efficient and secure if implemented correctly. Thycotic has made these attributes a major goal of its product strategy, thereby improving the admin's job satisfaction and productivity. We believe that Thycotic is one of the few PAM companies that understand that PAM is an elastic combination of seamless integration, simplicity, and automation that enhances compliance and security. To the extent that Thycotic can address the challenges described in this document, IDC believes the company is well positioned for success in the PAM market.
ABOUT THIS PUBLICATION

This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document require an additional license from IDC.

For more information on IDC, visit www.idc.com. For more information on IDC Custom Solutions, visit http://www.idc.com/prodserv/custom_solutions/index.jsp.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200 F. 508.935.4015 www.idc.com