Privileged Access Life-Cycle Management: How PALM Enables Security, Compliance, and Efficiency for Enterprise IT




IDC VENDOR SPOTLIGHT

September 2009

Adapted from Worldwide Identity and Access Management 2009-2013 Forecast Update and 2008 Vendor Shares by Sally Hudson and Brian Burke, IDC #219008, July 2009

Sponsored by BeyondTrust Corporation

Strengthening security, maintaining compliance, and achieving efficiencies and economies of scale are top-of-mind issues for enterprise IT executives. In this paper, IDC examines the role of identity and access management (IAM) solutions in addressing these needs and specifically looks at the role privileged access life-cycle management (PALM) can play in helping heterogeneous organizations proactively refine their strategies regarding privileged access management controls, cross-platform monitoring, and automated workflow capabilities. This paper also examines the role that BeyondTrust, formerly Symark International, has in the market for PALM solutions.

The Need for a Strong Security Framework

IAM is a comprehensive set of solutions used to identify users in a system (employees, customers, contractors, etc.) and control their access to resources within that system by associating user rights and restrictions with the established identity. IDC research shows the IAM market will grow to almost $5 billion in product license and maintenance revenue by 2013. The top 3 market drivers for IAM are:

- Compliance. IAM is a key factor in achieving compliance. In fact, compliance drove 85% of IAM purchases in 2008, and we see this trend continuing throughout 2009.
- Security. There is an increased need for security to combat ID fraud, ID theft, and corporate sabotage.
- Cost control/efficiency. As organizations continue to look for ways to leverage their existing systems, vendors that provide seamless integration, ease of use, and manageability are doing well in this market.
Regulatory compliance demands, such as SOX, PCI, GLBA, HIPAA, and JPIPA, are increasing on a worldwide basis. To meet many of these demands, companies rely on a combination of IAM technologies. In today's enterprise, which is usually highly distributed in nature, IAM solutions ideally should incorporate a flowing, automated system capable of facilitating a strong security framework across a variety of systems. Other mandatory requirements in a comprehensive IAM scenario include auditing, archiving, and storage for compliance purposes. Data must be easy to locate and produce for audit. The technology must allow for easy implementation of new controls because the compliance landscape is always changing. A proactive automated system that does not permit out-of-compliance actions to occur is the goal.

In the past, many critical access control issues were adequately addressed by point products. In complex heterogeneous environments, point solutions often fail to scale or integrate, rendering them inadequate for meeting today's security and compliance needs. Further compounding the problem is the lack of tools to monitor these disparate environments.

The Invisible Privileged User

IAM solutions are maturing, and they provide a good set of tools for the management of standard users in an enterprise. Privileged users present some unique scenarios and enterprise risks and as such deserve a focused, specialized approach and toolset. In a recent IDC survey of 433 IT security professionals, 37% of respondents listed internal threats as one of the most serious concerns for their organizations. While internal threats can be a result of employees accidentally misusing root or superuser privileges, many of these threats are motivated by maliciousness, greed, and revenge. Disgruntled employees, especially in tough economic times, can cause and have caused havoc in many high-profile organizations. High-profile, highly publicized examples include the Societe Generale scandal and the Fannie Mae incident, as well as privileged user security incidents at Pacific Energy Resources Ltd. and Quantum Technology Partners and in the city of San Francisco.

Proper segregation of duties (SoD) and proper provisioning and deprovisioning practices are critical in preventing these situations, but organizations must be willing to implement controls that will monitor and manage systems usage at the privileged identity management level. Unfortunately, this area is often tagged as a "do later" when implementing corporate IAM strategy. Privileged access/identity management is essential to thwarting insider threats. This is accomplished via several mechanisms.
While enforcing uniform password policies is a foundation of good corporate security, the ability to control access, delegate administrative privileges, and constantly monitor and take action against administrative actions is necessary for holistic risk mitigation.

Management of Privileged Access in the Heterogeneous Enterprise: An Underserved Community

It should not be surprising that the complexity of managing privileged user accounts grows exponentially in relation to the number of disparate systems within enterprise organizations. This potentially overwhelming scenario often subtly entices IT policy makers to shrink from addressing the issue in any truly adequate fashion. However, with the use of automated monitoring, control, and access technologies, such as those provided by the BeyondTrust PALM framework, companies can now address the privileged user situation with a greater level of ease and efficiency, thereby increasing both security and compliance across the corporation.

What Is PALM?

PALM can be considered a superset of privileged identity management (PIM) or privileged access management (PAM), to use common industry terms. This technology comprises a significant but often overlooked piece of the IAM landscape. PALM provides the infrastructure for centralized policy creation and auditing for access, control, monitoring, and remediation of privileged resources (see Figure 1).

FIGURE 1: Automating Privileged Access Life-Cycle Management

[Figure: diagram of the privileged access life cycle. Callouts shown in the figure:]
- BeyondTrust receives identities from existing provisioning systems
- Role-based, time-bound credentials for privileged access to IT assets
- Centralized policy and auditing capability across all stages
- "Rollback" of changes made to an IT asset by a privileged user
- Manages permissions down to task level, once a privileged user has access
- Concurrent review of actions performed by privileged users

Source: BeyondTrust, 2009

Ideally, a PALM system should work seamlessly across mixed IT environments to provide a centralized point of policy creation, incident monitoring, and change control for privileged access across multiple systems and devices. Functions necessary to achieve this include:

- Provisioning and approvals for privileged access
- Principle of least privilege (sometimes referred to as the principle of least authority or POLA), which gives users only the access and privileges they need to complete the task at hand
- Automated, configurable workflow
- Role-based access control (RBAC) to support SoD, a critical component of all major compliance regulations
- Centralized logging; event and log reviews and approvals to simplify audit and reporting requirements
- Automated policy propagation to allow for policy changes to be automatically distributed across multiple systems in order to reduce cost and complexity in environments
- The ability to roll back undesired changes made by privileged users and to adjust policy to prevent such changes in the future

Benefits of PALM

Global organizations, government agencies, and educational institutions all must meet security compliance and data privacy requirements. PALM can play a significant role in achieving these goals by providing an access control infrastructure for strategic information specifically designed to be stored in Unix, Linux, and Windows environments. This cross-platform capability is no small feat. This approach, however, offers the ability to close the gaps created by the limited security features inherent in native operating systems while protecting digital assets from accidental damage or theft by so-called "trusted users." IDC recommends that organizations consider the solutions shown in Figure 2 when dealing with a privileged user scenario in order to minimize risk and help ensure compliance.

FIGURE 2: Are You at Risk? Checklist and Recommendations

Problem: Many superuser and privileged accounts.
Solution: Analyze every superuser. How critical is this application/resource? Do the individuals holding these privileges place your company at risk?

Problem: Inadequate control policies for access, procedures, and logging.
Solution: Lock down who grants privileged access and changes procedures; strictly control administrative access to logs.

Problem: Shared and/or overlapping administrative responsibilities.
Solution: Correlate the individuals who have overlapping administrative rights. Is it necessary? Are these rights appropriate to the individuals' experience and job description?

Problem: No separation of duties.
Solution: Partition superuser and privileged access. Can the same individual who makes administrative changes also alter the logs?

Problem: Complexities of managing privileged access are magnified in larger organizations with heterogeneous IT environments.

Source: IDC, 2009
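The PALM function list (role-based, time-bound credentials; RBAC that supports segregation of duties; task-level permissions; deprovisioning) and the Figure 2 checklist both reduce to questions an entitlement review can ask of the current set of privileged grants: who holds overlapping administrative rights, whether the person who makes changes can also alter the logs, and which privileges are standing rather than time-bound or have expired without being revoked. The Python script below is an added example written for this page, not code from IDC or BeyondTrust. The role names (sys_admin, log_admin), the SOD_CONFLICTS table, the Grant record layout, the host names and the sample grants are all constructed assumptions; a real review would read the grants from the provisioning system and the policy console instead.

```python
# Added example (not IDC or BeyondTrust code): a privileged-entitlement review
# that asks the Figure 2 questions of a set of grants. Role names, the SoD
# conflict table, the Grant layout and the sample data are all assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Role pairs that one person must not hold on the same system. The Figure 2
# test case is "the person who makes administrative changes can also alter
# the logs"; that is the only pair modelled here (assumed role names).
SOD_CONFLICTS = {frozenset({"sys_admin", "log_admin"})}


@dataclass(frozen=True)
class Grant:
    """One privileged entitlement as a provisioning system would record it."""
    user: str
    role: str                        # task-level role, e.g. sys_admin or log_admin
    system: str                      # the IT asset the role applies to
    granted_at: datetime
    expires_at: Optional[datetime]   # None = standing privilege, not time-bound


def find_sod_violations(grants):
    """Users who hold two conflicting roles on the same system."""
    roles_by_user_system = {}
    for g in grants:
        roles_by_user_system.setdefault((g.user, g.system), set()).add(g.role)
    violations = []
    for (user, system), roles in sorted(roles_by_user_system.items()):
        for conflict in SOD_CONFLICTS:
            if conflict <= roles:
                violations.append((user, system, tuple(sorted(conflict))))
    return violations


def find_overlapping_admins(grants, role="sys_admin"):
    """Systems where more than one person holds the same administrative role
    (the 'shared and/or overlapping administrative responsibilities' row)."""
    holders = {}
    for g in grants:
        if g.role == role:
            holders.setdefault(g.system, set()).add(g.user)
    return {system: sorted(users) for system, users in holders.items() if len(users) > 1}


def find_unbounded_or_expired(grants, now):
    """Standing grants with no expiry (not time-bound), and grants whose expiry
    has passed but which are still present, i.e. were never deprovisioned."""
    standing = [g for g in grants if g.expires_at is None]
    expired = [g for g in grants if g.expires_at is not None and g.expires_at <= now]
    return standing, expired


def review(grants, now):
    """Run every check and return a plain summary suitable for an audit report."""
    standing, expired = find_unbounded_or_expired(grants, now)
    return {
        "sod_violations": find_sod_violations(grants),
        "overlapping_admins": find_overlapping_admins(grants),
        "standing_grants": [(g.user, g.role, g.system) for g in standing],
        "expired_unrevoked": [(g.user, g.role, g.system) for g in expired],
    }


def _utc(*parts):
    """Helper: build a timezone-aware UTC timestamp from (year, month, day, hour, minute)."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: five grants on two hypothetical hosts, reviewed as of NOW.
NOW = _utc(2009, 9, 3, 12, 0)
SAMPLE_GRANTS = [
    Grant("alice", "sys_admin", "db01", _utc(2009, 9, 1, 9, 0), _utc(2009, 9, 2, 9, 0)),   # time-bound, now expired
    Grant("bob", "sys_admin", "db01", _utc(2009, 1, 15, 8, 0), None),                      # standing privilege
    Grant("bob", "log_admin", "db01", _utc(2009, 1, 15, 8, 0), None),                      # same person can edit the logs
    Grant("carol", "log_admin", "web01", _utc(2009, 9, 1, 9, 0), _utc(2009, 9, 10, 9, 0)),
    Grant("dave", "sys_admin", "web01", _utc(2009, 9, 1, 9, 0), _utc(2009, 9, 10, 9, 0)),
]

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_GRANTS, NOW).items():
        print(f"{finding}: {detail}")
```

Running it against the sample data flags bob as holding both the change-making and log-editing roles on db01, reports db01 as a host with overlapping administrators, lists bob's two standing grants as not time-bound, and lists alice's expired grant as still present. Each finding maps to one row of Figure 2, which is the point: the checklist questions are answerable mechanically once privileged grants are recorded per user, per role and per system with an expiry, which is what the role-based, time-bound credential model in the PALM function list provides.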

Market Trends

Crime rises when economies fall. This is already happening in the physical world, as evidenced by reports of increased shoplifting and fraudulent schemes, and it is mirrored in the virtual world. As threats increase, organizations must maintain a robust security posture to guard against organized crime and malicious behaviors from inside and outside the enterprise. Identity and access management will continue to evolve as an integral component of governance, risk, and compliance. Research shows that security professionals are looking toward security and compliance solutions that provide a preventive versus reactive strategy in this area. This will include granular access control, privileged identity management, account discovery and reconciliation, provisioning, and complete deprovisioning of terminated or temporarily suspended employees and contractors across all systems and applications. In the privileged access management area, proactive, preventative measures would (and should) include the ability to manage permissions down to a task level; role-based, time-bound credentials for privileged access to IT assets; and the ability to concurrently review actions performed by privileged users.

Considering BeyondTrust

Founded in 1985, BeyondTrust, formerly Symark International, is based in Agoura Hills, California, and is focused on providing IAM solutions that provide secure, centralized security administration of heterogeneous systems. With the established expertise from Symark in Unix/Linux and the leadership in Windows (via the BeyondTrust acquisition), the new BeyondTrust is an industry leader in providing a comprehensive security and compliance solution for privileged users in all three environments. BeyondTrust enables granular delegation of administrative privileges, user account management, and password management in an integrated solution for Unix/Linux and Windows environments.
More than half of the companies listed on the Dow Jones rely on BeyondTrust to help secure their enterprises, and current customers include many of the world's largest banks, aerospace and defense firms, and U.S. pharmaceutical companies, as well as renowned universities. The company's product portfolio contains the following offerings:

The PowerSeries Management Console v1.0 (PSMC) provides a secure Web-based platform for the automated centralized management of the privileged access life cycle across heterogeneous environments. PSMC integrates with PowerBroker v6.0 and PowerKeeper v4.0 for centralized policy administration. It also provides new policy and incident workflows for privileged policy creation, aggregation of privileged logging and audit data, and automated policy propagation in large-scale deployments. PSMC enables the centralized "policy and audit" section of PALM and assists in the "remediate" section as well.

PowerKeeper is a cross-platform, automated shared account password management solution that focuses on securing and monitoring access to privileged accounts. The product is delivered as a hardened appliance with a sealed operating system, or as a virtual appliance, that creates and secures privileged accounts through automated password management, encryption, and secure storage of credentials. The product's configurable security features allow IT professionals to create unique solutions to fit within their often highly individualized heterogeneous IT environments and compliance requirements. PowerKeeper enables the "access" section of PALM for Unix/Linux, Windows, and other platforms.

PowerBroker is a comprehensive IT security and accountability solution designed to implement a consistent protocol of access control across most Unix/Linux platforms. PowerBroker allows system administrators to delegate administrative privileges and authorization without disclosing the root password. Administrators also gain the ability to grant selective access to other Unix/Linux applications and corporate resources. Reporting, including the ability to report on user entitlements, is also incorporated into the platform. PowerBroker enables the "control" and "monitor" sections of PALM for Unix/Linux.

Privilege Manager enables organizations to remove administrator rights and allow end users to run all required Windows applications, processes, and ActiveX controls. By eliminating the need to grant administrator rights to end users, IT departments can create a more secure, compliant, and standard environment. Privilege Manager enables the "control" and "monitor" sections of PALM for Windows.

PowerADvantage is an integrated authentication and configuration application that leverages a company's investment in Active Directory by extending its functionality beyond the Windows operating environment to heterogeneous Unix/Linux environments. PowerADvantage integrates Unix and Linux hosts into Active Directory and provides features not supplied by Microsoft's Services for Unix program. PowerADvantage streamlines and secures user access across a diverse IT portfolio, enables a centralized management of identity, and significantly reduces security risks while supporting compliance. PowerADvantage contributes to the "provision" section for enabling PALM.

Future Directions

The launch of the PALM framework is a strong indicator of the strategic direction of BeyondTrust. With established expertise in Unix/Linux and Windows, BeyondTrust is an industry leader in providing a comprehensive security and compliance solution for privileged users in all three environments.
BeyondTrust's future direction is to continue to leverage its privilege management DNA and technology assets to extend PALM capabilities to multiple platforms, applications, and device classes, with a focus on efficiently mitigating the security and compliance risks associated with privileged access.

Challenges

The greatest obstacle BeyondTrust faces is the lack of market understanding and awareness, coupled with a certain element of corporate denial that privileged user problems do exist. PALM technology is not optional; it is critical to organizations today. Penalties for compliance breaches are harsh and getting harsher. This situation, coupled with loss of consumer confidence and the resulting publicity, can irrevocably damage an organization indefinitely from both a financial standpoint and a reputation/reliability standpoint.

Conclusion

The growing body of disclosure law governing security breaches and data loss incidents will result in increased use of products that can create and enforce security policy and provide information required by auditors. It also requires that products that aggregate data and event management have the ability to identify and remediate internal threats based on user privileges. In today's tough economic climate, corporate spending is cut to the bare essentials. Fortunately for the IAM market, bare essentials include IAM products and services with demonstrable track records of enhancing security and meeting compliance regulations. Reducing cost, cutting risk, and meeting compliance are top of mind for organizations today. Identity and access management is positioned to help enterprise IT meet these needs. We believe technology approaches such as BeyondTrust's PALM offering can close existing security gaps within the heterogeneous privileged user world and consequently help enterprise organizations meet the growing requirements for compliance. IDC believes that the issues surrounding privileged user identities and management will continue to surface as companies realize they can no longer take an ostrich approach to this situation. We feel that the interest in and demand for product solution sets such as PALM will steadily grow as vendors such as BeyondTrust work to address the complex needs of organizations with heterogeneous enterprise IT environments.

About This Publication

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

Copyright and Restrictions

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC, visit www.idc.com. For more information on IDC GMS, visit www.idc.com/gms.

Global Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200, F. 508.935.4015, www.idc.com