Why You Must Close the Security Hole of Privileged and Shared Accounts
(28/05/2009)
One only has to consider the case of Jérôme Kerviel, the rogue trader at French bank Société Générale, who used multiple shared passwords and accounts to execute fraudulent trades, to appreciate the risks shared account logons pose to the modern organisation. Kerviel’s actions cost the bank €4.9bn and serious ramifications were felt across the global financial markets.
The City of San Francisco found itself in a similar situation last year when a disgruntled network administrator, Terry Childs, reset all administrative passwords to the routers for the city’s wide area network. His actions prevented administrators from managing the system as he essentially held the City to ransom.
What these two stories demonstrate is that failing to manage shared passwords adequately can expose organisations to serious vulnerabilities, particularly in the case of privileged accounts where a disgruntled employee could potentially have the power to hold an entire network hostage.
Keeping track of privileged user and shared access accounts is also important for accountability. Unfortunately, however, many organisations simply don't know for sure who has access to shared passwords. Far too often, the entire IT department knows the details of what is supposed to be a limited-access password. According to a 2008 survey of its members by the Independent Oracle Users Group, nearly 40 per cent of organisations had no way of monitoring the abuse of data by privileged account users.
As a result of high-profile incidents like those at the City of San Francisco and Société Générale, legislation and industry regulations such as PCI DSS are increasingly prohibiting the sharing of accounts between users. But this causes big headaches for many IT managers in both the public and the private sector, as shared and privileged accounts have become a necessary component of today’s enterprise IT infrastructure.
All kinds of employees, from office administrators and temporary workers to nurses and civil servants require access to shared account logons for enterprise applications and systems for all kinds of reasons. IT managers therefore need to strike a balance between providing the flexibility required to meet end users’ needs and ensuring security and compliance with corporate policy and the latest industry regulations and legislation.
So, how do they protect themselves from the risks in a cost-effective manner?
To make certain of compliance - and to ensure that IT applications and systems are secure - organisations need to know who is using what shared account and when. They need absolute certainty, so they can identify the culprit if data is stolen, changed or deleted. They also need to be able to demonstrate this information in a clear audit trail.
The first step is to put in place a scalable and flexible method for regularly changing passwords, as well as a reliable way of ensuring that all passwords generated are unique on every system and suitably complex.
The second step is to centralise shared account storage and control so that a user must make a request to use a shared password. This can then be approved or denied based on pre-established policies set by the organisation. This ensures that the organisation has visibility and hence control each time a privileged credential is accessed or used.
The more people who know a password the greater the threat it poses to an organisation. So the next step is to ensure that all passwords for shared accounts are concealed so that a user never actually knows the password of an account that is checked out. This prevents the inadvertent or malicious sharing of passwords, as well as sabotage by rogue administrators. To facilitate regulatory compliance it is also important to tie shared account usage to the user within the organisation’s identity management system so that the actual user of a shared password is known at all times.
For some particularly sensitive accounts organisations might also want to consider controlling the usage of privileged or shared passwords by policy, for example by setting a limited time window for their use or prescribing a maximum number of logons. A further security measure could be to introduce two-factor authentication at the point of logon to ensure that the person using the account is actually the person authorised to check it out.
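As an added illustration that is not part of the original article, the following Python sketch models the steps above in one in-memory vault: per-system generated passwords, policy-gated check-out (approved users, time window, maximum logons, a second factor), concealment of the password behind a session handle, and an audit trail that ties every check-out to a named user. All account names, policy values and the handle scheme are constructed assumptions, not any vendor's product.

```python
import hashlib
import secrets
import string
from datetime import datetime, timedelta

# Constructed, in-memory model of a shared-account vault (example only).
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_password(length=20):
    """Step one: a unique, suitably complex password for one system."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

class CredentialVault:
    """Steps two to four: central store, policy-gated check-out, concealment, audit."""
    def __init__(self, policy, now=datetime(2009, 5, 28, 9, 0)):
        self.policy = policy      # account -> {"approved": set, "window": (h1, h2), "max_logons": n}
        self.passwords = {}       # account -> current password; never returned to a user
        self.logons = {}          # account -> check-outs since the last rotation
        self.audit = []           # (time, event, account, user): every use tied to an identity
        self.now = now            # injectable clock so the time-window rule is testable

    def rotate(self, account):
        self.passwords[account] = generate_password()
        self.logons[account] = 0

    def request_checkout(self, user, account, mfa_ok):
        rule = self.policy[account]
        if not mfa_ok:
            reason = "mfa_failed"
        elif user not in rule["approved"]:
            reason = "user_not_approved"
        elif not rule["window"][0] <= self.now.hour < rule["window"][1]:
            reason = "outside_time_window"
        elif self.logons.get(account, 0) >= rule["max_logons"]:
            reason = "max_logons_reached"
        else:
            reason = None
        self.audit.append((self.now, "denied" if reason else "checkout", account, user))
        if reason:
            return {"granted": False, "reason": reason}
        self.logons[account] = self.logons.get(account, 0) + 1
        # The requester gets a short-lived handle; the vault injects the password itself.
        handle = hashlib.sha256(f"{account}:{user}:{self.now.isoformat()}".encode()).hexdigest()[:16]
        return {"granted": True, "handle": handle, "expires": self.now + timedelta(hours=1)}
```

Calling `rotate` again after each check-in is what makes a concealed password single-use in practice.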
The loss of revenue and the damage to their reputations suffered by the City of San Francisco administration and Société Générale could so easily have been avoided if they had put these relatively low cost security measures in place. Solutions for managing shared credentials can provide a simple, secure and audit-ready approach to providing system and application access for administrators, temporary workers and others who must share account passwords. They dramatically reduce the risk that enterprise systems will be compromised by the unauthorised use of privileged accounts.
Not only does this close the security gaps associated with shared password management but it also provides a cost efficient way for organisations to comply with data protection and PCI DSS regulations that prohibit the sharing of accounts between users.