Everyone knows they should securely manage their user-account information, but what about administrative accounts? They're important, so why aren't they under the same microscope? Michael Kassner shares some things he learned while implementing an ID management system.
A client recently asked me to come up with a quote for an identity management system. The client's organization is relatively small, so I was surprised at the request. Still, I assured the client that I'd check into it right away. Can't be that difficult, it's just managing passwords, right? Well, not exactly. Here's what I discovered.
Note: This article is also available as a download that includes a PDF version and a PowerPoint presentation.
What is an identity management system?
In the process of researching identity management, I came across this definition by the Burton Group:
"Identity management is the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies."
What I began to realize
After several days of research, I began to understand the importance of identity management, especially for administrative accounts since they're the "keys to the kingdom." Remember Terry Childs? I also realized there's a lot more to it than just passwords. Fortunately, I knew a consultant who'd been through the process before.
What I was able to learn
With the consultant's help, the project proceeded smoothly. At signoff, she could tell I was pretty excited about identity management and said, "Why not write about it?" At first I didn't think so, not feeling qualified. But then I realized I could at least share what I had learned. So here goes.
1: Determine how many administrative passwords there are
Initially, this seemed trivial. But it can get murky real fast. Besides administrators, every application needing admin rights could have a distinct username and password.
For example, the backup application needs admin rights to access all the data files. It's almost guaranteed that auditors will ask for this information, so you might as well have it ready for them.
2: Establish who has what access
Think number one was difficult? Try asking people what access rights they have. Even people I thought would know didn't.
This can be simple if some type of network management system like Active Directory is in place. If not, it becomes a long drawn-out (but essential) process.
3: Consolidate and automate password management
Creating individual passwords isn't that difficult. What can be difficult is trying to manually manage all of the existing user, application, and device passwords, even in a small organization. Actually, it may be more difficult for an SMB, especially if IT is outsourced.
4: Create a policy defining password properties
An all-encompassing policy outlining the creation and use of passwords gets everyone on the same page. Without it, inconsistencies usually abound, especially in larger organizations with remote sites and multiple administrators.
For example, one admin thinks an eight-character password changed every six months is okay, but someone else requires a 13-character password changed every week.
5: Limit unconditional rights
The concept of all or nothing is alive and well when it comes to access control. You're either an admin with unfettered access or a user so locked down that Windows update doesn't even work right.
That approach may have worked before. But in today's world, free rein may not be in the company's best interest. Adding more levels of access or on-demand access can be beneficial by increasing security and creating a more efficient working environment.
6: Create a policy for disabling user accounts when employees leave
This may seem obvious, but there are countless examples on the Web of let-go employees still having access. Setting up a policy isn't that difficult and it will go a long way toward preventing regrettable situations.
Also, a clear and concise policy will prevent administrators from freelancing when it comes to disabling user accounts. They know exactly what to do and when to do it.
7: Implement a secure method for protecting identity files
Ensuring that identity files including passwords are securely stored and travel over the network in an encrypted format is vital. Most regulating bodies demand it.
This may be difficult for smaller organizations to pull together, as it requires a network-management system at minimum. For example, Active Directory accomplishes this by using Kerberos and a Key Distribution Center.
8: Audit administrative activities
The holy grail of an attacker is administrator (super user) access. It makes no difference whether the attack is from inside or outside the network perimeter; administrative rights are required to alter existing system conditions.
Capturing information about events that require elevated access is the best way to determine if and when an attack occurred. Besides, activity auditing is a healthy deterrent to illegal employee activity, a conclusive record for auditors, and evidence if criminal or civil legal action is warranted.
9: Convey the importance of password security
Ninety percent of all successful insider attacks start out by social engineering a password from a well-intentioned employee. So any identity management system, no matter how well thought out, will fail miserably if users and administrators are not educated and vigilant about keeping their passwords secure.
10: Management needs to buy in
Management buy-in is crucial for identity management to work. It's required to garner top-to-bottom employee acceptance of security measures, as well as to get financial support for the project.
The best way I know of to accomplish this it to convince management that the project will return a favorable ROI. Luckily, there are many case studies on the Web that can be cited as examples.
The more security-conscious organizations are taking a hard look at who needs elevated access rights and how to manage those accounts. I see no reason why all of us shouldn't be doing the same.
Special thanks to fellow ISSA member Adam Bosian. His article "Privileged ID Management" in the May 2009 ISSA journal was an excellent resource.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.