Commentary
9/10/2009
11:32 AM
Fritz Nelson

Whiteboard Video: Privileged Identities

Every time I'm around information security people I get scared. Their understanding of the potential for vulnerability is daunting enough, even when they aren't consistently flaunting the dangers. Lieberman Software's president, Phil Lieberman, must have started at least 30 sentences with "But what's really scary . . . " We were just missing the marshmallows and hooting owls, and all we were talking about was managing passwords.

Lieberman was awash in stories, like the one about an IT guy who said he gets paid whether there are breaches or not, and the security team that told him that because they didn't get caught in an audit there was no funding for security technology this year. Or companies that buy technology and never put it in place; they only have it to prove to auditors that they are taking action. Or about the auditors you can find who will guarantee you'll pass your PCI audit for a certain amount of money.

But no matter where you look there are thieves, miscreants and liars, and that was part of Lieberman's point: some of the security problems are technology related, but still too many of them are related to human nature, and human nature sometimes leads us to inaction, to taking risks, to saving money, to saving time.


In the video above, Lieberman outlines some specific problems in this regard, primarily in the area of privileged accounts and privileged identities. In the former, he says we create all-too-frequent, unfettered access to critical hosts (like the CEO's PC) under the assumption that just because someone on the help desk is on the help desk, he or she can have that unfettered and timeless access (including, potentially, after they've left the company). In the latter, there's a scale issue: hundreds or thousands of servers, applications and other hosts, each with their own password requirements and managed under a single domain. For both problems, it's easiest to just have a simple set of passwords that rarely change.
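The three failure modes in that paragraph (standing access that outlives the person, privileged passwords that never rotate, and one shared password reused across many hosts) are all things an organization can check for itself before buying anything. The script below is an added example, not code from the article or from Lieberman Software; it runs over a small constructed inventory of privileged accounts (hypothetical host and account names) of the kind a directory or credential-vault export would provide, and flags stale secrets, accounts whose human owner has already left, and secrets shared across hosts. Only a fingerprint of each secret is stored, never the secret itself; the 90-day rotation window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class PrivilegedAccount:
    host: str
    account: str
    last_rotated: date              # when the secret was last changed
    owner: str                      # person or team responsible for the account
    owner_separated: Optional[date] # date the human owner left, if they have
    secret_fingerprint: str         # keyed hash of the secret; the secret itself is never stored here


# Constructed sample inventory (hypothetical hosts/accounts, not from the article).
INVENTORY = [
    PrivilegedAccount("ceo-laptop-01", "helpdesk_admin", date(2008, 1, 15), "jdoe", date(2009, 3, 1), "fp-aaaa"),
    PrivilegedAccount("db-server-07", "sa", date(2009, 8, 30), "dba-team", None, "fp-bbbb"),
    PrivilegedAccount("app-server-12", "svc_batch", date(2007, 6, 1), "ops", None, "fp-aaaa"),
    PrivilegedAccount("file-server-03", "administrator", date(2009, 9, 1), "ops", None, "fp-cccc"),
]

MAX_AGE = timedelta(days=90)  # assumed rotation policy


def stale_passwords(inventory, today, max_age=MAX_AGE):
    """Accounts whose secret has not been rotated within max_age."""
    return sorted(f"{a.host}/{a.account}" for a in inventory
                  if today - a.last_rotated > max_age)


def orphaned_accounts(inventory, today):
    """Accounts still provisioned although their human owner has already left."""
    return sorted(f"{a.host}/{a.account}" for a in inventory
                  if a.owner_separated is not None and a.owner_separated <= today)


def shared_secrets(inventory):
    """Groups of accounts (across hosts) that share one secret fingerprint."""
    by_fp = {}
    for a in inventory:
        by_fp.setdefault(a.secret_fingerprint, []).append(f"{a.host}/{a.account}")
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def audit(inventory, today):
    """Run all three checks and return the findings as one dict."""
    return {
        "stale": stale_passwords(inventory, today),
        "orphaned": orphaned_accounts(inventory, today),
        "shared": shared_secrets(inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(INVENTORY, date(2009, 9, 10)), indent=2))
```

Each finding maps to one of the article's points: a stale secret is the "passwords that rarely change" problem, an orphaned account is the help-desk access that survives the employee's departure, and a shared fingerprint is the "simple set of passwords" reused across hosts. Replacing the constructed list with a real export and running this on a schedule gives the audit trail the article says companies otherwise buy technology merely to pretend they have.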

Naturally Lieberman (among a host of players) makes technology that can automate and manage all of this, but the more important aspect of all of this is that the answer lies not in the technology, but in whether companies see this as an important enough issue; whether they see the risk as great enough to invest the time and the money to implement complex solutions.
