Whiteboard Video: Privileged Identities

Every time I'm around information security people I get scared. Their understanding of the potential for vulnerability is daunting enough, even when they aren't consistently flaunting the dangers. Lieberman Software's president, Phil Lieberman, must have started at least 30 sentences with "But what's really scary . . . " We were just missing the marshmallows and hooting owls, and all we were talking about was managing passwords.Lieberman was awash in stories, like the one about an IT guy who said he gets paid whether there are breaches or not, and the security team that told him that because they didn't get caught in an audit there was no funding for security technology this year. Or companies that buy technology and never put it in place; they only have it to prove to auditors that they are taking action. Or about the auditors you can find who will guarantee you'll pass your PCI audit for a certain amount of money.

But no matter where you look there are thieves, miscreants and liars, and that was part of Lieberman's point: some of the security problems are technology related, but still too many of them are related to human nature, and human nature sometimes leads us to inaction, to taking risks, to saving money, to saving time.

;

In the video above, Lieberman outlines some specific problems in this regard, primarily in the area of privileged accounts and privileged identities. In the former, he says we create all-too frequent, unfettered access to critical hosts (like the CEOs PC) under the assumption that just because someone on the help desk is on the help desk, he or she can have that unfettered and timeless access (including, potentially, after they've left the company). In the latter, there's a scale issue: hundreds or thousands of servers, applications and other hosts, each with their own password requirements and managed under a single domain. For both problems, it's easiest to just have a simple set of passwords that rarely change.

Naturally Lieberman (among a host of players) makes technology that can automate and manage all of this, but the more important aspect of all of this is that the answer lies not in the technology, but in whether companies see this as an important enough issue; whether they see the risk as great enough to invest the time and the money to implement complex solutions.