Skip Links

Revealing the 'cracks' in provisioning

Data breeches can occur when not enough attention is paid to account and access governance

Security Identity Management Alert By Dave Kearns, Network World
May 14, 2010 12:12 PM ET
Kearns
Sign up for this newsletter now!

The foundation for security and enterprise management

At the recent European Identity Conference, Cyber-Ark's Shlomi Dinoor (he's vice president of Emerging Technologies) emphasized to me that nothing is ever 100% in IdM. While our topic was "Security and Data Portability in the Cloud" he wanted to remind me that provisioning -- the oldest of IdM services -- was still somewhat problematic. He did this by pointing me to a recent article in Dark Reading: "Database Account-Provisioning Errors A Major Cause Of Breaches."  

Data breech costs top $200 per customer record

In the article author Ericka Chickowski points to a recent data breech:

"Take the case of Scott Burgess, 45, and Walter Puckett, 39, a pair of database raiders who were indicted this winter for stealing information from their former employer, Stens Corp. Burgess and Puckett carried out their thievery for up to two years after they left Stens simply by using their old account credentials, which were left unchanged following their departures. Even after accounts were changed, the duo were subsequently able to use different log-in credentials to continue pilfering information."

The problem is that too often we concentrate on the mechanisms of provisioning (and even de-provisioning) without paying enough attention to account and access governance.

But even more problematic can be those accounts that aren't particularly identified with a user.

Phil Lieberman, of Lieberman Software (who was also with me in Munich), says that organizations: "have to ask themselves the question, 'Where do we have accounts? Tell me all of the places where we have accounts, and tell me all the things they use these accounts for.'" He goes on to say: "And the second question is, 'So we're using these accounts -- when were those passwords changed? And if we're using those accounts, what is the ACL [access control list] system we're using, and when was the last time we checked the ACL system?' And finally, 'We have audit logs being generated by these databases -- are we analyzing these audit logs looking for patterns that indicate abuse?'"

Lieberman and Dinoor both represent companies in the "emerging" (in quotes, because the discipline goes back dozens of years, yet it's a hot topic today) Privileged User Management (PUM) space, also called PAM (Privileged Access Management) or PIM (Privileged Identity Management). PUM is the discipline to create, maintain and remove critical accounts (administrator on Windows, root on Unix, the DbA on a database and so on). These accounts represent the "cracks" in provisioning through which data gets breeched. If reading the article noted above gives you pause, you should check out the offerings from Cyber-Ark and Lieberman Software. It might help you sleep better at night.

EVENTS: This week (May 18-21) I'm at Novell's BrainShare in Amsterdam. Say "Hi" if you see me.

Read more about security in Network World's Security section.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News