Industry analysis by Beth Schultz, plus the latest news headlines.
Sensational stories of disgruntled IT workers wreaking havoc on company systems could drive security managers to upgrade their identity and access management policies, but compliance and ease-of-management are also drawing enterprise IT groups to consider privileged user management technologies.
Enterprise IT security and systems administrators today deal with ever-changing, complex environments that fall under intense scrutiny from auditors seeking to prove regulatory compliance. Such demands drive up the need for fine-grained access controls and sensitive user management, industry watchers say.
“As organizations grow in size and complexity, the number of administrators accessing sensitive systems or data grows as well. Spreadsheets, sealed envelopes, printouts, sticky notes, and other old-fashioned ways of managing access and passwords on sensitive systems don't scale, don't provide sufficient levels of security, and don't provide enough auditing details that today's auditors require,” reads a Forrester Research report.
And as complexity grows, so does the potential for insider threat, says Andras Cser, a senior analyst with Forrester. He says nearly 50% of breaches occur inside companies’ firewalls, both intentionally and accidentally, and most likely because IT groups are unable to set policies that ensure separation of duties with outdated technologies. Companies such as BeyondTrust, e-DMZ, Cloakware, Lieberman Software and Cyber-Ark today work to advance access control tools to enable security teams to safeguard their networks from internal threats. Such tools create and monitor passwords, eliminating the practice of multiple administrators logging on with the same user ID and password.
“There are cases in which developers have access to systems that violates compliance and security best practices, but it is difficult to track because environments get so complex,” Cser says. “And compliance requires now that companies show who has access to what, when and why. That all has to be documented for auditors.”
The products keep passwords in a vault of sorts, and monitor access from multiple parties. The technology can automate password changes to keep systems more secure and track the workflow of changes made and by whom in the IT group. And many of the tools provide software development kits or adapters to applications and systems to help IT encompass as many password-safe systems in the management approach as possible.
Privileged identity management tools can help companies better manage administrator access, user names and passwords, but they are not without their challenges. For one, Cser says vendors need to provide integration across systems, as BeyondTrust says it has done with its PowerKeeper 4.0 product that works with Windows, Unix and Linux environments. Tools also need to be able to scale for large environments without losing performance. And vendors must incorporate access controls on network devices, databases and other IT systems beyond servers to truly secure an environment.
Schultz is a longtime IT journalist.