Privileged user management: Who is watching the watchers?

Advanced identity and access management technologies keep those trusted with protecting the network in check and in compliance.

Companies such as BeyondTrust, Cloakware, Cyber-Ark, e-DMZ and Lieberman Software offer products that help security managers put safeguards in place so that no single administrator holds too much power in the IT environment.

Sensational stories of disgruntled IT workers wreaking havoc on company systems could drive security managers to upgrade their identity and access management policies, but compliance and ease-of-management are also drawing enterprise IT groups to consider privileged user management technologies.


Enterprise IT security and systems administrators today deal with ever-changing, complex environments that fall under intense scrutiny from auditors seeking to prove regulatory compliance. Such demands drive up the need for fine-grained access controls and sensitive user management, industry watchers say.

“As organizations grow in size and complexity, the number of administrators accessing sensitive systems or data grows as well. Spreadsheets, sealed envelopes, printouts, sticky notes, and other old-fashioned ways of managing access and passwords on sensitive systems don't scale, don't provide sufficient levels of security, and don't provide enough auditing details that today's auditors require,” reads a Forrester Research report.

And as complexity grows, so does the potential for insider threat, says Andras Cser, a senior analyst with Forrester. He says nearly 50% of breaches occur inside companies’ firewalls, both intentionally and accidentally, and most likely because IT groups are unable to set policies that ensure separation of duties with outdated technologies. Companies such as BeyondTrust, e-DMZ, Cloakware, Lieberman Software and Cyber-Ark today work to advance access control tools to enable security teams to safeguard their networks from internal threats. Such tools create and monitor passwords, eliminating the practice of multiple administrators logging on with the same user ID and password.

“There are cases in which developers have access to systems that violates compliance and security best practices, but it is difficult to track because environments get so complex,” Cser says. “And compliance requires now that companies show who has access to what, when and why. That all has to be documented for auditors.”

The products keep passwords in a vault of sorts, and monitor access from multiple parties. The technology can automate password changes to keep systems more secure and track the workflow of changes made and by whom in the IT group. And many of the tools provide software development kits or adapters to applications and systems to help IT encompass as many password-safe systems in the management approach as possible.
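As an added illustration, not code from the original article or from any of the products it names, the following Python sketch shows the three mechanics the paragraph describes: administrators check a shared account's password out under their own name instead of logging in with one common user ID, every grant or denial goes to an audit log that records who, when and why, and the password is rotated automatically when it is checked back in. Account and administrator names are constructed for the example.

```python
import secrets
import string
from datetime import datetime, timezone

class PrivilegedPasswordVault:
    """Illustrative check-out/check-in vault for shared admin accounts: named
    access instead of a shared login, an audit trail, rotation on return."""

    def __init__(self, approved):
        self._approved = approved    # account -> set of admins allowed to use it
        self._passwords = {}         # account -> current password
        self._checked_out = {}       # account -> admin currently holding it
        self.audit_log = []          # one dict per event, oldest first

    def _log(self, event, account, admin, reason=""):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "account": account,
                               "admin": admin, "reason": reason})

    @staticmethod
    def generate_password(length=24):
        alphabet = string.ascii_letters + string.digits + "!#%+-.:=@_"
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def onboard(self, account):
        # Replace whatever password the account had with a vault-managed one.
        self._passwords[account] = self.generate_password()
        self._log("onboard", account, "vault")

    def checkout(self, account, admin, reason):
        if admin not in self._approved.get(account, set()):
            self._log("denied", account, admin, reason)
            raise PermissionError(f"{admin} is not approved for {account}")
        if account in self._checked_out:
            raise RuntimeError(f"{account} is held by {self._checked_out[account]}")
        self._checked_out[account] = admin
        self._log("checkout", account, admin, reason)
        return self._passwords[account]

    def checkin(self, account, admin):
        if self._checked_out.get(account) != admin:
            raise RuntimeError(f"{admin} does not hold {account}")
        del self._checked_out[account]
        # Rotate on return: the password the admin saw no longer works.
        self._passwords[account] = self.generate_password()
        self._log("checkin-rotate", account, admin)

    def access_history(self, account):
        # Who used the account, when and why: the record auditors ask for.
        return [(e["admin"], e["ts"], e["reason"]) for e in self.audit_log
                if e["account"] == account and e["event"] == "checkout"]
```

A production vault would additionally encrypt the stored passwords at rest and push the rotated value to the target system through an adapter, which this sketch leaves out.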

Privileged identity management tools can help companies better manage administrator access, user names and passwords, but they are not without their challenges. For one, Cser says, vendors need to provide integration across systems, as BeyondTrust says it has done with its PowerKeeper 4.0 product, which works with Windows, Unix and Linux environments. Tools also need to scale to large environments without losing performance, and vendors must extend access controls to network devices, databases and other IT systems beyond servers to truly secure an environment.

“Organizations need to grant certain administrators privileged access to sensitive systems; administrators for Windows domain controllers, Unix root, network devices and databases are prime examples. Organizations must also make such access available in a cost-effective and timely fashion to enable system administrators to address production issues and perform regular maintenance activities,” the Forrester Research report reads.

Interested in freeware and shareware, open source applications and scaled down versions of commercial software and services? In the coming weeks, Network World will devote an online forum to the topic of free techie stuff, which I will compile and present for your review and potential download. Let me know what you find, what you want to hear more about and what invaluable tools that didn’t cost you a thing at


Copyright © 2009 IDG Communications, Inc.