« Securing SaaS: A Live Podcast With Michael T. Donaldson of Ping Identity | Main | Beware the Point-of-Sale Data Attack: A Podcast with Tripwire »

An interesting discussion has popped up on Jackson Shaw's blog about superuser accounts, which are essentially the admin accounts that much have universal access. And while a companies access and identity management might be top notch, and the entire system hardened from outsider attacks, if the superuser or privileged accounts aren't taken care of, that company is ripe for an insider attack.

The discussion on Jackson's blog is primarily about why many large IAM (Identity and Access Management) solutions don't also include a solution for superuser accounts. Some say because it's not a big enough market, or they believe that it should be a separate and distinct product, and even the ones that are building a solution (FYI, Apple has done a good job with Mac OS X) are building kernel-intrusive tools to manage the problem. As Jackson Shaw wonders, why don't they simply solve the problem at the very beginning?

At the IAM summit I had the chance to meet with e-DMZ, and their superuser solution, which they call the Shared Account Password Solution (SAPM). The first question I had for them was whether a buy-out was in the works, but while they did give me quick smile, they offered no comment. Talking about how they had developed the solution, Kris Zupan, the CEO of e-DMZ, said he had worked at a big bank a long time ago and was put in charge of the shared user passwords. He said he would have to get someone to open a big safe, pull out a large pile of shared account passwords, and when he was finished with them, put them right back.

And while that worked all right for awhile, once the system grew -- as all systems do -- it became totally unworkable (unless, of course, the bank had invested in a much bigger safe, at which point he would have been at a convention called 'Bigger Safes and Security Boxes'). So he developed the e-DMZ solution, which you can check out right here.

According to Ant Allan's presentation at the Gartner conference, baring an external solution, the best way to manage privileged accounts are as follows (this comes from Jackson Shaw's blog, and who works for Quest):

* Minimize the number of users with full superuser privileges
* Eliminate shared passwords for shared accounts - Indeed
* Eliminate hard-coded passwords for service accounts - Yes, please! Hearing that someone had one hard-coded for 18 years made my stomach turn.
* Look for tools from your preferred IAM vendors - Don't hold your breath.

Posted by pschooff in |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2886