Gartner IAM: A Perfect Storm for Privileged User Management?
Privileged user risks were a high priority for both analysts and practitioners at the recently concluded Gartner Identity and Access Management conference in Las Vegas.
A “perfect storm” of events is driving requirements for privileged account management solutions, like Xsuite, according to Perry Carpenter, Gartner Research Director. A central issue Carpenter has identified is a level of frustration with general identity and access management (IAM) technology, which has proven ineffective at dealing with privileged accounts.
Auditors were another factor cited by Carpenter, who noted they are increasingly educated about and aware of privileged user risks and solutions — and they’re asking why organizations aren’t looking at the problem. “We’re seeing a lot of audit-driven requirements that are forcing people to look at tools in addition to best practices,” he said.
Regulatory pressures were cited by Lori Rowland, Gartner Managing VP, as another “weather pattern” contributing to Carpenter’s perfect storm. “In the last six months, I’ve heard more about regulatory pressures around privileged accounts than ever before,” Rowland noted.
Carpenter and Rowland joined Gartner analysts Nick Nikols and Ant Allen in a Town Hall meeting that provided an opportunity for practitioners to pose questions about a range of privileged access management topics.
Nikols underscored another issue: risk. “There’s a new realization that you really have to keep track of what your administrators are doing, and really have a better understanding of that, where for a long time there’s been a ‘blind trust.’ But a lot of the breaches, a lot of the internal conflicts that have happened where it’s costing companies large amounts of money, have really come from trusted sources internally that have abused those privileges,” Nikols stated.
Monitoring is another aspect of privileged access management seeing increased interest, according to Allen. He observed, “More and more clients are thinking about the monitoring aspect of this…one of the issues is there is a desire to do monitoring as a detective and corrective control in addition to password management, session management, and privilege management.”
Cloud and Virtualization Drive Evolving Requirements
While privileged access management has been a long-standing issue for organizations, Rowland pointed to changes in requirements due to virtualization and cloud computing. “The use cases are evolving, and like so many things we’ve talked about, the cloud has an influence on that, and so does virtualization,” she said.
Rowland went on to say, “Of course, with virtualization, privileged account management and maintaining separation of duties in that environment is a pretty complex problem.” Risk is also a factor. “If you get privileged access at the hypervisor level you can do a whole lot more damage than just getting access to a single application,” she said.
Cloud and virtual technologies were the focus of a separate, dedicated session hosted by Rowland, called Privileged Account Management: Gaining Relevance in the Age of Virtualization. She kicked off the session by underscoring the issue of risk. “If you look at a lot of the press that’s out there, and you look at the breaches that have gone on, it is often someone who had system-level access and that was not managed appropriately,” she said.
Lori Rowland, Gartner Managing Vice President, offered conference attendees recommendations on managing privileged users:
- Identify all users with superuser privileges across all platforms.
- Inventory all shared superuser accounts and who uses them.
- Review business and operational needs and management practices.
- Establish policy and processes for managing privileged account activity.
- Invest in appropriate SUPM, SAPM and monitoring capabilities. (These aren’t always discrete tools.)
- Implement risk-appropriate authentication.
According to Rowland, security remains a top barrier to adoption of cloud and virtualization services. She outlined a number of issues that increase the complexity of security in the cloud and virtual environments. The virtual infrastructure may not be controlled through physical security restrictions in the ways we’ve come to expect in traditional data centers. Often, the number of managed services and applications is multiplied — increasing the scope and scale of the challenge. Other complicating issues are the highly automated, complex, and dynamic nature of cloud and virtual environments, and the fact that service providers may not provide visibility into their security controls.
The potential impact of a breach or incident in virtual environments is often much wider than in the physical world, Rowland explained. “In a virtualized world, privileged users can easily access multiple systems; delete, start, and stop virtual machines; revert VMs to earlier versions; and copy VMs to offline storage devices,” she said.
Xceedium at the Conference
The Xceedium team was on hand at the conference to meet with individuals and discuss its privileged identity and access management solution, Xsuite. As was pointed out in analyst presentations, organizations have begun to focus on the challenges of managing privileged users in cloud and virtual architectures. Xceedium’s Xsuite is the only privileged access management solution capable of providing native support across the entire hybrid-cloud infrastructure.
Xsuite was also highlighted in a session on Amazon Web Services’ (AWS) Identity and Access Management (IAM) service as a third-party tool that aids in administering the sometimes complex AWS environment. Analyst Mary Ruddy noted that existing IAM products won’t help with AWS IAM, and pointed to Xsuite’s capabilities to support federated user policy management and to act as an identity broker as an exception.