Super users may use their powers for good most of the time, but every now
and again, an insider breach will remind us how important keeping track of
super users and shared accounts truly is.
According to a survey
performed in summer 2008 by the IOUG (Independent Oracle Users Group),
almost a third of the 316 IOUG members who responded said users can bypass
applications and gain access to application data in the database directly using
ad hoc tools. Nearly four in 10 said super-user data abuse in their
organization cannot be monitored.
Keeping track of super users and shared accounts is important for
accountability, Burton Group analyst Mark Diodati said. Unfortunately, however,
many organizations simply don't know for sure who has access to shared
passwords.
"They might have 15 system administrators, for example, who have access
to the root password, but that doesn't mean those are the only 15 people that
know it," Diodati explained.
Part of the problem is that some operating systems, routers and databases
have super-user passwords hard-coded into them. Over time, those passwords can
become more widely known by employees through the grapevine. In other cases, as
Lieberman Software's Chris Stoneff
pointed out in an article for Microsoft TechNet, enterprises tell the
IT department's entire staff what a password is. The more people who know a
secret, the more likely it will become public knowledge, he wrote.
"If all of those people who know the passwords still work for the
company and are otherwise happy and dutiful employees, this access risk is
slightly mitigated," Stoneff wrote. "But you never know when you
might have a malicious user to contend with. If any of those users have left
the company on bad terms, you have a loose, hostile element that knows how to
break into your network using an otherwise untraceable account."
When it comes to dealing with these issues, a good approach is to regularly
change shared passwords and reduce the chance that knowledge of the current
password will be widespread. There are privileged account management products
available that can automate this process.
According to Gartner, the market for SAPM (shared account password
management) tools is one of the fastest-growing segments of the identity and
access management market. By 2010, the analyst company predicts that more than
half of large organizations will be using SAPM tools.
Passlogix, for example, on Oct. 29 released v-Go Shared Accounts Manager,
which enables shared credentials to be securely stored and retrieved and
provides authorization and usage tracking. Stephane Fymat, vice president of
strategy and product management at Passlogix, said enterprises need to make
sure they have the proper procedures in place so that only the appropriate
people have access to shared IDs, even if it is only in paper format and
applied manually.
"[Also,] apply the same password policies as you do
to conventional passwords, to the extent possible," Fymat advised.
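The controls the article describes for shared IDs (store the credential, release it only to entitled people, track every use, rotate it so the released value does not stay widely known, and apply a conventional password policy) can be sketched as a small check-out/check-in broker. This is an added illustration, not code from Passlogix or any product named in the article; the `SharedAccountVault` class, its entitlement map and the account name `root@db01` are all constructed for the example.

```python
import secrets
import string
from datetime import datetime, timezone

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_password(length=24):
    """Random password meeting a conventional complexity policy (mixed case,
    digit, symbol), so shared IDs get the same rules as ordinary user IDs."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

class SharedAccountVault:
    """Hypothetical check-out/check-in broker for shared (super-user) credentials:
    only entitled users can retrieve a password, every request is logged, and the
    password is rotated on check-in so the released value stops working."""

    def __init__(self, entitlements):
        self._entitlements = entitlements   # account -> set of users allowed to check it out
        self._passwords = {}                # account -> current password
        self.audit = []                     # usage-tracking trail

    def _log(self, event, account, user, **extra):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "event": event, "account": account, "user": user, **extra})

    def enroll(self, account):
        self._passwords[account] = generate_password()

    def checkout(self, account, user, reason):
        if user not in self._entitlements.get(account, set()):
            self._log("denied", account, user, reason=reason)
            raise PermissionError(f"{user} is not entitled to {account}")
        self._log("checkout", account, user, reason=reason)
        return self._passwords[account]

    def checkin(self, account, user):
        # Rotating on check-in is what keeps the current password from becoming
        # widespread knowledge; a real SAPM tool would also push the new value
        # to the target system (constructed model, that step is omitted here).
        self._passwords[account] = generate_password()
        self._log("checkin_rotated", account, user)

    def verify(self, account, password):
        return secrets.compare_digest(self._passwords[account], password)
```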
Diodati recommended that enterprises also consider
strong authentication such as RSA SecurID tokens for privileged users.