Ensuring On-Demand and Run-Time Access

By Robert Grapes  |  Posted 2010-01-18

4. Ensuring on-demand and run-time access

In addition to provisioning resources for privileged accounts, system, network and application administrators and developers need access to privileged accounts to connect to systems and to update software, change configurations and manage other accounts or services. This is no different for virtual systems.

Using automated security systems allows organizations to define policies and automate the release of access credentials at the point of use, limiting the exposure of the credentials to mitigate risks and potential breaches. Individuals authenticating to the privileged account management solution can be traced to the account usage on the target system, meeting audit requirements.

While programs and scripts require access to passwords to connect to back-end systems such as databases, file transfer systems and other machines, these passwords are typically hard-coded or embedded within the programs themselves, or stored in files or registry settings. Security systems must provide the means to strongly authenticate and authorize the release of critical passwords to unattended programs operating on physical or virtual machines to minimize the risk of a breach.
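As an added illustration that is not part of the original article, the following Python sketch shows what authenticating and authorizing a credential release to an unattended program looks like: the program proves its identity with an HMAC over the request, the broker checks freshness, replay and policy before handing out the password, and every decision is logged so the usage traces back to the requester. The client names, keys, accounts and passwords are constructed samples, and the broker is a stand-in for a real privileged account management service.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: an out-of-band enrolled client key, its policy, and vault contents.
ETL_KEY = b"constructed-demo-key-for-batch-etl"
CLIENT_KEYS = {"batch-etl": ETL_KEY}
POLICY = {"batch-etl": {"erp-db/app_reader"}}
VAULT = {"erp-db/app_reader": "constructed-pw-1", "erp-db/sa": "constructed-pw-2"}


def sign(key, client_id, target_account, ts, nonce):
    """HMAC over the request fields so the broker can authenticate the caller."""
    msg = f"{client_id}|{target_account}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CredentialBroker:
    """Stand-in for the privileged account management service the text describes."""
    def __init__(self, client_keys, policy, vault, max_skew=60):
        self._keys, self._policy, self._vault = client_keys, policy, vault
        self._max_skew, self._seen_nonces, self.audit_log = max_skew, set(), []

    def _audit(self, client_id, target_account, outcome):
        # Every decision is logged so account usage traces back to the requester.
        self.audit_log.append((client_id, target_account, outcome, int(time.time())))

    def request_credential(self, client_id, target_account, ts, nonce, mac):
        """Release a password only to an authenticated, authorized, fresh request."""
        key = self._keys.get(client_id)
        if key is None or not hmac.compare_digest(
                sign(key, client_id, target_account, ts, nonce), mac):
            outcome = "denied: authentication failed"
        elif abs(time.time() - ts) > self._max_skew or nonce in self._seen_nonces:
            outcome = "denied: stale or replayed request"
        elif target_account not in self._policy.get(client_id, set()):
            outcome = "denied: not authorized by policy"
        else:
            outcome = "granted"
            self._seen_nonces.add(nonce)  # a signed request can be used once
        self._audit(client_id, target_account, outcome)
        return self._vault[target_account] if outcome == "granted" else None


def checkout(broker, client_id, client_key, target_account, nonce=None):
    """Client side: fetch the password at run time instead of embedding it in code."""
    ts, nonce = int(time.time()), nonce or secrets.token_hex(8)
    mac = sign(client_key, client_id, target_account, ts, nonce)
    return broker.request_credential(client_id, target_account, ts, nonce, mac)


BROKER = CredentialBroker(CLIENT_KEYS, POLICY, VAULT)
```

The password never sits in the program's source, a file or a registry key; it exists in the process only for the duration of the connection it is fetched for.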

5. Delivering service for privileged access management

To complete the picture of a VM environment, it is necessary to deliver the privileged account management services on a virtual platform. As VMs are dynamically provisioned within an enterprise to scale to business demand, the capacity of the security systems must scale in parallel. To prevent capacity problems, security systems must be able to provision additional virtual services as needed. The virtual enterprise must monitor the performance of each virtual instance of the security systems to trigger automatic provisioning and de-provisioning of services in concert with changes in demand. To maintain performance, automated privileged account management systems must:

- Replicate credentials to and from each virtual instance of the system,

- Load-balance requests for credentials among the virtual servers, and

- Distribute the workload among each virtual node, as required.

Operating these solutions within a virtual environment as a service poses the same security challenges for the authentication system as it does for any of the virtual systems it supports.

Robert Grapes is Chief Technologist at Cloakware. Robert has more than 17 years of professional experience in the technology sector. Prior to joining Cloakware in 2004, Robert worked at Entrust Technologies as a software toolkit product manager, at Cognos in vertical analyst relations, and at Allen-Bradley as a control systems automation developer. Robert's expertise on enterprise security and Governance, Risk Management and Compliance (GRC) has enabled many government and financial service organizations to meet their audit requirements for PCI-DSS, FISMA, FERC and other regulations. He can be reached at robert.grapes@cloakware.com.
