Super users may use their powers for good most of the time, but every now and again, an insider breach will remind us how important keeping track of super users and shared accounts truly is.
According to a survey performed in summer 2008 by the IOUG (Independent Oracle Users Group), almost a third of the 316 IOUG members who responded said users can bypass applications and gain access to application data in the database directly using ad hoc tools. Nearly four in 10 said super-user data abuse in their organization cannot be monitored.
Keeping track of super users and shared accounts is important for accountability, Burton Group analyst Mark Diodati said. Unfortunately, however, many organizations simply don’t know for sure who has access to shared passwords.
“They might have 15 system administrators, for example, who have access to the root password, but that doesn’t mean those are the only 15 people that know it,” Diodati explained.
Part of the problem is that some operating systems, routers and databases ship with super-user passwords hard-coded into them. Over time, those passwords become more widely known among employees through the grapevine. In other cases, as Lieberman Software’s Chris Stoneff pointed out in an article for Microsoft TechNet, enterprises tell the IT department’s entire staff what a password is. The more people who know a secret, the more likely it will become public knowledge, he wrote.
“If all of those people who know the passwords still work for the company and are otherwise happy and dutiful employees, this access risk is slightly mitigated,” Stoneff wrote. “But you never know when you might have a malicious user to contend with. If any of those users have left the company on bad terms, you have a loose, hostile element that knows how to break into your network using an otherwise untraceable account.”
When it comes to dealing with these issues, a good approach is to rotate shared passwords regularly, so that any given password is known for a short time and to as few people as possible, and to record who retrieved it while it was valid. There are privileged account management products available that can automate this process.
According to Gartner, the market for SAPM (shared account password management) tools is one of the fastest-growing segments of the identity and access management market. By 2010, the analyst company predicts that more than half of large organizations will be using SAPM tools.
Passlogix, for example, on Oct. 29 released v-Go Shared Accounts Manager, which enables shared credentials to be securely stored and retrieved and provides authorization and usage tracking. Stephane Fymat, vice president of strategy and product management at Passlogix, said enterprises need to make sure they have the proper procedures in place so that only the appropriate people have access to shared IDs, even if it is only in paper format and applied manually.
“[Also,] apply the same password policies as you do to conventional passwords, to the extent possible,” Fymat advised.
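As an added illustration of the controls the preceding paragraphs describe (this is example code written for this page, not code from the article or from any product it mentions), the Python sketch below models a shared-account vault: check-out only by authorized users, the same password policy applied to the shared credential as to ordinary passwords, rotation on check-in and on age, and an audit trail that can answer the question of who currently knows a password. The account name, user names and policy values are constructed for the example.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Password policy for shared accounts (assumed values for illustration):
# the same kind of rule a site applies to conventional user passwords.
POLICY_MIN_LEN = 16
SPECIALS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
MAX_AGE_SECONDS = 24 * 3600  # rotate any shared password older than a day


def meets_policy(pw: str) -> bool:
    """Minimum length plus all four character classes."""
    return (len(pw) >= POLICY_MIN_LEN
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def generate_password(length: int = 24) -> str:
    """CSPRNG-generated password; resample until it satisfies the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


@dataclass
class SharedAccount:
    name: str                    # e.g. "db01/root" (constructed sample name)
    authorized: Set[str]         # people allowed to check this account out
    password: str = field(default_factory=generate_password)
    last_rotated: float = field(default_factory=time.time)
    checked_out_by: Optional[str] = None
    known_to: Set[str] = field(default_factory=set)  # retrieved it since last rotation


class SharedAccountVault:
    """Minimal shared-account password manager: authorized check-out,
    rotation on check-in and on age, and an audit trail."""

    def __init__(self) -> None:
        self.accounts: Dict[str, SharedAccount] = {}
        # (timestamp, event, user, account)
        self.audit: List[Tuple[float, str, str, str]] = []

    def _log(self, event: str, user: str, account: str) -> None:
        self.audit.append((time.time(), event, user, account))

    def register(self, name: str, authorized: Set[str]) -> None:
        self.accounts[name] = SharedAccount(name=name, authorized=set(authorized))
        self._log("register", "-", name)

    def check_out(self, user: str, name: str) -> str:
        """Hand the current password to an authorized user and record it."""
        acct = self.accounts[name]
        if user not in acct.authorized:
            self._log("denied", user, name)
            raise PermissionError(f"{user} is not authorized for {name}")
        if acct.checked_out_by is not None:
            self._log("denied-busy", user, name)
            raise RuntimeError(f"{name} is already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        acct.known_to.add(user)
        self._log("checkout", user, name)
        return acct.password

    def check_in(self, user: str, name: str) -> None:
        """Return the account; the password is rotated so it is no longer useful."""
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise RuntimeError(f"{name} is not checked out by {user}")
        acct.checked_out_by = None
        self._log("checkin", user, name)
        self._rotate(acct, user)

    def _rotate(self, acct: SharedAccount, actor: str) -> None:
        acct.password = generate_password()
        acct.last_rotated = time.time()
        acct.known_to.clear()   # nobody has seen the new value yet
        self._log("rotate", actor, acct.name)

    def rotate_stale(self, now: Optional[float] = None,
                     max_age: float = MAX_AGE_SECONDS) -> List[str]:
        """Scheduled job: rotate idle accounts whose password is older than max_age."""
        now = time.time() if now is None else now
        rotated = []
        for acct in self.accounts.values():
            if acct.checked_out_by is None and now - acct.last_rotated > max_age:
                self._rotate(acct, "scheduler")
                rotated.append(acct.name)
        return rotated

    def who_knows(self, name: str) -> Set[str]:
        """Users who have retrieved the password since it was last rotated."""
        return set(self.accounts[name].known_to)


if __name__ == "__main__":
    vault = SharedAccountVault()
    vault.register("db01/root", {"alice", "bob"})
    pw = vault.check_out("alice", "db01/root")
    print("alice holds db01/root; known to:", vault.who_knows("db01/root"))
    vault.check_in("alice", "db01/root")
    print("after check-in, known to:", vault.who_knows("db01/root"))
    for ts, event, user, account in vault.audit:
        print(f"{ts:.0f} {event:<10} {user:<10} {account}")
```

The point of rotating on check-in is that the audit trail, not the grapevine, bounds who knows the live password: `who_knows` is exactly the set of people who checked the account out since the last rotation, and it empties as soon as the password changes. In a real deployment the rotation step would also push the new password to the target system (database, router, OS), which this sketch leaves out.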
Diodati recommended that enterprises also consider strong authentication such as RSA SecurID tokens for privileged users.