Click here to close now.


News Feed Item

Three Ways CXOs Can Avert Super-User Security Threats with Privileged Account Management

Today, on Cyber Monday, online retailers and banks are bracing for the likelihood of increased data breaches and security threats, while online shoppers are taking extra precautions to protect personal information. Every day, Americans trust that the corporate and government IT systems handling their critical identity information, such as credit card numbers, social security numbers and tax returns, are equipped with appropriate security measures to keep personal data safe. Heightening awareness of potential security risks is an essential step to thwarting malicious attacks. All too often, however, public and private entities must also recognize that even more risky exposure exists when administrative privilege is exploited, regardless whether by external adversaries or internal threats. Quest Software (now part of Dell) has a deep understanding of the problems organizations face when they don’t properly control and audit administrative access and “super-user” accounts.

According to a survey conducted earlier this year at The Experts Conference, an annual gathering of global IT pros co-sponsored by Quest and Microsoft, half of the responding organizations reported that their No. 1 compliance issue is ensuring correct user access rights (including privileged user access). In the case of managing privileged accounts, this challenge intensifies when administrators are given the “keys to the kingdom,” with far-reaching, shared anonymous access rights to vital IT systems. In the private sector, failure to manage access to information and compliance with security mandates can mean lost revenues, failed audits and damage to the brand. In government, managing user access rights represents a high stakes game in which getting out ahead of emerging threats is a matter of national security. To this point, Privileged Account Management is noted in many security standards, including ISO 27001 and NIST 800-53. A new report developed by Enterprise Management Associates, on behalf of Quest, identifies inadequate administrative access controls as “one of the most egregious IT risk gaps in many organizations.”

The report, “Why You Need to Consider Privileged Access Management (And What You May Not Know About It That You Should),” examines some of the most common excuses companies give to justify this oversight, and offers useful insight into how modern Privileged Account Management (PAM) practices and corresponding technology solutions can close the risk gap with flexible policy control, automated workflows and comprehensive reporting to enhance security, achieve compliance and improve efficiency.

To further help CXOs avert these all-to-common security risks, Quest offers three pragmatic tips:

1. Assign individual accountability to super-user activity

Shared and unmanaged administrative access is more than just a bad idea—it’s one of the fastest and easiest ways to expose an organization to undue risk, especially since these super-user accounts typically have extensive power over IT operating systems, applications, databases, etc. With shared accounts, any security or compliance breach can be traced back only to the account, and not to an individual administrator using that account.

A much better approach to risk containment involves granting administrators access rights only to what they need, as they need it, nothing more or less. Credentials should be issued only on an as-needed basis, accompanied by a full audit trail of who used them, who approved the use, what they did with them, as well as how and why they received them – and the password should be immediately changed once the use is completed. The ability to automate and secure this entire process is an effective way to manage administrative access across an entire organization. Similarly, PAM is essential to enabling federal, state and local agencies to work together, and can make or break government-wide information sharing and collaboration.

2. Implement and enforce a “least privilege” security stance for administrative access

Many administrative accounts, including those for Unix root, Windows or Active Directory admin, DBA, etc., provide unlimited permissions within their scope of control, and, when shared, open the door for malicious activity. For example, the widely publicized security breach at Fannie Mae involved an employee who used this type of super-user access to maliciously plant a logic bomb that, if undiscovered, would have crippled the entire organization and compromised the personal and financial information of approximately 1,100 people.

A more prudent approach is to establish a policy that clearly defines what each administrator (or administrator role) can and cannot do with their access. Since this process can be complicated and often difficult to enforce across diverse systems, Quest recommends the addition of granular delegation tools that are optimized for the designated platforms, and integrated with other PAM technologies such as a privilege safe, multifactor authentication or Active Directory bridge.

3. Reduce privileged account management complexity

One of the overarching PAM challenges comes from navigating diverse IT systems, each with their own unique capabilities and requirements for privileged account management. This often results in the use of specialized tools, along with ad-hoc policies and practices to control privileged account access. Unfortunately, this approach frequently complicates the audit process, making it difficult to prove that all access is controlled and that separation-of-duties principles are established and enforced.

For that reason, consolidating disparate systems into a common identity structure creates an environment where a single PAM approach can be readily enforced with greater consistency across a much larger portion of an organization, eliminating errors borne from multi-system complexity, reducing risk and lowering the expense of managing multiple systems. In addition, any consolidation of PAM capabilities under a common management and reporting interface provides enhanced efficiency.

The EMA report referenced above indicates that organizations focused on achieving a high level of discipline in configuration and change management tend to have better outcomes, not only in lower incidences of disruptive security events, but in better IT reliability, less unplanned IT work, more successful IT changes, higher server-to-system administrator ratios, and more IT projects completed on time and within budget.

Quest® One Identity Solutions Centralize and Simplify Privileged Account Management

Quest Software provides a modular, yet integrated, approach to identity and access management, specifically Privileged Account Management that controls insider threats and improves IT efficiency, as it enables organizations to eliminate the dangers of unchecked super-user access, adverse audit findings, direct penalties, and negative press exposure.

Supporting Quotes:

Jackson Shaw, senior director of product management, Quest Software
“Privileged Account Management will be one of the fastest-growing areas of IAM over the next few years, for good reason. Most of the recent high-profile security breaches, including the UBS Paine Webber attack and the City of San Francisco breach, happened due to lack of control over privileged accounts. What’s more, these breaches do not discriminate; they can cause equally horrific damage to any organization, no matter how large or small. It’s time for companies to take note of the severe security risk posed by poor PAM practices, and seek out a comprehensive solution befitting the task. Quest One offers a complete set of PAM capabilities, providing comprehensive controls in a flexible, modular architecture.”

Scott Crawford, Enterprise Management Associates (EMA)
“Poor controls over administrative access have resulted in real damage. PAM capabilities can help mitigate such risks and improve controls, through techniques such as ‘privilege safe’ technologies that deliver a more disciplined approach to control that supports responsible IT governance. Quest helps IT improve performance and reduce support costs by closing one of the most readily managed gaps of all: the weakness exposed when individuals have broad, anonymous, and unmonitored administrative access to the most sensitive capability in IT.”

Supporting Resources:

About Quest Software (now a part of Dell)

Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative technology and services that give them the power to do more. Quest, now a part of Dell’s Software Group, provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit or

RSS Feeds:

Technorati Tags:
Quest Software

Dell is a trademark of Dell Inc. Dell disclaims any proprietary interest in the marks and names of others.

Quest, Quest Software, and the Quest logo are trademarks or registered trademarks of Quest Software in the United States and certain other countries. All other names mentioned herein may be trademarks of their respective owners.

More Stories By Business Wire

Copyright © 2009 Business Wire. All rights reserved. Republication or redistribution of Business Wire content is expressly prohibited without the prior written consent of Business Wire. Business Wire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.

Latest Stories
Actifio is powering new application development and testing services from Net3 Technologies (N3T), a managed cloud services provider. N3T's new Symmetry DevOps™ service builds on its existing Palmetto Virtual Data Center (PvDC) Cloud services for data backup and disaster recovery (DR) based on the Actifio Copy Data Virtualization platform. Previously, N3T's data protection and DR services were challenged by overlapping and inefficient legacy hardware and software platforms from multiple vendo...
Most of the IoT Gateway scenarios involve collecting data from machines/processing and pushing data upstream to cloud for further analytics. The gateway hardware varies from Raspberry Pi to Industrial PCs. The document states the process of allowing deploying polyglot data pipelining software with the clear notion of supporting immutability. In his session at @ThingsExpo, Shashank Jain, a development architect for SAP Labs, discussed the objective, which is to automate the IoT deployment proces...
The cloud. Like a comic book superhero, there seems to be no problem it can’t fix or cost it can’t slash. Yet making the transition is not always easy and production environments are still largely on premise. Taking some practical and sensible steps to reduce risk can also help provide a basis for a successful cloud transition. A plethora of surveys from the likes of IDG and Gartner show that more than 70 percent of enterprises have deployed at least one or more cloud application or workload. Y...
Countless business models have spawned from the IaaS industry – resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his general session at 17th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, an IBM Company, broke down what we have to work with, discussed the benefits and pitfalls and how we can best use them ...
In demand-intensive mobile and web applications, an emerging pattern is to host the Systems of Engagement in the cloud (for maximum responsiveness) but keep the Systems of Record with the other important business systems in the company datacenter, often on a tightly secured mainframe. But what about the space in between? In this IBM Redpaper publication, we show that the IBM Bluemix cloud platform offers technologies that make it easy for cloud-based SoEs to securely connect to on-premises IBM...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
Container technology is shaping the future of DevOps and it’s also changing the way organizations think about application development. With the rise of mobile applications in the enterprise, businesses are abandoning year-long development cycles and embracing technologies that enable rapid development and continuous deployment of apps. In his session at DevOps Summit, Kurt Collins, Developer Evangelist at, examined how Docker has evolved into a highly effective tool for application del...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound...
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNu...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user e...