
MANAGING PRIVILEGED ACCOUNTS

A Spire Research Report February 2005


By Pete Lindstrom, Research Director

Spire Security, LLC P.O. Box 152 Malvern, PA 19355 www.spiresecurity.com

______________________________________________________Managing Privileged Accounts

Executive Summary
Enterprises continue to distribute their computing architectures. For every new device, operating system, piece of middleware, or other component, there is a set of privileged accounts used by administrators and operators. Privileged accounts provide deep access into the computing environment: admin accounts allow unfettered access to files, programs, and data. If they aren't properly protected and managed, they represent a significant risk to any organization.

But privileged accounts aren't easy to manage. They are usually shared among many people, sometimes left with default passwords, and generally unkempt. Enterprises with strong control over privileged accounts often suffer from the high cost of that control: password retrieval may require the participation of multiple individuals, and homegrown scripts must be maintained, often creating a productivity challenge.

This white paper discusses privileged passwords. It outlines the strengths and weaknesses of the high-risk approach to password management and of the high-security approach. Finally, it provides a strategy for combining the best characteristics of both in a real-world, shared-password environment.

About Spire Security


Spire Security, LLC conducts market research and analysis of information security issues. Spire provides clarity and practical security advice based on its Four Disciplines of Security Management, a security reference model that incorporates and relates the functions of identity management, trust management, threat management, and vulnerability management. Spire's objective is to help refine enterprise security strategies by determining the best way to deploy policies, people, process, and platforms in support of an enterprise security management solution. This white paper was commissioned by Cyber-Ark Software, Inc. All content and assertions are the independent work and opinions of Spire Security, reflecting its history of research in security audit, design, and consulting activities.

© 2004, 2005 Spire Security, LLC. All rights reserved.


Managing Privileged Passwords


Table of Contents

INTRODUCTION
THE NATURE OF PRIVILEGED ACCOUNTS
    Privileged Account Types
A TALE OF TWO SCENARIOS
    The High-risk Scenario
    The High-cost Scenario
    The Tradeoff
COST/BENEFIT ANALYSIS
    Quantifying Risk
    Towards Reduced Risk
    Identifying Costs
    Towards Return on Investment
CYBER-ARK PASSWORD VAULT
    Password Vault Characteristics
SPIRE VIEWPOINT


Introduction
The password is ubiquitous in today's computing environment. What started as a way to allocate charges for time-sharing computer services has become the primary contributor to any enterprise security strategy. The password accompanies every user account and (in theory) gets strengthened with restrictions and additional factors in order to raise the level of assurance during the authentication process.

But not all passwords, and not all accounts, are created equal. While the objective of the password is to restrict access to an account, that does not mean the accounts are uniquely assigned and properly managed. Enter the shared account: the accounts, present in every computing environment, that are shared among multiple individuals or even groups for purposes other than typical user activity.

Some shared accounts are shared with the world. These are the default accounts that ship standard with products. Default accounts range from the highest level of administrator access to the lowest form of guest access, and they usually ship with default passwords, which are also available to the world.

Other shared accounts are created and managed by the enterprise. These accounts are generally used to perform some particular function within the enterprise, such as backups, training, or development.

By far the most significant type of shared account is the privileged account, in the form of administrator accounts and operator accounts. These accounts are a requirement for every system and application, and any large enterprise will have many administrators and operators using them. Additionally, many manufacturers include default privileged accounts out of the box. These accounts are the proverbial keys to the kingdom and have a special place in the realm of account management.

The Nature of Privileged Accounts


Given the depth of access into enterprise systems, it is the privileged account that provides the largest exploit opportunity in today's enterprises. A compromise of the right privileged account, or set of accounts, may create an unseen puppetmaster: a third party with total control over a computing environment and unfettered access to programs, services, and data. But one can't just turn off privileged accounts, because they perform critical functions. Deleting or disabling a privileged account would leave computers running themselves (or not running) with no human control and no possibility of management; a complete rebuild of those systems becomes a likely consequence.


Privileged Account Types


It is important to understand the nature of privileged accounts today. Here are the most common types:

By Default / For Recovery


Privileged accounts have a variety of characteristics that must be reviewed and evaluated when conducting a risk assessment in an enterprise. Two key characteristics are accounts that are shipped as defaults and accounts used for recovery.

A quick search of the Internet for "default password list" yields a number of sites, at least one of which lists over 1,200 default user accounts and passwords for the many applications, database products, operating systems, and network devices shipped by manufacturers. These accounts span the various functions of shared accounts, including privileged ones, but deserve special mention due to the ease of compromise. Privileged accounts with default passwords are not only common but also devastating when an attacker finds them.

Another account type is the recovery account. These accounts operate as legitimate backdoors (or frontdoors) for administrators who are, for some reason, blocked from the routine means of access. Recovery accounts are especially challenging because, by definition, they are not intended to be used frequently, yet they are crucial when needed. This means they may fly under the radar of those monitoring usage and managing passwords. Both account types increase risk if not managed closely.

System Administrator Accounts. One type of privileged account is the "god" account for any operating system or networking device (firewalls, routers, etc.). Administrator accounts provide unrestricted access to the platform and its configuration information, programs, and data files. Counting all the servers, networking devices, and even workstations, any large enterprise will have thousands of these accounts.

Operator Accounts. It is also common to have specific accounts so that certain technical-support functions can be performed without the need for Administrator access. These accounts may be able to start and stop services, create and manage users, or perform backup operations.

Application Administrator Accounts. Applications installed in a shared environment require some level of access to the system, often as an operator but sometimes as a system administrator. What's more, these accounts have a unique depth of access into specific applications. For example, the sa account that ships with Microsoft's SQL Server has historically had a blank password by default and provides total access to the database server.

Application Functional Accounts. Oftentimes, when implementing an application, the application requires a dedicated user account under which to run. These accounts are common for Internet-facing Web applications, Enterprise Resource Planning (ERP) and financial software from the likes of SAP and PeopleSoft, and custom applications created within the enterprise.

There is always a potpourri of other shared accounts with specific privileges within an enterprise. They may run batch processes or automated scripts, archive and clean file systems, or provide some other specific service unique to the enterprise.


A Tale of Two Scenarios


It is common in information security to be forced to compromise between ease of use and strong security. Functionality and security span a spectrum that can be assessed to identify the optimum mix between the two. A good way to illustrate this recurring conundrum is to describe both ends of the spectrum, the high-risk end and the high-security end, and define the tradeoffs that exist between them.

The High-risk Scenario


The high-risk scenario sacrifices security for functionality. In this case, an enterprise doesn't change passwords at all, or does so rarely. It shares the passwords among a significant number of people (administrators), and there is no accountability for the activities that occur. In a high-risk scenario, passwords are treated like fast-food toys: they are cheap and satisfy an initial craving, then are lost and forgotten. They are given away in volume, yet every new one seems just like the old one, and it is always hard to figure out whose is whose.

The challenges in a high-risk scenario are plentiful. Without strong controls over admin passwords, there are likely to be many unattributed events, that is, events that can't be accounted for or tied back to an individual. While this is an obvious security challenge, it is even more of an administrative burden when managing the network. With many people working on many different projects, it is extremely difficult to trace one-time, temporary modifications that impact the entire computing environment. In the high-risk scenario, there is little basis for demonstrating regulatory compliance, given the relaxed controls, and any incidents, administrative or otherwise, require significant resources for troubleshooting and recovery.

The High-cost Scenario


On the other hand, enterprises may choose the high-cost scenario. Under these circumstances, the enterprise appreciates full well the risk associated with shared admin passwords and has implemented a mechanism to protect itself.

One type of high-cost scenario involves passwords in envelopes. Here the enterprise keeps the passwords in physical envelopes managed by an assigned employee, normally the security officer. When someone needs an admin password, they make a request, retrieve the password from the security officer, perform their work, and return the envelope. At that point, the security officer changes the password, writes down the new one, signs the entry, puts it into the envelope, and returns the envelope to the safe.

Progressive enterprises will have their own semi-automatic solution: a set of scripts mapped into manual processes that provide a home-grown way to manage the passwords. These solutions require time and effort to ensure that the aggregation of passwords and the corresponding delivery mechanisms remain functional and secure.

The enterprises here have chosen high cost in return for high security. But the cost is significant. It makes administrative tasks burdensome, potentially leading to other types of security issues, such as misconfigurations or unpatched systems that were left unaddressed. The allocation of product and employee time has a cost that must be evaluated against the return it provides.

The Tradeoff
The tradeoff between high risk and high cost normally doesn't make anyone comfortable. It forces compromises based on a vague understanding of risk levels. Cost pressures weigh on those selecting the high-risk option, while regulatory requirements often drive the high-cost efforts.

Cost/Benefit Analysis
The optimal approach finds the point on the spectrum that provides the best mix of functionality and security. The way to evaluate the options is to break the costs and risks down into their atomic elements, measure the alternatives, and make a decision with complete information. These elements are:

Number of Accounts/Passwords: the discrete number of privileged user accounts that exist in an environment, along with their corresponding passwords.

Number of Users: the number and types of users who require access to shared passwords. Users are counted for each department, geographic location, or individual application.

Password Information: in order to gauge the risk, it is important to understand the password implications. This means properly characterizing the password complexity and the password change interval for every password, applied to the number of users already collected.

Number of Sessions: a look at the logs can provide details on the usage volume of the target accounts themselves. This information can be used to quantify the amount and scope of the risk.

Number of Activities: within each session there is (potentially) a number of activities that are performed. Though slightly harder to get, this type of information may be estimated to further narrow down the information about shared-account risk.

Number of Incidents: in this case, an incident can be anything from a break/fix scenario requiring log review to an actual compromise of the privileged account. For cost purposes, an incident occurs for any reason that requires a log review to attempt to identify the person who was using some shared account at a particular time.


Quantifying Risk
The risk associated with shared passwords falls into three categories:

Manifest Risk: the risk associated with the privileged-account activities that are performed. This is the most prominent risk, that inappropriate activities are occurring within the sessions.

Inherent Risk: the exposure that comes with the configuration of assets, such as allowing many individuals access to an account/password pair, as well as weak password configurations that may expose the password to a brute-force attack.

Process Risk: the possibility that an individual will bypass the password-management process in order to address a problem quickly, or that a password that is supposed to be changed doesn't get changed.

Towards Reduced Risk


Considering processes, configurations, and activities allows us to calculate the reduction in risk as a function of potential abuses.

The manifest risk of privileged-password use can be calculated by taking the total number of administrative errors and incidents in an environment and dividing it by the total number of activities performed. So, if 25 of every thousand activities performed are bad, the manifest risk is 2.5%.

Inherent risk allows for relative reduction of risk. Multiplying the total number of administrators by the total number of privileged accounts creates an index that, when reduced, results in a corresponding reduction in risk. For example, 200 administrators with access to 1,000 different accounts make 200,000 different admin/account pairs. If the number of administrators is reduced to 100, or the number of accounts is reduced to 500, the index, and with it the risk, is cut in half.

Process risk rounds out the types of risk and is addressed through traditional means, by reducing process-related errors. Every process control that is met keeps risk at bay, while a subverted step creates it.

Each of the three areas of risk contributes to the overall risk profile. It is attention to the details that creates opportunities for success or failure.

Identifying Costs
For any security function, the total cost of that activity can be calculated by adding up the individual costs in two primary areas: salary and wages allocated to the time spent performing the function, and the cost of software solutions used in support of it. So, for example, an environment with a single administrator making $100,000 a year and spending 25% of her time performing these administrative tasks should allocate 500 hours of time (25% of a 2,000-hour working year) at $50 per hour, for a total of $25,000 in administrative costs. Where appropriate, the cost of a solution is added to that. These solutions may be associated with strong authentication or automated password management.

Towards Return on Investment


Once costs are captured, the ROI can be evaluated. An ROI may be attained through cost savings, on the premise that no activity is completely efficient. The ROI projection itself is straightforward. First, capture the people and solution costs for privileged-account password management. Then estimate the costs of the alternative being evaluated and compare them to the existing costs. In the case of password management, ROI may be attained if an onerous process can be automated without creating more risk to the environment.
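A worked version of the risk and cost figures from Quantifying Risk through Towards Return on Investment, as an added example rather than anything from the paper: manifest risk as incidents over activities, the inherent-risk index counted from an admin-to-account entitlement map (so it equals administrators times accounts when everyone may use everything, and drops as individual grants are removed), process risk as the share of process steps bypassed, the salary cost of an administrator's time, and the ROI of an alternative as a plain cost difference. The inputs reproduce the paper's own numbers; the 2,000-hour working year, the full_mesh helper, and the two scenarios compared in example() are assumptions.

```python
"""Cost/benefit model for shared privileged accounts.

Added example following this section's elements and formulas; it is not from
the paper. The inputs are constructed to reproduce the paper's own figures,
and the 2,000-hour working year and the two scenarios' costs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 2000  # assumption: converts an annual salary into an hourly rate


def manifest_risk(bad_activities: int, total_activities: int) -> float:
    """Share of privileged-account activities that were errors or incidents."""
    if total_activities <= 0:
        raise ValueError("manifest risk needs at least one observed activity")
    return bad_activities / total_activities


def inherent_risk_index(entitlements: dict[str, set[str]]) -> int:
    """Number of admin/account pairs, counted from who may use which account.

    With every administrator entitled to every account this is admins x accounts;
    counting real entitlements lets the index fall as single grants are removed,
    not only when whole administrators or accounts disappear.
    """
    return sum(len(accounts) for accounts in entitlements.values())


def process_risk(required_steps: int, skipped_steps: int) -> float:
    """Fraction of the password-management process that was bypassed."""
    if required_steps <= 0:
        raise ValueError("process risk needs a defined process")
    return skipped_steps / required_steps


def admin_cost(salary: float, fraction_of_time: float) -> float:
    """Salary cost of the time one administrator spends handling privileged passwords."""
    hours = WORK_HOURS_PER_YEAR * fraction_of_time
    hourly_rate = salary / WORK_HOURS_PER_YEAR
    return hours * hourly_rate


@dataclass
class Scenario:
    name: str
    admins: int
    salary: float
    fraction_of_time: float  # share of each administrator's year spent on password handling
    software_cost: float = 0.0  # annual cost of tooling, if any

    def annual_cost(self) -> float:
        return self.admins * admin_cost(self.salary, self.fraction_of_time) + self.software_cost


def annual_savings(current: Scenario, alternative: Scenario) -> float:
    """ROI as a plain cost difference: positive means the alternative is cheaper."""
    return current.annual_cost() - alternative.annual_cost()


def full_mesh(admins: int, accounts: int) -> dict[str, set[str]]:
    """Constructed entitlements in which every administrator may use every account."""
    account_names = {f"acct{i}" for i in range(accounts)}
    return {f"admin{i}": set(account_names) for i in range(admins)}


def example() -> dict:
    # Manifest risk: 25 of every 1,000 activities were errors or incidents.
    risk = manifest_risk(25, 1000)
    # Inherent risk: 200 admins x 1,000 accounts, then the administrator count halved.
    before = inherent_risk_index(full_mesh(200, 1000))
    after = inherent_risk_index(full_mesh(100, 1000))
    # Cost: one administrator earning $100,000 who spends 25% of her time on this.
    cost = admin_cost(100_000, 0.25)
    # ROI: an envelope process against an automated vault (both scenarios are assumed figures).
    envelopes = Scenario("envelopes", admins=20, salary=100_000, fraction_of_time=0.25)
    vault = Scenario("vault", admins=20, salary=100_000, fraction_of_time=0.05, software_cost=150_000)
    return {"manifest_risk": risk, "inherent_before": before, "inherent_after": after,
            "admin_cost": cost, "savings": annual_savings(envelopes, vault)}
```

Counting the index from an entitlement map rather than from two totals is what makes the "reduce administrators or reduce accounts" advice actionable: removing a single admin's access to a single account lowers the index by one, so the effect of each least-privilege change can be measured before and after.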

Cyber-Ark Password Vault


Until recently, enterprises were left to their own devices to come up with a proactive approach to password management. Organizations had to create the manual processes and the hodgepodge of scripts themselves. Today, Cyber-Ark's Network Vault for Passwords (Password Vault) provides a solution to manage privileged accounts and passwords.

Password Vault Characteristics


Cyber-Ark's Password Vault creates an environment from which to address shared-password risk. The primary benefits of Password Vault are:

Secure Storage: Password Vault provides a high-security storage area to house the privileged passwords. This storage area incorporates authenticated and encrypted communications, access control mechanisms, encrypted data, and auditing.

Privileged Password Management: Password Vault interfaces with systems to automatically change privileged passwords according to previously determined policies, such as the types of characters required and the frequency of change.

Controlled Use: Password Vault keeps track of the state of all passwords and ensures that passwords are checked out and checked in through a mechanism that logs the activity.

Password Vault addresses the high-risk scenario by providing a secure alternative to sharing passwords in Excel spreadsheets. Risk is reduced through the extensive feature set of Password Vault: passwords are tightly controlled and access is accountable, without losing the level of productivity that is required.
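The check-out/check-in workflow described above, which applies to the sealed-envelope process of the high-cost scenario as much as to the automated vault, as an added example that is neither the paper's text nor Cyber-Ark's code: one holder per password at a time, every hand-over logged, the password replaced the moment it comes back, stale passwords rotated on the policy's change interval, and a lookup that ties an event seen on the managed system back to whoever held the account at that moment (the "unattributed event" problem of the high-risk scenario). The class names, policy fields, audit-record layout, and the set_password callback standing in for the managed system are assumptions; the two administrators and the root account walked through in demo() are constructed.

```python
"""Check-out/check-in model for shared privileged passwords (added example, not
Cyber-Ark's software). Class names, policy fields, the audit-record layout and
the managed-system callback are assumptions; the data in demo() is constructed.
"""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class PasswordPolicy:
    length: int = 20
    classes: tuple = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*")
    change_interval: timedelta = timedelta(days=30)

    def generate(self) -> str:
        alphabet = "".join(self.classes)
        while True:  # reject candidates missing a required character class
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if all(any(ch in cls for ch in pw) for cls in self.classes):
                return pw


@dataclass
class Entry:
    password: str
    changed_at: datetime
    holder: Optional[str] = None  # who has the password checked out, if anyone


class PasswordVault:
    def __init__(self, policy: PasswordPolicy, set_password: Callable[[str, str], None]):
        self.policy = policy
        self.set_password = set_password  # pushes a new password to the managed system
        self.entries: dict[str, Entry] = {}
        self.audit: list[tuple] = []  # (at, event, user, account)

    def onboard(self, account: str, password: str, now: datetime) -> None:
        self.entries[account] = Entry(password, now)

    def checkout(self, user: str, account: str, now: datetime) -> str:
        entry = self.entries[account]
        if entry.holder is not None:  # one holder at a time; the next requester waits
            raise PermissionError(f"{account} is checked out by {entry.holder}")
        entry.holder = user
        self.audit.append((now, "checkout", user, account))
        return entry.password

    def checkin(self, user: str, account: str, now: datetime) -> None:
        if self.entries[account].holder != user:
            raise PermissionError(f"{user} does not hold {account}")
        self.entries[account].holder = None
        self.audit.append((now, "checkin", user, account))
        self._rotate(account, now)  # replace the password at once, as the envelope process does

    def rotate_expired(self, now: datetime) -> list[str]:
        """Enforce the change interval; accounts in use are skipped so live sessions keep working."""
        due = [a for a, e in self.entries.items()
               if e.holder is None and now - e.changed_at >= self.policy.change_interval]
        for account in due:
            self._rotate(account, now)
        return due

    def who_held(self, account: str, at: datetime) -> Optional[str]:
        """Attribute an event seen on the managed system at time `at` to the account's holder."""
        holder = None
        for when, event, user, acct in self.audit:
            if acct == account and when <= at and event in ("checkout", "checkin"):
                holder = user if event == "checkout" else None
        return holder

    def _rotate(self, account: str, now: datetime) -> None:
        new_password = self.policy.generate()
        self.set_password(account, new_password)  # managed system first: on failure the vault still holds a working value
        entry = self.entries[account]
        entry.password, entry.changed_at = new_password, now
        self.audit.append((now, "rotate", None, account))


def demo() -> dict:
    system = {"root@db01": "changeme"}  # constructed stand-in for the managed system's credential store
    vault = PasswordVault(PasswordPolicy(), lambda acct, pw: system.__setitem__(acct, pw))
    t0 = datetime(2005, 2, 1, 9, 0)
    vault.onboard("root@db01", "changeme", t0)
    first = vault.checkout("alice", "root@db01", t0 + timedelta(minutes=5))
    try:
        vault.checkout("bob", "root@db01", t0 + timedelta(minutes=10))
        contended = False
    except PermissionError:
        contended = True
    vault.checkin("alice", "root@db01", t0 + timedelta(minutes=30))
    expired = vault.rotate_expired(t0 + timedelta(days=31))
    return {
        "contended": contended,
        "changed_after_checkin": first != vault.entries["root@db01"].password,
        "system_in_sync": system["root@db01"] == vault.entries["root@db01"].password,
        "who_at_0920": vault.who_held("root@db01", t0 + timedelta(minutes=20)),
        "rotated_on_expiry": expired,
    }
```

Two details carry the security value. Rotation pushes the new password to the managed system before the stored copy is updated, so a failed change leaves the vault holding a password that still works rather than one nobody knows. And rotate_expired skips accounts that are checked out, so a password is never changed underneath an active session; the scheduled change simply happens at the next check-in or the next sweep.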

Spire ViewPoint
Within the context of all user accounts, it is clear that privileged accounts can cause the most damage and therefore carry the highest risk. Adding to the risk is the fact that many individuals need access to the passwords, violating the key principle of secrecy.



Yet enterprises are caught in a conundrum. They must maintain an adequate level of security while keeping their costs down, and costs in this regard can create a significant burden on daily productivity. On the other hand, managing accounts loosely or not at all leads to many more incidents: situations where enterprises must troubleshoot systems in order to identify configuration changes that result from shared passwords. This too results in high productivity loss. Implementing a password-management mechanism to control and distribute passwords is the only way to get strong security without increasing costs significantly, and this is likely to be extremely difficult without an automated solution. Cyber-Ark's Password Vault addresses this problem. It provides a secure storage environment along with integration with key systems to manage privileged password assignment and distribution. Given its strong history and track record, it provides a significant opportunity for users.


Contact Spire Security


To comment about this white paper or contact Spire Security, LLC about other security topics, please visit our website at www.spiresecurity.com.
