Three Ways CXOs Can Avert Super-User Security Threats with Privileged Account Management

Quest Software offers best practices for managing privileged access to
safeguard sensitive corporate and governmental information and systems

Business Wire

ALISO VIEJO, Calif. -- November 26, 2012

Today, on Cyber Monday, online retailers and banks are bracing for the
likelihood of increased data breaches and security threats, while online
shoppers are taking extra precautions to protect personal information. Every
day, Americans trust that the corporate and government IT systems handling
their critical identity information, such as credit card numbers, social
security numbers and tax returns, are equipped with appropriate security
measures to keep personal data safe. Heightening awareness of potential
security risks is an essential step to thwarting malicious attacks. All too
often, however, public and private entities must also recognize that even more
risky exposure exists when administrative privilege is exploited, regardless
of whether by external adversaries or internal threats. Quest Software (now part
of Dell) has a deep understanding of the problems organizations face when they
don’t properly control and audit administrative access and “super-user”

According to a survey conducted earlier this year at The Experts Conference,
an annual gathering of global IT pros co-sponsored by Quest and Microsoft,
half of the responding organizations reported that their No. 1 compliance
issue is ensuring correct user access rights (including privileged user
access). In the case of managing privileged accounts, this challenge
intensifies when administrators are given the “keys to the kingdom,” with
far-reaching, shared anonymous access rights to vital IT systems. In the
private sector, failure to manage access to information and compliance with
security mandates can mean lost revenues, failed audits and damage to the
brand. In government, managing user access rights represents a high-stakes
game in which getting out ahead of emerging threats is a matter of national
security. To this point, Privileged Account Management is noted in many
security standards, including ISO 27001 and NIST 800-53. A new report
developed by Enterprise Management Associates, on behalf of Quest, identifies
inadequate administrative access controls as “one of the most egregious IT
risk gaps in many organizations.”

The report, “Why You Need to Consider Privileged Access Management (And What
You May Not Know About It That You Should),” examines some of the most common
excuses companies give to justify this oversight, and offers useful insight
into how modern Privileged Account Management (PAM) practices and
corresponding technology solutions can close the risk gap with flexible policy
control, automated workflows and comprehensive reporting to enhance security,
achieve compliance and improve efficiency.

To further help CXOs avert these all-too-common security risks, Quest offers
three pragmatic tips:

1. Assign individual accountability to super-user activity

Shared and unmanaged administrative access is more than just a bad idea—it’s
one of the fastest and easiest ways to expose an organization to undue risk,
especially since these super-user accounts typically have extensive power over
IT operating systems, applications, databases, etc. With shared accounts, any
security or compliance breach can be traced back only to the account, and not
to an individual administrator using that account.

A much better approach to risk containment involves granting administrators
access rights only to what they need, as they need it, nothing more or less.
Credentials should be issued only on an as-needed basis, accompanied by a full
audit trail of who used them, who approved the use, what they did with them,
as well as how and why they received them – and the password should be
immediately changed once the use is completed. The ability to automate and
secure this entire process is an effective way to manage administrative access
across an entire organization. Similarly, PAM is essential to enabling
federal, state and local agencies to work together, and can make or break
government-wide information sharing and collaboration.

2. Implement and enforce a “least privilege” security stance for
administrative access

Many administrative accounts, including those for Unix root, Windows or Active
Directory admin, DBA, etc., provide unlimited permissions within their scope
of control, and, when shared, open the door for malicious activity. For
example, the widely publicized security breach at Fannie Mae involved an
employee who used this type of super-user access to maliciously plant a logic
bomb that, if undiscovered, would have crippled the entire organization and
compromised the personal and financial information of approximately 1,100

A more prudent approach is to establish a policy that clearly defines what
each administrator (or administrator role) can and cannot do with their
access. Since this process can be complicated and often difficult to enforce
across diverse systems, Quest recommends the addition of granular delegation
tools that are optimized for the designated platforms, and integrated with
other PAM technologies such as a privilege safe, multifactor authentication or
Active Directory bridge.

3. Reduce privileged account management complexity

One of the overarching PAM challenges comes from navigating diverse IT
systems, each with their own unique capabilities and requirements for
privileged account management. This often results in the use of specialized
tools, along with ad-hoc policies and practices to control privileged account
access. Unfortunately, this approach frequently complicates the audit process,
making it difficult to prove that all access is controlled and that
separation-of-duties principles are established and enforced.

For that reason, consolidating disparate systems into a common identity
structure creates an environment where a single PAM approach can be readily
enforced with greater consistency across a much larger portion of an
organization, eliminating errors born of multi-system complexity, reducing
risk and lowering the expense of managing multiple systems. In addition, any
consolidation of PAM capabilities under a common management and reporting
interface provides enhanced efficiency.

The EMA report referenced above indicates that organizations focused on
achieving a high level of discipline in configuration and change management
tend to have better outcomes, not only in lower incidences of disruptive
security events, but in better IT reliability, less unplanned IT work, more
successful IT changes, higher server-to-system administrator ratios, and more
IT projects completed on time and within budget.

Quest® One Identity Solutions Centralize and Simplify Privileged Account

Quest Software provides a modular, yet integrated, approach to identity and
access management, specifically Privileged Account Management that controls
insider threats and improves IT efficiency, as it enables organizations to
eliminate the dangers of unchecked super-user access, adverse audit findings,
direct penalties, and negative press exposure.

Supporting Quotes:

Jackson Shaw, senior director of product management, Quest Software
“Privileged Account Management will be one of the fastest-growing areas of IAM
over the next few years, for good reason. Most of the recent high-profile
security breaches, including the UBS Paine Webber attack and the City of San
Francisco breach, happened due to lack of control over privileged accounts.
What’s more, these breaches do not discriminate; they can cause equally
horrific damage to any organization, no matter how large or small. It’s time
for companies to take note of the severe security risk posed by poor PAM
practices, and seek out a comprehensive solution befitting the task. Quest One
offers a complete set of PAM capabilities, providing comprehensive controls in
a flexible, modular architecture.”

Scott Crawford, Enterprise Management Associates (EMA)
“Poor controls over administrative access have resulted in real damage. PAM
capabilities can help mitigate such risks and improve controls, through
techniques such as ‘privilege safe’ technologies that deliver a more
disciplined approach to control that supports responsible IT governance. Quest
helps IT improve performance and reduce support costs by closing one of the
most readily managed gaps of all: the weakness exposed when individuals have
broad, anonymous, and unmonitored administrative access to the most sensitive
capability in IT.”

Supporting Resources:

  * To see how your identity and access management performance compares to the
    best-in-class, take a free interactive assessment
  * View demonstrations and videos:
  * More Quest news:
  * Quest TV:

About Quest Software (now a part of Dell)

Dell Inc. (NASDAQ: DELL) listens to customers and delivers innovative
technology and services that give them the power to do more. Quest, now a part
of Dell’s Software Group, provides simple and innovative IT management
solutions that enable more than 100,000 global customers to save time and
money across physical and virtual environments. Quest products solve complex
IT challenges ranging from database management, data protection, identity and
access management, monitoring, user workspace management to Windows
management. For more information, visit or

Dell is a trademark of Dell Inc. Dell disclaims any proprietary interest in
the marks and names of others.

Quest, Quest Software, and the Quest logo are trademarks or registered
trademarks of Quest Software in the United States and certain other countries.
All other names mentioned herein may be trademarks of their respective owners.


Quest Software, Inc. (part of Dell)
Nisha Morris