"Financial Service Technology America, today's latest financial news now..."
25 May 2011

Resolving the Privilege Management Paradox

Quest Software | www.quest.com/vworkspace


An Enterprise Management Associates® White Paper

Many have focused on the risks to sensitive information posed by a seemingly unending wave of data security breaches in the last few years – and justifiably so. These breaches often involve the exploitation of hundreds or thousands of identities. Compare this, however, to the impact of exploiting a single identity: that of the system administrator, the “root” account, and similar forms of privileged access that grant direct control over IT.

In the recent scandal at French bank Societe Generale, for example, the alleged actions of a single trader familiar with the implementation of technical risk controls in IT resulted in exposure that, at its worst, was greater than the GDP of oil-rich Qatar – and an order of magnitude greater than some estimates of the impact of the TJX data security breach. In December 2006, a single system administrator at financial services giant UBS was convicted of exploiting administrative privileges to plant a logic bomb that brought widespread business operations to their knees.

Paradoxically, while businesses have made substantial investments in improving security for ordinary user access, privileged access is far too often poorly secured. These accounts are often shared, which makes tracking use – and abuse – a substantial challenge. They typically unlock far greater control than is necessary for a specific task. They may be guarded by little more than a simple password, whose strength may only rarely be defined or enforced. Passwords are often infrequently changed due to the risk of locking out highly skilled technologists at a moment of critical need. This raises the risk of password discovery and abuse, with enormously disproportionate impact potential.

Regulators as well as enterprises increasingly recognize these gaps, but products do not always offer the ability to balance better control with the operational risks increased control could introduce. Solutions need to be easily deployed, minimizing risks of disrupting critical business processes or IT resources. They should integrate as seamlessly and transparently as possible with the existing environment. They must be scalable to meet enterprise demands, and assure critical availability against risks of lost access at the highest level of privilege. They should offer the flexibility needed in today’s truly heterogeneous enterprise. They should maximize the value of the investment across the widest possible range of access targets. And of course, they must demonstrate their security.

The Privilege Management Paradox: Highest Privilege Often Has the Least Control

For many years, IT risk control has focused primarily on areas such as security, particularly around network and perimeter defense and threat management. Identity management and access control have also played substantial roles, with emphasis on defining access to a wide range of information resources for broad populations of users.

Today, there is much more emphasis on the exposure of business risk in IT. Data privacy breaches, for example, have captured much attention in recent years – but the scale of exposure in most cases pales when compared to the risk posed by an individual with high knowledge of the IT environment itself, and the technical controls intended to control risk in IT.

The recent scandal at French bank Societe Generale offers a dramatic illustration. In this case, an individual who was apparently highly familiar with technical as well as business risk controls in IT allegedly exploited that knowledge to perpetrate fraud on a massive scale. At its worst, Societe Generale’s exposure in this case was reportedly in the range of $70 billion – greater than the 2007 GDP of oil-rich Qatar, and an order of magnitude greater than many estimates of losses in the case of the TJX data security breach, believed by some to range between $1-5 billion.

The Societe Generale case reveals a fundamental flaw in many approaches to IT governance and risk management: IT controls are only effective if they are resistant to subversion. Many IT risk and compliance management strategies are predicated on a framework of IT controls – but what happens when the controls on which such a strategy depends are unreliable? Many businesses have invested thousands, if not millions, in their IT controls, but how many have asked themselves this critical question: Who controls the control, and what are they doing with it?

Read the complete whitepaper at www.quest.com/privilege

About Quest Software, Inc.

Quest Software, Inc. a leading enterprise systems management vendor, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Visit www.quest.com for more information.

About Quest® One Identity Solution

Quest® One Identity Solution enables organizations to enhance security, improve efficiency and achieve and sustain compliance by strengthening authentication, controlling authorization, automating administration and auditing your identity and access management infrastructure. Learn how at www.GetToOne.com.

