Controlling IT Audit Costs Privileged Identities and Compliance
Summary
A global financial institution commissioned an internal study on its costs to prepare for IT compliance audits and address auditor findings. The report surprised executive management by detailing how quickly these expenditures were spiraling out of control. When the firm's security and compliance officer was charged with improving staff efficiency, he sought ways to address this issue quickly, without impacting the quality of IT service. The executive's focus turned to automating the manual controls that were then in place to manage, audit and report the organization's use of privileged accounts, since this was seen as a practical way to lower staff overhead while reducing the uncertainty of IT audit results. The executive's proposed solution was first tested in a limited pilot deployment. After the organization measured the resulting improvements, the program was expanded to cover all sites on the global network. This paper outlines the ways that privileged identity management software can help lower the cost and uncertainty of IT regulatory audits. It describes the steps that organizations can take to secure privileged identities without disrupting IT services, and how to efficiently document compliance with key standards like PCI‐DSS, SOX, HIPAA, NERC and others. It also presents a case study of how this financial institution got IT compliance costs under control.
Privileged Identities and Compliance
Privileged identities are accounts that hold elevated permission to access files, run programs, and change configuration settings. Commonly used by IT staff to perform routine maintenance and emergency system repairs, privileged identities exist virtually everywhere in IT. They are found on server and desktop operating systems, on network devices such as routers, switches, and security appliances, and in programs and services including databases, line‐of‐business applications, web services, backup software, scheduled tasks, and others. Today's Identity Access Management (IAM) frameworks don't manage or discover privileged identities; rather, they are mainly designed to provision and de‐provision users, manage normal user login activity, and in some cases grant single sign‐on to multiple systems and applications. Precisely because they are outside the control of most IAM technologies, privileged identities have become a significant security concern and a focus of many IT compliance audits. As Philip Lieberman, president of Lieberman Software, puts it, "As late as 2007 we rarely heard about audit failures resulting from the lack of a privileged identity management strategy. Today a sizeable percentage of our new customers are enterprises that face expensive compliance failures and are looking to regain control of privileged identities, improve security, and pass future audits." Key regulatory standards – including PCI‐DSS, HIPAA, NERC, and others – share common requirements when it comes to securing privileged identities. These include requirements to:
Discover and change all default privileged passwords on every hardware and software asset before deployment on production networks,
Maintain minimum complexity and change frequency standards for all privileged account passwords,
Maintain detailed audit trails of all privileged access requests,
Document a need‐to‐know when it comes to each privileged access, and
Change account passwords when those with access are terminated or change job roles.
Failure to effectively manage privileged account access has the potential to result in failed compliance audits and higher direct business costs. For example:
Organizations processing credit card payments that fail to comply with Payment Card Industry Data Security Standards (PCI DSS) pay increased transaction fees and fines.
Health providers and payers face unannounced HIPAA security audits, with fines and civil penalties that can quickly compound to tens of thousands of dollars per day.
Electric utilities that fail to comply with NERC standards face penalties that range up to $1,000,000 per violation in the most serious cases.
© 2009 by Lieberman Software Corporation. All rights reserved. Rev. 20091020a
Gaining Control
A single server can have privileged identities present in local and domain accounts, in configured services and scheduled tasks, and in a wide range of applications including COM+ and DCOM applications, IIS websites, databases such as Oracle, SQL Server, and so on. Multiply these by the many computers and network appliances present in your organization to get an idea of the challenges involved in manually documenting each account and its interdependencies, and changing each account password frequently enough to comply with regulatory mandates. Fortunately, automated processes exist that can reliably help organizations regain control in a cost‐effective manner. The processes can be described as four key steps that are abbreviated as I.D.E.A.:
Identify and document all critical IT assets, their privileged accounts and interdependencies.
Delegate access to credentials so that appropriate personnel, using the least privilege required, with a documented purpose, can log in to IT assets in a timely manner at designated times.
Enforce rules for password complexity, diversity and change frequency, synchronizing changes across all dependencies to prevent service disruptions.
Audit and alert so that the requester, purpose, and duration of each privileged access request is documented and management is made aware of unusual events.
Privileged identity management software can automate the task of tracking an organization's privileged accounts, changing privileged passwords according to the organization's policy, facilitating rapid password recovery so that IT staff can perform routine services and emergency repairs, and changing each privileged password after check‐out to prevent unaudited access.
Lieberman Software Solution
Enterprise Random Password Manager (ERPM) is software that discovers, updates, stores, and allows secure recovery of every local, domain, and process account in an organization. It detects and reports every location where privileged accounts are used – including local and domain accounts, configured services, scheduled tasks, applications including COM+ and DCOM, IIS websites, databases such as Oracle, SQL Server, and so on – and then rapidly propagates password changes everywhere that each account is referenced in order to prevent account lockouts and service failures that can occur when manual processes create obsolete credentials. ERPM secures its passwords in an encrypted database that can be accessed from any web‐enabled device. Users check out privileged account passwords through an automated process that takes advantage of an organization's existing identity access management framework to allow expedited, delegated access. Passwords are automatically re‐randomized after check‐in, and restricted recovery periods, forced check‐ins, periodic verifications, web session timeouts, and phonetic spelling options are provided.
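To make the I.D.E.A. steps and the check‐out workflow above concrete, here is a small Python model of a privileged‐credential vault. It is an added example, not ERPM code and not from the original paper: every disclosure is logged with requester and stated purpose, the password is re‐randomized at check‐in or forced check‐in, passwords older than policy are rotated, and a leaver's accounts are rotated on departure. The policy values, account names, function names and the use of an integer hour counter for time are all assumptions.

```python
import secrets, string
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
MAX_AGE = 30 * 24       # assumed change-frequency policy, in hours
MAX_CHECKOUT = 4        # assumed restricted recovery period, in hours

def random_password(length=20):
    """Generate a password meeting an assumed complexity rule (all four classes present)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(f(c) for c in pw) for f in (str.islower, str.isupper, str.isdigit, set("!@#$%^&*").__contains__)):
            return pw

class Vault:
    def __init__(self):
        self.accounts = {}   # (system, account) -> password, last change, current holder
        self.audit = []      # one dict per event: the trail auditors ask for

    def identify(self, system, account, now):
        """Step 1: enrol a discovered account and replace its default password at once."""
        self.accounts[(system, account)] = {"password": random_password(), "changed": now, "holder": None}
        self.audit.append({"when": now, "event": "changed", "system": system, "account": account})

    def checkout(self, system, account, who, purpose, now):
        """Step 2: delegate access; a stated purpose is mandatory (documents need-to-know)."""
        if not purpose: raise ValueError("purpose required")
        rec = self.accounts[(system, account)]
        if rec["holder"]: raise PermissionError("already checked out")
        rec["holder"] = (who, now)
        self.audit.append({"when": now, "event": "checkout", "system": system, "account": account, "who": who, "purpose": purpose})
        return rec["password"]

    def checkin(self, system, account, now):
        """Step 3: re-randomize on check-in so the disclosed password cannot be reused."""
        rec = self.accounts[(system, account)]
        rec.update(password=random_password(), changed=now, holder=None)
        self.audit.append({"when": now, "event": "changed", "system": system, "account": account})

    def enforce(self, now):
        """Steps 3-4: force overdue check-outs back in and rotate passwords older than policy."""
        for (system, account), rec in self.accounts.items():
            if (rec["holder"] and now - rec["holder"][1] > MAX_CHECKOUT) or now - rec["changed"] > MAX_AGE:
                self.checkin(system, account, now)

    def revoke(self, who, now):
        """Rotate every account a leaver ever checked out (termination or role change)."""
        for key in {(e["system"], e["account"]) for e in self.report("checkout") if e["who"] == who}:
            self.checkin(*key, now)

    def report(self, event):
        return [e for e in self.audit if e["event"] == event]  # step 4: e.g. changes by system/account
```

`report("changed")` is the audit report of password changes by system and account that the case study below relies on, and `report("checkout")` carries the requester and purpose for each access request.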
Customer Case Study
Lieberman Software was first contacted by the security and compliance officer at a large financial services firm after an internal study determined that staff overhead to prepare for compliance audits and address auditor findings was growing faster than the organization could sustain. The executive suspected that manual and ad‐hoc processes for updating privileged identities and documenting their use, as required by several of the firm's compliance directives, were a key component of these costs. The executive told us that his priorities were to:
Develop more efficient and repeatable processes to document compliance,
Reduce unforeseen audit findings, and
Better control IT staff access to servers and applications that host sensitive data.
[Figure: Enterprise Random Password Manager (ERPM) Identifies a Wide Range of Privileged Accounts and Interdependencies]
The organization deployed Enterprise Random Password Manager (ERPM) in a pilot program at its headquarters site and examined the results. In using the product to prepare for recurring audits, it was determined that significant staff time savings had been realized through:
The automation of logging and reporting to show privileged account password changes by system and account.
Logging and reporting of each privileged access request, including a feature that reports the stated purpose for each request to demonstrate need‐to‐know.
Auto‐discovery, auto‐remediation, auditing and reporting of new systems and applications as they are introduced on the network.
The efficiencies demonstrated during the pilot deployment were significant enough that the organization deployed ERPM at all of its sites worldwide. The executive later reported that the product had met his project goals wherever it was deployed.
[Figure: Configurable Audit Report Showing Dates and Times of Privileged Password Changes]
Next Steps
Organizations that desire more insight into potential risks of the unsecured privileged accounts in their IT environments can contact Lieberman Software for an ERPM software trial. ERPM documents potential risks present in the infrastructure, enumerating privileged accounts by hardware platform, account and service type. It then continuously secures privileged accounts everywhere on your network and provides an audit trail of each access request. ERPM trial software is available at no cost to qualified organizations. For more information, email ERPM@Liebsoft.com.
About Lieberman Software
Lieberman Software Corporation, established in 1978 as a software consultancy, has been a profitable, management‐owned organization since its inception. Lieberman Software pioneered privileged account password management software, releasing its first product to this market in 1999. Since that time, the company has continuously updated and expanded its privileged password solutions while growing its customer base to include many of the world's most secure enterprises. Lieberman Software is a Microsoft Gold Certified Partner and has technical partnerships with such other industry leaders as Cisco, Novell, Red Hat, Hewlett‐Packard, IBM, RSA and Intel. The company is headquartered in Los Angeles, CA, and maintains a regional office in Austin, TX. All product development, testing, and support operations are based in the United States. For more information, visit www.liebsoft.com or call 800‐829‐6263 (USA and Canada) or 01‐310‐550‐8575 (International).