Welcome!

Agile Computing Authors: Liz McMillan, Elizabeth White, Sematext Blog, Carmen Gonzalez, ManageEngine IT Matters

Related Topics: Agile Computing

Agile Computing: Blog Post

With Great Power Comes Great Responsibility: Managing Privileged Users

How to Mitigate Negative Outcomes from Privileged User Access

Since the advent of the SuperUser, there has been a thorn in the side of Information Security. Administrators must be able to perform system management functions, but systems have been designed to grant them access far beyond what they actually need to do their jobs. As a result, IT has had to come up with crafty ways to help mitigate who has access to privileged accounts and the underlying data in those accounts. They have tried everything from password management, to keystroke logging, to change control procedures, to privileged user management (such as sudo, powerbroker, etc.).

However, all of these approaches have focused on either "who" can become a privileged user or "how" they can access sensitive data. In essence, they've been missing the point, which is much more about what the privileged user is able to do with data.

If you are wrestling with how to mitigate negative outcomes from privileged user access to data (and attackers who wish to exploit privileged users), here are a few different methods to consider:

  • Password Management - Create a process where privileged users must check out a password after going through an approval process, usually a change control system. (This mitigates an individual admin from just jumping into the system at will, but does not control what they can do, or if a vulnerability is abused in the system.)
  • Privileged User Management - Tools like sudo can be used to control who can run what commands as a privileged user (i.e. - jsmith can run mount as root to mount file systems). This controls individual admins to a limited set of commands, but the sudo configuration is still managed by a full root user, and doesn't control access to data, as root.
  • Keystroke Logging - Commonly used to watch what an individual does on a system, and is seen to be a very cumbersome method.
  • Data Firewalling - A tool like Vormetric Data Firewall is an effective last line of defense because it employs a separation of duties from data, all driven by policy. It uses transparent encryption (failsafe), integrated key management (no keys known to individuals), and a criteria-effects rule set to only allow approved users/processes to access data. This can be used to allow the business application to see its data, but the administrator to only see cyphertext, if anything at all. This means that admins can be monitored and limited from access to data, while still being able to perform needed tasks.

When looking to mitigate and control your privileged users so that you can keep your organization out of the media headlines around data breaches, the best method is almost always to address the problem at its root...the data itself. By taking an "inside-out" approach to security and focusing on the end-goal of data first, you can deliver a much more refined, and secure, solution.

More Stories By Sol Cates

Sol Cates (@solcates) was promoted to the role of CSO at Vormetric in February 2013. As CSO, he is responsible for ensuring Vormetric’s internal security profile remains robust while also understanding how security is perceived and used by IT/IS and how it drives technical decision making and buying behavior at the boardroom level. Cates partners with teams through the company to engage both customers and partners, and he speaks publicly to elevate industry understanding of data security best practices in today’s complex cyber threat landscape. The technical depth and understanding of the information security space Cates has developed over the last 17 years is rooted in the intelligence community, financial services industry and other large enterprise organizations. He originally joined Vormetric in 2003, when he spent four years as a systems engineer. After holding a similar role at SignaCert (acquired by Harris) for three years, Cates returned to Vormetric in November 2009 as director of field engineering and solutions architecture. In this role, he grew and led a world-class technical sales team to great success, by installing understanding of the business, not just the technology. As an active problem solver, he built the original prototype of Vormetric Toolkit, which enables enterprise and cloud service provider (CSP) customers to automate and accelerate their data security deployments. Cates’ career also includes technical sales, engineering and support leadership roles at Tripwire, Symantec and Spectra Physics. Cates has developed many real-world solutions for customers, including iPhone and Android applications as well as elastic SaaS platforms.

@ThingsExpo Stories
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
The idea of comparing data in motion (at the sensor level) to data at rest (in a Big Data server warehouse) with predictive analytics in the cloud is very appealing to the industrial IoT sector. The problem Big Data vendors have, however, is access to that data in motion at the sensor location. In his session at @ThingsExpo, Scott Allen, CMO of FreeWave, discussed how as IoT is increasingly adopted by industrial markets, there is going to be an increased demand for sensor data from the outermos...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at 20th Cloud Expo, Ed Featherston, director/senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2017 New York. The 20th Cloud Expo and 7th @ThingsExpo will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Internet to enable us all to im...
Whether your IoT service is connecting cars, homes, appliances, wearable, cameras or other devices, one question hangs in the balance – how do you actually make money from this service? The ability to turn your IoT service into profit requires the ability to create a monetization strategy that is flexible, scalable and working for you in real-time. It must be a transparent, smoothly implemented strategy that all stakeholders – from customers to the board – will be able to understand and comprehe...
"Once customers get a year into their IoT deployments, they start to realize that they may have been shortsighted in the ways they built out their deployment and the key thing I see a lot of people looking at is - how can I take equipment data, pull it back in an IoT solution and show it in a dashboard," stated Dave McCarthy, Director of Products at Bsquare Corporation, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
What happens when the different parts of a vehicle become smarter than the vehicle itself? As we move toward the era of smart everything, hundreds of entities in a vehicle that communicate with each other, the vehicle and external systems create a need for identity orchestration so that all entities work as a conglomerate. Much like an orchestra without a conductor, without the ability to secure, control, and connect the link between a vehicle’s head unit, devices, and systems and to manage the ...
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
Everyone knows that truly innovative companies learn as they go along, pushing boundaries in response to market changes and demands. What's more of a mystery is how to balance innovation on a fresh platform built from scratch with the legacy tech stack, product suite and customers that continue to serve as the business' foundation. In his General Session at 19th Cloud Expo, Michael Chambliss, Head of Engineering at ReadyTalk, discussed why and how ReadyTalk diverted from healthy revenue and mor...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...
Unsecured IoT devices were used to launch crippling DDOS attacks in October 2016, targeting services such as Twitter, Spotify, and GitHub. Subsequent testimony to Congress about potential attacks on office buildings, schools, and hospitals raised the possibility for the IoT to harm and even kill people. What should be done? Does the government need to intervene? This panel at @ThingExpo New York brings together leading IoT and security experts to discuss this very serious topic.
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
"Dice has been around for the last 20 years. We have been helping tech professionals find new jobs and career opportunities," explained Manish Dixit, VP of Product and Engineering at Dice, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
"ReadyTalk is an audio and web video conferencing provider. We've really come to embrace WebRTC as the platform for our future of technology," explained Dan Cunningham, CTO of ReadyTalk, in this SYS-CON.tv interview at WebRTC Summit at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
"At ROHA we develop an app called Catcha. It was developed after we spent a year meeting with, talking to, interacting with senior citizens watching them use their smartphones and talking to them about how they use their smartphones so we could get to know their smartphone behavior," explained Dave Woods, Chief Innovation Officer at ROHA, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.