Welcome!

Agile Computing Authors: Liz McMillan, Pat Romanski, Elizabeth White, Dana Gardner, Andy Thurai

Related Topics: Agile Computing

Agile Computing: Blog Post

With Great Power Comes Great Responsibility: Managing Privileged Users

How to Mitigate Negative Outcomes from Privileged User Access

Since the advent of the SuperUser, there has been a thorn in the side of Information Security. Administrators must be able to perform system management functions, but systems have been designed to grant them access far beyond what they actually need to do their jobs. As a result, IT has had to come up with crafty ways to help mitigate who has access to privileged accounts and the underlying data in those accounts. They have tried everything from password management, to keystroke logging, to change control procedures, to privileged user management (such as sudo, powerbroker, etc.).

However, all of these approaches have focused on either "who" can become a privileged user or "how" they can access sensitive data. In essence, they've been missing the point, which is much more about what the privileged user is able to do with data.

If you are wrestling with how to mitigate negative outcomes from privileged user access to data (and attackers who wish to exploit privileged users), here are a few different methods to consider:

  • Password Management - Create a process where privileged users must check out a password after going through an approval process, usually a change control system. (This mitigates an individual admin from just jumping into the system at will, but does not control what they can do, or if a vulnerability is abused in the system.)
  • Privileged User Management - Tools like sudo can be used to control who can run what commands as a privileged user (i.e. - jsmith can run mount as root to mount file systems). This controls individual admins to a limited set of commands, but the sudo configuration is still managed by a full root user, and doesn't control access to data, as root.
  • Keystroke Logging - Commonly used to watch what an individual does on a system, and is seen to be a very cumbersome method.
  • Data Firewalling - A tool like Vormetric Data Firewall is an effective last line of defense because it employs a separation of duties from data, all driven by policy. It uses transparent encryption (failsafe), integrated key management (no keys known to individuals), and a criteria-effects rule set to only allow approved users/processes to access data. This can be used to allow the business application to see its data, but the administrator to only see cyphertext, if anything at all. This means that admins can be monitored and limited from access to data, while still being able to perform needed tasks.

When looking to mitigate and control your privileged users so that you can keep your organization out of the media headlines around data breaches, the best method is almost always to address the problem at its root...the data itself. By taking an "inside-out" approach to security and focusing on the end-goal of data first, you can deliver a much more refined, and secure, solution.

More Stories By Sol Cates

Sol Cates (@solcates) was promoted to the role of CSO at Vormetric in February 2013. As CSO, he is responsible for ensuring Vormetric’s internal security profile remains robust while also understanding how security is perceived and used by IT/IS and how it drives technical decision making and buying behavior at the boardroom level. Cates partners with teams through the company to engage both customers and partners, and he speaks publicly to elevate industry understanding of data security best practices in today’s complex cyber threat landscape. The technical depth and understanding of the information security space Cates has developed over the last 17 years is rooted in the intelligence community, financial services industry and other large enterprise organizations. He originally joined Vormetric in 2003, when he spent four years as a systems engineer. After holding a similar role at SignaCert (acquired by Harris) for three years, Cates returned to Vormetric in November 2009 as director of field engineering and solutions architecture. In this role, he grew and led a world-class technical sales team to great success, by installing understanding of the business, not just the technology. As an active problem solver, he built the original prototype of Vormetric Toolkit, which enables enterprise and cloud service provider (CSP) customers to automate and accelerate their data security deployments. Cates’ career also includes technical sales, engineering and support leadership roles at Tripwire, Symantec and Spectra Physics. Cates has developed many real-world solutions for customers, including iPhone and Android applications as well as elastic SaaS platforms.

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. ...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of ...