How multiple platforms impact user privileges

Jul 22, 2015





Windows has always come with its share of vulnerability and malware threats. Android has issues with malicious apps getting through too easily. And we can no longer say with confidence that Apple products are immune from infections or attacks, as vulnerabilities in its software are being found too frequently. Privilege management is finally gaining some traction to stem insider threats, but, for the most part, only addresses Unix/Linux and Windows OSs, due to their dominance in the enterprise.

Providing options while maintaining order

The addition of iOS and Android into the workplace has complicated the management of user privileges. According to Morey Haber, Vice President of Technology with BeyondTrust, the first challenge is the paradigm for interfacing with each platform. For Unix and Linux, user interaction is primarily through the command line, while OS X and Windows are almost always graphical (with maybe a small percentage of PowerShell on Windows). This requires two different methodologies for targeting applications, he explained. The simplest solution is to consolidate the monitoring and reporting of user activity so that, regardless of how a user interacts with a platform, a single report documents all activity regardless of interface.
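The consolidation Haber describes can be shown in code: a command-line privilege event (a Linux sudo syslog line) and a graphical one (a Windows elevated-process record) are mapped onto one shared schema and reported per user. This is an added illustration, not code from the article or from BeyondTrust; the two sample events are constructed and their formats are approximations of the real ones.

```python
import re
from collections import defaultdict

# Constructed sample events (formats approximate real sudo syslog and Windows 4688 output).
LINUX_SUDO_LINE = (
    "Jul 22 10:14:03 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart postgresql"
)
WINDOWS_ELEVATION_RECORD = {
    "TimeCreated": "2015-07-22T10:16:41",
    "Computer": "ws17.corp.example",
    "SubjectUserName": "CORP\\alice",
    "NewProcessName": "C:\\Windows\\System32\\mmc.exe",
    "TokenElevationType": "%%1937",  # %%1937 = fully elevated token in event 4688
}

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def normalize_sudo(line):
    """Map a sudo syslog line onto the shared privileged-activity schema."""
    m = SUDO_RE.match(line)
    if not m:
        return None  # not a sudo command record; caller skips it
    return {"time": m["ts"], "host": m["host"], "user": m["user"],
            "interface": "cli", "privilege": m["target"], "action": m["cmd"]}

def normalize_windows(rec):
    """Map a Windows elevated-process record onto the same schema."""
    # Strip the domain prefix so 'alice' matches the Linux account name.
    user = rec["SubjectUserName"].split("\\")[-1].lower()
    elevated = rec.get("TokenElevationType") == "%%1937"
    return {"time": rec["TimeCreated"], "host": rec["Computer"], "user": user,
            "interface": "gui", "privilege": "Administrator" if elevated else "standard",
            "action": rec["NewProcessName"]}

def consolidated_report(events):
    """Group normalized events by user so one report covers every interface."""
    report = defaultdict(list)
    for ev in events:
        if ev is not None:
            report[ev["user"]].append(ev)
    return dict(report)

if __name__ == "__main__":
    events = [normalize_sudo(LINUX_SUDO_LINE), normalize_windows(WINDOWS_ELEVATION_RECORD)]
    for user, acts in consolidated_report(events).items():
        print(user, [(a["interface"], a["privilege"], a["action"]) for a in acts])
```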

Less frustration, more consolidation

The second challenge: users themselves. “Different platforms have their own native authentication stores and provide loose integration into other directory services,” Haber said. “Managing user privileges on multiple platforms, while using only native OS tools, typically requires that each platform have accounts for the same user. This is an undesirable security and implementation practice.”

Instead, it is best to use a tool like an Active Directory Bridging solution to consolidate all user accounts in Active Directory such that user privileges, regardless of platform, can be managed in one location to streamline privilege management and minimize account stores.

Role-based access

The third challenge focuses on role-based access. Many embedded platforms and infrastructure technologies do not have granularity for role-based access or permissions, Haber pointed out, which means the security model is typically all or nothing and defining user privileges is impossible.

“The only way to manage them is by controlling session access and performing strict auditing when privileged access does occur including the automatic rotation of passwords, keystroke logging, and session recording of all user activity,” Haber said. User access typically cannot be associated with an identity unless a proxy solution is used to gain access as well.

Challenges posed by BYOD

Finally, there is the unique set of challenges presented by mobile devices and the rise of BYOD in the office setting. Android, iOS, and Windows Mobile do not have a concept of multiple users, role-based access, or even proper access logging, said Haber. Yet these platforms are found regularly within organizations, remotely connecting to internal systems from within the corporate network and via web-based applications and VPN.

What is worse, Haber added, these operating systems are not just on mobile phones.

“They are finding their way into point of sale terminals, printers, and even security solutions,” he said. “Without the foundation to manage these operating systems with security best practices, they merely become hardened kiosks with little to no real management tools to provide visibility into user (or malware) activity. For example, have you ever seen a SIEM collect user activity from an iOS or Android device? Probably not, since there are no APIs or logs that can be easily parsed and forwarded as required by security best practices.”

The growth of PAM

So how can the security of multiple platforms be best addressed? On the heels of a series of high-profile breaches that can be attributed to malicious insiders or cyber-attackers who gained access to victim organizations using insider credentials, the Privileged Access Management (PAM) market is experiencing tremendous growth, explained Renee Bradshaw, Manager of Solutions Strategy at NetIQ, the security portfolio of Micro Focus. Companies with a small IT department may want to consider turning to PAM solutions that help them establish controls around privileged access.

“With their emphasis on securing user passwords, controlling access to shared accounts, managing privileged sessions, and controlling what activities can be performed by administrators, security solutions that fall within the PAM market are good choices to implement when looking to strengthen controls around privileged access and activity,” Bradshaw said.

With respect to the problem of multiple platform coverage, it’s important to look for a solution that supports these PAM capabilities for all credential-based systems that access your IT environment, Bradshaw added. “This ensures you will be able to manage and monitor privileged user activity across business-critical applications, cloud services, platforms and databases, regardless of where they reside.”

When it comes to privilege management, the ideal approach is both pragmatic and proactive. “Deploy privileged access management solutions that enforce the principle of least privilege,” said Bradshaw, “while also monitoring access and activity to ensure that privileges are being used appropriately.”

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.