Application Credentials: The Hidden Attack Pathway into Your Organization
December 1, 2016 | Endpoint | Sigalit Kaidar
Today, it’s well understood that credentials belonging to IT administrators, business users, partners and others with high levels of network access are critical for gaining unauthorized access to key systems, and ultimately, the heart of the enterprise. As we’ve explored previously, too many organizations continue to equate privileged credentials with IT administrators alone. The reality is that privileged access is not limited to users with a “heartbeat.”
Every day, countless applications across the enterprise use privileged credentials to connect to sensitive resources. Sought after and exploited by cyber attackers when left unprotected, these application credentials include SSH keys and hard-coded, embedded passwords. For a number of reasons, many of the privileged credentials accessed by applications are not well managed, secured or even tracked. Though IT security teams increasingly realize the importance of shoring up the security of privileged credentials used by applications, the process can understandably seem complex, time-consuming and overwhelming.
The key to implementing an effective privileged account security program for applications is to create a comprehensive, long-term plan, but to start small. Tackling the initiative piece by piece will help your IT security team mitigate risk, build repeatable processes and demonstrate “quick wins” that will help garner further support from key stakeholders.
To do this, it’s important to understand that not all applications are created equal. Most enterprise applications can be classified into two distinct tiers based on their availability level and risk level:
- Tier 1: Business/mission-critical, high availability applications, such as consumer-facing web applications, are integral to an organization’s operations, and if they fail they can cause significant financial or reputational damage. They often enable access to an organization’s most sensitive resources, and as such, need to be protected and available 24x7x365.
- Tier 2: These applications are also critical to an organization’s operations, yet do not need to be “always on.” Examples include scripts or applications that perform simple, often automated tasks, such as running a scheduled backup script on Windows.
CyberArk Application Identity Manager™ offers a variety of flexible deployment options to protect privileged credentials linked to each application tier. This gives organizations the ability to approach privileged account security initiatives in manageable pieces, beginning with a specific kind of application, such as Commercial Off the Shelf (COTS) applications or J2EE application servers (such as IBM WebSphere, Oracle WebLogic, JBoss and Tomcat), then scaling over time as program milestones are successfully completed.
Our recent eBook, “An Attack Pathway into Your Organization? There’s an App for That,” explores these deployment options in detail, while offering actionable recommendations for improving privileged credential security, management and compliance. We invite you to download the eBook here.