Privileged Credentials in COTS Applications: What IT Pros and Their Application Providers Need to Know Now
December 4, 2015 | Security and Risk | Adam Bosnian
Organizations recognize the importance of locking down privileged account access. As they proactively build enterprise-wide security programs, they also increasingly understand this access is not limited to users with a “heartbeat.” Third-party, commercial off-the-shelf (COTS) applications often require the same level of access to privileged accounts that an IT Administrator or DBA needs to do his or her day-to-day work.
In the case of a COTS application, the credentials are used to gain access to a given target in order to perform a task – such as resetting a service, conducting a vulnerability scan or initiating a backup. From a risk perspective, it’s important to understand not only that this is the same level of powerful admin access, but also how pervasive an application’s access is across an organization. Considering that the number of COTS applications within an enterprise can be in the thousands, and the types of key processes that these apps repeatedly perform on a daily basis, the magnitude of risk to the enterprise starts to become clear.
The fact that the privileged credentials accessed by applications are often not well maintained, managed, secured or even tracked exacerbates the risk. Why aren’t these credentials better managed? There are a number of reasons. For example, they are not frequently updated because it’s a cumbersome process if it’s not automated. IT admins don’t always want to change embedded passwords because they don’t know what other systems could be negatively impacted. In that case, operations takes priority over security. Some vendors even tell companies not to change the credentials because they don’t know what will happen. That’s scary to us and inviting to a potential attacker.
So with this in mind, you might ask again, ‘why does an application need to reach out and log in to a target system?’ There is a wide range of critical functions, including:
- Restart a service
- Set a policy
- Provision an SSL certificate
- Do a vulnerability scan
- Define identity configurations
- Do an asset discovery
- Initiate a backup
- Validate a service ticket
- Import/Export data
- Execute DevOps read/writes
Based on this, a growing number of our customers now have a ‘mandate’ to improve privileged credential management horizontally – across all ‘people’ users as well as applications that leverage privileged access. To address the latter requirement, customers often ask us to work with their application vendor to ensure they can effectively meet this mandate. Customers want the application’s credentials to be secured and managed via their existing CyberArk deployment.
The types of applications that customers have asked to work with CyberArk to securely retrieve and use privileged credentials include:
- Vulnerability Management
- IT Operations Management
- Data Backup
- IAM/Governance Tools
- Configuration Management
- Data Management/ETL applications
- Cloud tools
As a result, we have a rapidly growing roster of technology partners that integrate with CyberArk via our Application Identity Manager API. This allows the application vendors to focus on their core competencies, while leveraging the privileged credential management expertise and capability that CyberArk provides to more than 2000 customers worldwide. In addition, they’re delivering this integration to market and using it as a competitive differentiator.
Collectively, this is a positive development in the market. Customers have a better understanding of cyber security risks and increasingly take proactive measures to mitigate risk. Technology vendors are beginning to do the same. Enterprise security requires a collaborative approach that extends beyond any one vendor and customer. Better integration and informed decisions improve the entire technology ecosystem.
Technology vendors interested in integration opportunities with CyberArk should contact us directly for more information: https://www.cyberark.com/contact/.