Privileged Credentials within Commercial off-the-shelf (COTS) Applications Creates an Exponential Security Threat
CyberArk’s Executive Vice President Adam Bosnian regularly talks to customers, partners and security experts. He is also frequently invited to conferences to address security trends, so we’d like to share some of his recent insights.
Q1: What trends do you see in the market related to privileged account security?
Adam: Most information security professionals recognize that the cyber security battleground has shifted from the network perimeter to the inside of the enterprise. Often attackers seek to exploit privileged accounts specifically, given the extensive control and access to sensitive data they provide. As a result, the need to secure, manage and track privileged account access is increasingly understood and accepted. Many C-level security professionals have enterprise-wide mandates to address what is now viewed as a horizontal risk.
Despite this widespread understanding of the importance of locking down privileged account access, some continue to equate privileged credentials with IT admin users alone. The reality is that access is not limited to users with a “heart beat,” and in fact, many COTs applications often require the same access to privileged accounts. Recognition of this security risk is growing, and we’ve had a number of our customers and software application partners contact us to help them more effectively address this vulnerability. Ultimately, an enterprise-wide privileged access mandate should cover all “sources” of privileged users/access to be effective.
Q2: So, COTS applications use the SAME level of privileged access to target systems as IT Admins?
Adam: Yes they do, and awareness of this security vector is low, but growing. Many COTS applications require some privileged access to perform necessary functions. Whether it is a vulnerability or asset discovery application or an IT operations management service, administrative privileges are provided by the organization to access virtually every asset on the network.
These privileged credentials are usually defined once for each application and reside in applications or scripts, or they are stored in configuration files within networks, servers and databases. With hundreds of commercial application privileged credentials to manage manually, and for the sake of operational simplicity, these credentials have remained unchanged.
As a result, each application becomes a significant threat and potential pathway for cyber attackers. Understanding the relationship between privileged credentials and COTS applications has become an “ah- ha” moment for our customers and partners. They want to have a centralized credential management system in place covering all types of access regardless if by an IT user or COTS application.
Q3: How should organizations secure critical COTS applications?
Adam: They should stop using credentials that are statically stored in the COTS application, databases scripts, or are stored in configuration files as they can easily be captured by attackers. They need a system to automatically manage, secure and rotate credentialed access to privileged accounts.
Companies will often start with a discovery process to inventory the applications they have organization-wide and pinpoint what vulnerabilities exist. There are tools specifically designed to scan the entire IT environment to find privileged user AND application accounts, and the associated credentials. A growing number of customers have asked the application vendors they use (often our partners) to work with us to securely manage the access their applications require.
For example, CyberArk offers integrations of CyberArk Application Identity Manager™ with leading commercial IT applications. Together, we help our shared customers to eliminate credentials (passwords and SSH keys) from commercial applications, application scripts and/or configuration files. Instead they store them in the CyberArk Digital Vault® and automatically rotate the credentials used to authenticate to the organization’s target systems. With CyberArk Application Identity Manager, organizations will not only reduce the risk of unauthorized application credentials usage and be able to detect and alert on credential usage anomalies, but will also simplify credentials management.
Q4: Is this focus on securing applications new?
No. In fact, CyberArk Application Identity Manger has been available and used by many of our customers for years. Early on, companies used to manage in-house applications with this product, but as awareness around the security risks associated with privileged accounts increases, companies are paying closer attention to vulnerabilities associated with COTS applications as part of their holistic privileged account security strategy.
To learn more about how CyberArk can help you address your privileged account risk and secure privileged credentials accessed by both users and applications, download our free eBook, Seven Things To Consider When Evaluating Privileged Account Security Solutions.