by Adam Bosnian
After years in the works and a number of recent twists and turns in the story and production, the Broadway show “Spider-Man: Turn Off the Dark” finally opened in New York City last night to an eagerly-awaiting crowd of Spidey and U2 fans. The show is amazing, with acrobatics unmatched elsewhere on Broadway and powerful music with Bono’s and The Edge’s unmistakable signature vibe. With countless stories detailing the problems the show has faced with a re-write of major portions, injuries to actors, technical and mechanical difficulties, the show endured plenty of pains before being ready for prime-time. That said, this blog entry isn’t a review of the show’s performance; you can find plenty of them here, here and here.
Rather, the revival of Spiderman in the form of a Broadway show actually ties into the lives of IT professionals in many ways – whether purely as comic book fans or as an analog to the superheroes in the server rooms responsible for enterprise systems’ performance and security. This especially holds true in the area of privileged identity management, where Uncle Ben’s proclamation, “with great power there must also come great responsibility” resonates so clearly. If not managed or monitored properly, the power of privilege and the pervasiveness of embedded credentials and admin accounts pose a significant threat to data security and business performance.
It’s an operational and compliance imperative for companies to “Turn off the Dark” and shine a spotlight on their privileged users, applications and sensitive information. Understanding where all the accounts and identities are, what they have access to – and what’s done once that access is gained — is a crucial step toward asserting better control of all these accounts and ensuring their appropriate use. The privilege problem is more widespread than you probably think. It’s not just about protecting your customer data base or credit card information; it’s about understanding all of the threat vectors and how to stop them. At a time when the perimeter is disappearing, the workforce is increasingly mobile and a plethora of devices and systems tie into corporate networks, a security superhero’s job is never done.
For instance, consider recent headlines about Cisco’s videoconference products that contain vulnerable credentials hard-coded into the software that open the door for someone to gain access to the system. Stuxnet gained notoriety by leveraging embedded credentials in programmable logic controllers from Siemens software, and was used to knock out centrifuges in Iran late last year. As security professionals, it’s time to think beyond the perimeter and the ‘usual targets’ to realize that so many things in our every day lives come equipped with hard-coded passwords or weak admin accounts that afford backdoor access to high-value systems, networks and databases.
The power of these privileged accounts, identity and information needs to be understood and transparently controlled. Whether your Green Goblin is an embedded credential, your Dr. Octopus is a shared account or your Venom is an admin account, you’ve got to use your web-slinging skills to vanquish these villains and restore order to your business before it’s too late. Like Spider-Man, you may not be appreciated by the editor of the Daily Bugle for all the work you do to keep your city safe, but it’s still vitally important to doing what’s right for your company and its citizens.
So, are you a security Spider-Man? What menace do you face each day?