Reinforcing the Identity Perimeter

June 16, 2016 Sigalit Kaidar


Identities and their credentials are considered to be a major vulnerability. It’s been well documented that nearly all advanced attacks investigated involved stolen credentials, and whenever possible, attackers go after privileged credentials. So it comes as no surprise that companies seek to reinforce new identity perimeters by extending their IAM solution’s visibility and control to privileged users, applications and access entitlements.

As part of the C³ Alliance, leading Identity and Access Management (IAM) solution providers have integrated their solutions with CyberArk Privileged Account Security to give mutual customers unified identity and access governance solutions for all identity types – privileged and non-privileged users and applications.

With the joint solution in place, companies can fully manage privileged users and application entitlements lifecycles through their IAM solution. They can effectively create, review and approve privileged user access permissions based upon group affiliations, roles and other commonalities directly from the IAM solution. What’s more, all privileged access requests are verified using an automated approval workflow.

To address common risks and challenges, companies can update user or group access privileges directly from the IAM solution to avoid orphan privileged accounts, privileged entitlement creep and excessive privileged permissions. Consider this scenario: an Oracle Database Administrator, who is a privileged user, is also granted access to MS-Windows domain accounts while retaining previous access privileges to root accounts. This dual access may constitute a Segregation-of-Duties (SoD) violation, which can result in more than a failed audit. Leveraging the CyberArk integrated solution, the IAM system will be able to alert on SoD violations so that user access permissions can be updated. Performing periodic reviews and re-certification of privileged access directly from IAM is also possible.
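As an added illustration of the checks described above (SoD conflicts, orphan privileged accounts and entitlements beyond a role’s baseline), here is a small Python review routine; it is a constructed example, not CyberArk’s or any IAM vendor’s code, and the rule set, role baselines, identities and account names are all assumptions.

```python
"""Constructed privileged-access review: SoD, orphan accounts, excess rights."""
from dataclasses import dataclass, field

# Assumed policy: pairs of privileged entitlements that must not be held together.
SOD_RULES = {
    ("oracle-dba", "windows-domain-admin"),
    ("oracle-dba", "unix-root"),
}

# Assumed role baselines: the entitlements each role is expected to carry.
ROLE_BASELINE = {
    "dba": {"oracle-dba"},
    "sysadmin": {"unix-root", "windows-domain-admin"},
    "scanner-app": {"vuln-scanner-svc"},
}

@dataclass
class Identity:
    name: str
    role: str
    active: bool
    entitlements: set = field(default_factory=set)

def sod_violations(identity):
    """Conflicting entitlement pairs this identity currently holds."""
    held = identity.entitlements
    return {(a, b) for a, b in SOD_RULES if a in held and b in held}

def excess_entitlements(identity):
    """Entitlements beyond the role baseline (entitlement creep)."""
    return identity.entitlements - ROLE_BASELINE.get(identity.role, set())

def orphaned_accounts(identities, privileged_accounts):
    """Privileged accounts whose owner is unknown to IAM or deactivated."""
    owners = {i.name: i for i in identities}
    return sorted(acct for acct, owner in privileged_accounts.items()
                  if owner not in owners or not owners[owner].active)

def review(identities, privileged_accounts):
    """Flat list of findings, suitable for feeding an IAM certification campaign."""
    findings = []
    for i in identities:
        findings += [f"SOD {i.name}: {a} + {b}" for a, b in sorted(sod_violations(i))]
        findings += [f"EXCESS {i.name}: {e}" for e in sorted(excess_entitlements(i))]
    findings += [f"ORPHAN {acct}" for acct in orphaned_accounts(identities, privileged_accounts)]
    return findings

# Constructed sample data mirroring the post's DBA scenario.
IDENTITIES = [
    Identity("alice", "dba", True, {"oracle-dba", "windows-domain-admin", "unix-root"}),
    Identity("bob", "sysadmin", False, {"unix-root"}),      # deactivated, still owns root@db01
    Identity("carol", "scanner-app", True, {"vuln-scanner-svc"}),
]
PRIVILEGED_ACCOUNTS = {"oradba@db01": "alice", "root@db01": "bob",
                       "svc_scan": "carol", "admin@dc01": "dave"}  # dave is unknown to IAM
```

Running `review(IDENTITIES, PRIVILEGED_ACCOUNTS)` on the sample data reports Alice’s two SoD conflicts, her two entitlements outside the DBA baseline, and the two orphaned accounts.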

To effectively manage all privileged identities, accounts used by commercial-off-the-shelf (COTS) applications and custom/in-house applications must also be considered. Many organizations overlook the fact that these applications are also granted administrative privileges to access many assets on the network. Whether it’s a financial management application, inventory discovery software or a vulnerability and compliance management solution, they are all granted administrative privileges by the organization to access sensitive assets on the network.

For example, in order for a vulnerability assessment tool to execute an authenticated scan, a domain admin account or a service account credential is used to access the file system on the target machine. Therefore, IAM solutions should also provide users with visibility and control of access permissions for applications. Defining application access permissions and the ability to manage these accounts automatically is key, as well as enforcing any permission changes to ensure the application can only access authorized assets.

To learn more about CyberArk partnerships with leading IAM vendors, click here
