Privileged Identity Management News Line January 2012

Top of Mind

Happy New Year and Welcome to a New Release of E/RPM

Philip Lieberman, President & CEO
Lieberman Software

Over the last 6 months we have worked with customers to complete an astonishing range of implementations. As part of this work, we tried to learn something from each customer and roll those requested features, lessons, and needed improvements into the latest version of our product. The revision history list we put up on the web site barely scratches the surface of the evolutionary work accomplished by our development team.

Overall we added a ton of new features, made configuration of complex environments much easier by providing import/export of configuration settings, added Windows DSRM support, SAP support, improved SSH speed by 20x-50x, further improved scalability and speed for monster-sized enterprises, cloud providers, ISP and MSPs. We also made major changes to the web application to organize and display vast amounts of per-system and per-account data. We even spruced up the web interface to provide easier skinning. And, of course, lots of bug fixes, more targets for propagation, reworking of dialogs per customer feedback, and improvements in just about every area of the product.

There were a few things we were working on that did not make the final release schedule in December, but we are working on a slipstream release of 4.83.3 with updated documentation. We are hoping that a few of the features we were not able to get into the December general release make it into the slipstream release coming out in the next few weeks.

Do You Store Sensitive Data on Shared Spreadsheets?

Hint: Something New in 4.83.3 Has Shipped…

Do you store your sensitive credentials and other secrets on spreadsheets or in Microsoft SharePoint, Lotus Notes, or other shared file repositories? One of our customers was faced with a scenario of having over 500+ spreadsheets containing sensitive data. After an audit, their auditors were not happy that there was no real tracking or need for employee justification for access to sensitive spreadsheet information. Further, spreadsheets provided no way to achieve the disclosure of the minimal amount of information for specific purposes. Does any of this sound familiar (i.e. too much access to information without any justification)?

To solve this problem, version 4.83.3 of both ERPM and RPM adds a new module (free upgrade to existing customers under support) called the Password Spreadsheet Manager (PSM) module. This module allows you to mass import all of your sensitive data spreadsheets (CSV files), mass import permission rules for the sheets (CSV files), and use the existing access, authorization, auditing, encryption, and integrations of ERPM and RPM to control access to the data.

The outcome of using this new module is the total removal of unsecure spreadsheets floating around, controlled and audited access to specific rows (minimal knowledge and minimal disclosure) of data, and the solution to a big problem. Because we are using a serious database for our backend storage and because we don’t license by users, administrators or secrets, you can store an unlimited amount of information accessed by an unlimited number of users and administrators for no extra cost if you already own RPM or ERPM.

But I already have a Secure File Vault…

You might wonder why Password Spreadsheet Manager is needed if we already provide a secure and encrypted file vault/file store in our product.

Simple: Once someone checks out a spreadsheet file, you really don’t know who has seen/shared access the data, and to a degree, you don’t know how the specific pieces of information on the spreadsheet will be used (limited accountability). Spreadsheet files, once they are transferred from a secure storage system give up all their secrets in one shot. Without any sort of Digital Rights Management (DRM) on the file, it can be shared, printed, etc.

With spreadsheets, you also lose track of which rows of secret data were used for which purposes. By converting public spreadsheets into collections of encrypted rows of data where each sheet and specific row needs to be requested/recovered/justified, you now have a system that provides accountability and audited controls. The secrets on the spreadsheet might be passwords, but they could just as well be PIN codes, phone numbers, account numbers, or any other piece of sensitive information that you need to control access to.

Solutions to simple problems are important

Although we are well known for our sophisticated technology for privileged identity management with features like auto-discovery, correlation and propagation; sometimes just getting rid of an out-of-control information proliferation problem is just what the doctor ordered.

Standalone Password Spreadsheet Manager

We will be offering the PSM module with our secure file storage system as a standalone product in Q1 2012 at a very attractive price. We will have more details about the standalone version in an upcoming newsletter.

What do you think? Email me at: phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Tech Tip of the Month

Upgrade to ERPM 4.83.3 or RPM 4.83.3!

If you are an existing Enterprise Random Password Manager (ERPM) or Random Password Manager (RPM) customer, we STRONGLY recommend you upgrade to the new version. There is so much more functionality and flexibility in this release. Download the new installer package, run it, and upgrade the website - it's that simple!

To upgrade, please contact your account manager for the download link.

Events / Press / Analysts

RSA Conference 2012. February 27 - March 2 @ San Francisco, CA. Come by and visit us in Booth #341. We would be happy to demonstrate our solutions to you!

InfoSec World 2012. April 2-4 in Orlando, FL. We will be in Booth #306 - stop by and visit if you will be attending this show. Get 10% off your registration by using the code OS12/VDIS when registering. Or, get your FREE EXPO-PLUS PASS on us!

Microsoft Management Summit 2012. April 16 - 20 at The Venetian, Las Vegas, NV. This is the only conference dedicated to Microsoft System Center users and partners. Visit our booth to see how we integrate with Microsoft System Center Configuration Manager, Operations Manager and Service Manager.

Infosecurity Europe 2012. April 24-26 in London, UK. Don't miss Europe's Number 1 Information Security Event. We welcome you to visit us in our prime location on the show floor: Booth #D22.

Microsoft TechEd North America. June 11-14 in Orlando, FL. Attend this conference to learn about Microsoft's current and soon-to-be-released suite of products, solutions, tools, and services.

Preventing ITIL Failure in Four Easy Steps. TechWeek. Twenty years on, ITIL best practice is still widely used and implemented. Philip Lieberman explores the pitfalls that may lead to failure and offers ways to prevent it.
Poor security exposes voice mail to hacking, finds study. The Economic Times. ... much of the digital technology that protects the privacy of cellphone calls was developed in the 1980s and 1990s and is ripe for attack.

The pros and cons of information sharing. FierceCIO. Sharing information about data breaches with the government and fellow corporations is the right thing to do, isn't it? There's a difference of opinion on this one, and it is exemplified by the positions of Peter George, president and CEO of Fidelis Security Systems, and Philip Lieberman, president and CEO of Lieberman Software.

In-depth: Security predictions for 2012 part one. MicroScope.co.uk. To get an insight into what is on the horizon in the security market next year we have canvassed opinion from several companies to find out what those in the industry think is round the corner in 2012.

One in four IT security staff abuse admin rights, survey shows. ComputerWeekly.com. At least one in four IT security staff use their privileged login rights to look at confidential information, a survey has revealed. More than a quarter of the 300 IT professionals polled in the latest annual password survey by identity management firm Lieberman Software said they could not resist peeking at redundancy lists, payroll information and other sensitive data including, for example, Christmas bonus details.

Unraveling The Riddle Of Privileged Identity. Dark Reading. Some argue for monitoring to take a greater role in refining privileged identity policies, but root accounts pose problems.

Password apathy common among IT workers, survey finds. Federal Computer Week. Many IT professionals are apathetic about changing their enterprise passwords and lack rudimentary understanding of IT security, particularly in the areas of password control and privileged log-ins, according to a survey.

How Filipino phreakers turned PBX systems into cash machines for terrorists. Ars Technica. A quartet of hackers based in the Philippines have allegedly bilked AT&T and possibly other telecommunications companies out of millions, which they channeled to their own bank accounts and to accounts associated with a terrorist organization. And apparently, AT&T helped them collect the money.

Four rising threats from cybercriminals. CSO. Criminal hackers never sleep, it seems. Just when you think you've battened down the hatches and fully safeguarded yourself or your business from electronic security risks, along comes a new exploit to keep you up at night. It might be an SMS text message with a malevolent payload or an errant signal designed to jam GPS receivers.

Is the Firefox 10 silent update feature a good thing? Help Net Security. Mozilla is planning to implement silent background updates in the upcoming version of Firefox 10, which could be very bad news on the security front, according to Philip Lieberman, CEO of Lieberman Software.