Lieberman Software

PRIVILEGED IDENTITY MANAGEMENT NEWS LINE
June 2010

Top of Mind
A Story About Passwords… And Claims of a Sole Sourced Solution

Philip Lieberman, President & CEO
Lieberman Software


Our primary competitor in privileged identity management recently claimed (to a customer and major analyst firm) that they are the only vendor on the planet that can manage application passwords; therefore, no other solutions should be considered. 

Unfortunately for the competitor, the analyst decided to check the facts, and what do you know? Lieberman Software has been providing enterprise level privileged application credential management for years. So much for sole-sourced purchasing.

Background: What is Application Password Management?
Just as you might log on to a system with user credentials, applications also must log on or be verified to gain access to critical resources using operating system, database, and locally stored credentials. How does an application know which credentials to use?

Applications typically store the credentials in a variety of formats: sometimes the credentials are encrypted (good), sometimes stored in plain text files (not good), and sometimes even compiled into the applications themselves (scary bad).

Given that credentials used by applications can change behind the back of the application (due to password change mandates), the application must be updated to use the new credentials – immediately.

[Tip from the trenches: Updating application passwords on multiple systems concurrently can be a time-critical operation with many dependencies, and it requires a human to be actively involved in monitoring as well as controlling the change process. Because not all changes can be accomplished at exactly the same time, and some resources may be off-line or non-responsive, the change process should rarely be completely automated and done in an unattended mode. A high quality password management solution can make the process go quickly and reliably due to automation, but human judgment is essential in anything other than simple lab test cases.]

Easy Ways to Manage Application Credentials
If an application is implemented as a combination of Microsoft Windows Services, COM+, DCOM, MTS, IIS, ASP.NET and other standard Microsoft Windows platform component types, our products can automatically detect and change credentials and their usage using our auto-discovery/auto-correlation technology.

For non-Windows platforms, password updates are accomplished by a combination of remote command line commands (secure CLI changes) as well as by file pattern matching and updating (also secure). There is also the ability to support the remote update of a Java-based secure storage mechanism where the application can consume it.

Some applications store their credentials in files (binary, text and encrypted), so we also support secure automated file patching. 
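
The file pattern matching and updating described above, sketched as an added example (not Lieberman Software's product code): it rewrites one credential line in a plain-text config file, refuses when the pattern does not match exactly once or when the file is accessible to group or others, and swaps the new file in atomically. The `db_password` key, the file layout and the refusal policy are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Hypothetical key name and "key = value" layout; the page names no file format.
PATTERN = re.compile(r"^(?P<key>[ \t]*db_password[ \t]*=[ \t]*)(?P<val>.*)$", re.M)


def rotate_in_file(path, new_password, pattern=PATTERN):
    """Replace the one credential matched by `pattern`; return a status string."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "refused: file is accessible to group or others"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    found = len(pattern.findall(text))
    if found != 1:  # zero or several matches: patching blindly would break the app
        return f"refused: expected 1 match, found {found}"
    # Function replacement keeps backslashes in the password literal.
    new_text = pattern.sub(lambda m: m.group("key") + new_password, text)
    # Temp file in the same directory so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, stat.S_IMODE(st.st_mode))
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return "updated"


def demo():
    """Exercise the function on a constructed config file in a temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "app.conf")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("db_user = app\ndb_password = OldSecret1\ntimeout = 30\n")
    os.chmod(path, 0o644)
    loose = rotate_in_file(path, r"N3w\1pass")  # refused: world-readable
    os.chmod(path, 0o600)
    ok = rotate_in_file(path, r"N3w\1pass")
    with open(path, encoding="utf-8") as fh:
        return loose, ok, fh.read()
```

A refusal leaves the file untouched, so an operator watching the change can decide how to proceed on that host.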

Upgrading Legacy Applications That Use Clear Text Passwords
When an organization needs to upgrade the password security of an existing application (for example, one that uses clear text passwords in a file) and it has the source code and expertise, we support the industry standard solution of using a platform’s secure credential storage mechanism that is part of the operating system or language run time (for example, Java).

As part of our product’s design, we can update not only the credentials in the operating system or database, but we can also update the secure credentials store automatically as part of the password change process.

The Real World Intrudes: Upgrading Legacy Applications is Never Easy
Switching old legacy code bases to secure credential storage is rarely implemented in the real world since it assumes that the original application developers or their successors have the ability to rewrite their applications in a more secure manner. Typically, there is no in-house talent to accomplish the program rewrite and the knowledge as well as the source code for the application is typically unavailable.

To “get the deal”, other vendors claim that they can deliver magical professional services to accomplish the change. Or, the client is under the naive impression that such a security upgrade is a trivial effort for their staff given the claimed capabilities of a vendor’s product. In the real world the vendor does not have this capability and the organization with the legacy code generally underestimates the “issues” involved in the update. We write code every day and there are always “issues” in even the simplest project.

Most organizations are better off accepting the reality that it is better to keep legacy applications working as-is (with insecure storage of credentials), and instead think about improving the access control methods on the files as well as adding auditing. Obviously updating insecure code to a secure credential storage mechanism is ideal, but it rarely succeeds due to the realities of time, employee turnover, and lost expertise.

Summary
We fully support the management of application credentials in both application-to-application (A2A) and application-to-database (A2DB) modes, and we provide you with the ability to do it yourself by filling out a few dialogs.

If you ever talk to “this” other vendor about their “unique” sole-source A2A and A2DB solution, ask them to actually demonstrate how you can do it yourself on all of your platforms. If you must go to class or employ their professional services, I think you will figure out the truth of their solution for yourself.

We do A2A and A2DB and so can you in just a few minutes right from the instructions in our manual.

Questions or comments, or want to discuss how you tried or failed at A2A or A2DB?
Email me at: phil@liebsoft.com
 

Tech Tip of the Month

Find Out What's Being Shared on Your Network

What are your users sharing? Music? Sensitive documents? Customer data? Customer purchasing history? R&D?

How can you get a list of machines that are sharing content?
If you’re running Windows 7, you need to know what’s being shared...

With User Manager Pro Suite you can run a report and stop the unwarranted sharing immediately. You simply highlight all the shares that aren't supposed to be out there, right click and delete. And they're – poof – gone. How long does that take? You’re already done! The data is still there, it's just not being shared anymore.



Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
Liebsoft.com

(01) 310-550-8575

newsletter@liebsoft.com
 

Customer Snapshot: Major Television Network

The organization’s IT infrastructure supports television stations in all major U.S. markets and operates out of multiple datacenters and server rooms. Hundreds of servers and thousands of client systems make up their environment with a mix of Windows, UNIX and Linux operating systems. To protect the organization’s data assets, the CIO required a solution that could manage any of these components, reliably and affordably, while helping to meet their company’s regulatory compliance and security initiatives.

The Situation: Needed to protect sensitive data – without adding unnecessary staff or system overhead. Motivated by Sarbanes-Oxley compliance goals.

The Solution: Enterprise Random Password Manager was deployed to control access to privileged accounts and to report who had access, at what time, and for what purpose.

The Result:
The television network eliminated anonymous access to sensitive data and improved its compliance with Sarbanes-Oxley and other.


Partner News
  • Raytheon SureView Integration - Insider Threat Detection Combines with Privileged Identity Management: Lieberman Software has partnered with Raytheon to combine Raytheon’s military-grade, DVR-type incident recording, replay and advanced insider-threat detection and monitoring capabilities with Lieberman Software’s privileged identity management solution set. The combination of Raytheon SureView and Lieberman Software’s Enterprise Random Password Manager (ERPM) offers unparalleled protection against insider threats, providing control over administrative access to sensitive data throughout corporate and government networks.
  • Sybase iAnywhere Integration: ERPM manages the accounts used by Afaria Services. ERPM also manages privileged accounts within the Sybase Adaptive Server Enterprise (ASE) database.

Product Updates / Launches / Podcasts
  • ASP.NET Credential Management: Enterprise Random Password Manager (ERPM) discovers and continuously secures the privileged account credentials present in ASP.NET web applications. In doing so, ERPM improves security and regulatory compliance for organizations whose ASP.NET credentials control access to corporate databases and back-end application tiers.

Events / Press / Analysts
  • Microsoft Issues Security Guidelines for Windows Azure. Redmond Magazine. Security is the number one inhibitor to cloud adoption and Microsoft has addressed many key issues, according to experts. "By Microsoft providing extensive training and guidance on how to properly and securely use its cloud platform, it can overcome customer resistance at all levels and achieve revenue growth as well as dominance in this new area," said Phil Lieberman, president of Lieberman Software Corp., a Microsoft Gold Certified Partner that specializes in enterprise security.
  • Microsoft's Smartphone Strategy Needs a Genius Plan. Redmond Channel Partner. Phil Lieberman of Lieberman Software believes that the recent turnover of the SmartPhone management team at Microsoft was well overdue. "Everyone in Microsoft management needs to ask the question: ‘what about Windows Mobile 7 is going to wow me, make this a different platform and a must buy for everyone?' The world does not need another unreliable phone that runs like a Zune and can kind of play some XBox games."
  • The Three Biggest Risks You Face. CFO Zone. "The rough economy is also posing a greater internal threat to companies' information systems, says Philip Lieberman, CEO of Lieberman Software. High turnover naturally increases the risk that employees on their way out the door will download sensitive information with the intention of offering it to a new employer, Lieberman warns." 
  • Five Key Questions When Considering Working with a Cloud Service Provider. IT Business Edge. "There are certainly a lot of points to take into consideration with cloud computing, particularly security within the cloud. I had the opportunity to speak with Phil Lieberman, president and CEO of Lieberman Software, who presented a list of security-related questions a company should ask before doing business with a cloud service provider and his advice on what should be looked for in the answers."

Lieberman Software Corporation respects your right to privacy, and believes any information you provide us should be protected from disclosure to others. For more information, please read our privacy policy.