|The Trust Time Bomb
Lieberman, President & CEO Lieberman
Rodney Gedda of CSO Magazine posted an excellent description of a
security phenomenon known as the “trust time bomb” on cso.com.au this
month in an article called: Access
build-up a new concern for CIOs: security pro.
In his article he explained how over time, employees build up an
incredible number of privileges that grant dangerous privileged access.
This is akin to the current problem with database administrators that
retain DBA super user privileges indefinitely, as well as IT staff
using the same password on every system in the company as a matter of
convenience. Below is an edited response I sent to Rodney. Let me know
what you think of my response by writing me directly at: Phil@liebsoft.com
“I totally agree with your position on the ‘trust time bomb’. The
problem of privileged identity creep extends from physical systems
(i.e. switches, routers, KVM, ILO), through hypervisors, hosted
operating systems, stacks such as Windows and LAMP, middleware, and up
to applications. Compound this with IT sharing the same password on all
these systems and never changing passwords when there is turnover, and
you have a recipe for a disaster.
The problem is that IT does not want to change its habits and prefers
the convenience of poor security to make their jobs easier.
Unfortunately, many CSOs are not aware of the bad practices employed by
their IT staff and developers. When CSOs try to implement a solution,
they are frustrated by both passive and active resistance to efforts by
C-level staff to implement proper security controls (segregation of
duties, need to know, approvals of access, limited time access, etc.).
What needs to happen is a direct hands-on attack of the privileged
identity management problem by the CSO rather than delegating the
problem to IT to fix. Technical solutions exist to solve the problem,
but the problem must first be solved at the organization level by
implementing appropriate policies and enforcement to reasonable
It is also important that the auditors be part of the remediation
process to make sure that privileged credentials are cut back to a
least privileged and least time rule. Auditors must also come back
regularly to assure that the security controls are not only
implemented, but are also followed so as not to fall into the PCI point
in time security trap (i.e., we were okay on our January 1st audit, but
fail every other day).
Most of all, the CSO must get personally involved in both the technical
and business end of reducing the privilege threat. The solution
requires both technology and process, and in the end a third party
auditor must confirm that real security has been achieved rather than a
point in time compliance.”
Tip of the Month
Configuring Delegation Rules and Rights
It's well known that
Enterprise Random Password Manager (ERPM) can delegate user access to
the privileged account passwords in the enterprise. But do you
know the extent to which ERPM can be configured to control the access
of delegated users within ERPM itself?
>> Learn more
Avenue of the Stars,
Angeles, CA 90067
Heartland Financial USA, headquartered in Iowa, is a publicly traded
financial services company that provides banking, mortgage, wealth
management, insurance and consumer finance services across 73
required a solution to secure and manage privileged account access in
order to comply with regulatory mandates, including Sarbanes-Oxley.
Enterprise Random Password Manager (ERPM) was acquired and deployed to
all branches in the network.
"Our biggest advantage is that our systems are now much more secure.
Controlling our privileged identities helps protect us against threats
like malicious software. Another benefit with ERPM is the time savings
and increased productivity compared to scripting."
Shane Nicely | VP of Information Services, Heartland Financial USA
Click here to read the detailed case
Silver Business Partner Announcement: Lieberman
Software's participation in the HP Software Enterprise Management
Alliance Program demonstrates our commitment to develop privileged
identity management solutions that help safeguard deployments of HP
Operations Center and HP Network Management Center (formerly known as
Launches / Podcasts
Virtual Strategy Magazine - Interview with Philip Lieberman about
cloud computing security and the new release of Enterprise Random
Password Manager (ERPM) v4.82. Duration 15:39.
Events / Press /
us at the Microsoft Management
Summit: Las Vegas, NV. April 19-23, 2010
World, March 2010
"Lieberman Software's Enterprise Random Password Manager (ERPM)
provides new levels of visibility and control for cloud service
providers and large enterprises to secure privileged identities."
named one of 25
Hot Products to Watch at RSA! "With this version of ERPM,
cloud service providers can assure both customers and IT auditors that
privileged access to sensitive data is continuously monitored and
- Help Net
Security, March 2010
"ERPM now delivers fine-grain management features to protect every
asset in the cloud infrastructure – including physical and virtual
computers and network appliances, hypervisors, databases, middleware,
line-of-business applications, and more."
"ERPM continuously discovers, secures, and grants fully audited,
role-based administrative access to physical and virtual IT assets
within the cloud infrastructure."
- ebizQ, March 2010
ERPM Helps Cloud Service Providers and Large Enterprises Manage and
Secure Privileged Identities
Security Magazine, March 2010
"ERPM adds the capability for cloud service providers to delegate
different levels of privileged access, audit and compliance reporting