Lieberman Software
PRIVILEGED IDENTITY MANAGEMENT NEWS LINE
November 2012

Top of Mind

Going Beyond Local Account Management: Service Account Discovery, Correlation and Propagation

Philip Lieberman, President & CEO
Lieberman Software


Continuing from last month...

The Good News and Bad News

The developers of Microsoft Windows created a well-organized framework for the storage and retrieval of service accounts that is consistent from Windows NT to Windows 2012. This means that applications written for this platform pretty much use the same methodologies for the management of credentials. The Microsoft platform also provides remote management APIs (interfaces) that allow credentials and their references to be managed in a consistent manner.

Having stated that the Microsoft platform has a consistent structure does not mean it is simple to manage; I am only stating that it is consistent. The platform itself has an enormous number of services to manage, and with each new version of the operating system we have had to develop ever more sophisticated discovery, correlation and propagation engines.

The story on managing correlation and propagation on non-Windows systems such as Linux is a whole different kettle of fish. First, there is no ubiquitous remote management API, no (consistent) framework for the storage of credential usage, and applications are free to install and put their configuration files wherever they wish. There is also no consistent central repository to review that tells you what is on that machine and where it is installed. It is for this and many other reasons that companies choose Windows rather than Linux simply because of standardization and remote management. By the way, this is not a Linux only problem since many cross platform products such as Oracle 11g and many other Oracle and IBM products have a completely arbitrary and frankly bizarre way of installing themselves and maintaining their credentials.

All is Not Lost

But, all is not lost and we have developed connectors for these non-Windows based services. These connectors do provide the full discovery, correlation and propagation features, but because there is no remote management API, we provide remote management connectors for these platforms such as IBM WebSphere and Oracle WebLogic. Similarly, we also provide these same types of remote management connectors for JAVA and other middleware repositories.

We also provide remote CLI capabilities, file search and replace (great for CONF files), and SSH/Telnet command files.

In Practice: Windows… A Dream to Manage

Because we have a rich and mature set of engines for Windows, the discovery, correlation and propagation process is a breeze. Almost everything is fully automated; credentials and their use are displayed as trees. Changing passwords and where they are being used is also simple and takes less than a minute to configure once and for all. Since everything is in the box, there is no need for professional services to customize our software.
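The discovery, correlation and propagation cycle the paragraph describes for Windows, as an added PowerShell example (not ERPM code, and not Lieberman Software's method): discovery reads each host's service list over CIM and keeps the services whose logon account matches, correlation groups the hits into a host-to-service tree, and propagation pushes the new password into each service's stored credential with the Win32_Service Change method. Host names, the account name and the WinRM/admin access are assumptions.

```powershell
# Added example, not product code. Assumes WinRM/CIM access and local admin rights on
# the target hosts, and that the account's password has ALREADY been changed in the
# directory to $NewPassword; this only updates the copy each service holds.

function Get-ServiceAccountUsage {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,   # constructed host list
        [Parameter(Mandatory)] [string]   $Account         # e.g. 'CORP\svc_backup' (constructed)
    )
    foreach ($computer in $ComputerName) {
        try {
            # StartName is how the SCM stores the logon account. Real estates also see
            # '.\name' and UPN forms, so normalise before comparing in production.
            Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.StartName -and $_.StartName -ieq $Account } |
                ForEach-Object {
                    [pscustomobject]@{
                        ComputerName = $computer
                        Service      = $_.Name
                        State        = $_.State
                        StartMode    = $_.StartMode
                        BinaryPath   = $_.PathName
                    }
                }
        } catch {
            Write-Warning "${computer}: discovery failed ($($_.Exception.Message))"
        }
    }
}

# Correlation: render the hits as the host -> service tree an operator reviews before
# any change is made.
function Show-ServiceAccountTree {
    param([Parameter(ValueFromPipeline)] [object[]] $Usage)
    begin   { $all = @() }
    process { $all += $Usage }
    end {
        $all | Group-Object ComputerName | ForEach-Object {
            $_.Name
            $_.Group | ForEach-Object { "    +-- $($_.Service) [$($_.State), $($_.StartMode)]" }
        }
    }
}

# Propagation: Win32_Service.Change accepts StartPassword; ReturnValue 0 means the SCM
# stored it. A running service keeps its old token until restarted, hence -Restart.
function Update-ServicePassword {
    param(
        [Parameter(Mandatory)] [object[]] $Usage,
        [Parameter(Mandatory)] [string]   $NewPassword,
        [switch] $Restart
    )
    foreach ($u in $Usage) {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $u.ComputerName `
                               -Filter "Name='$($u.Service)'"
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                                   -Arguments @{ StartPassword = $NewPassword }
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$($u.ComputerName)\$($u.Service): Change returned $($result.ReturnValue)"
            continue
        }
        if ($Restart -and $svc.State -eq 'Running') {
            [void](Invoke-CimMethod -InputObject $svc -MethodName StopService)
            Start-Sleep -Seconds 5
            [void](Invoke-CimMethod -InputObject $svc -MethodName StartService)
        }
        [pscustomobject]@{ ComputerName = $u.ComputerName; Service = $u.Service; Updated = $true }
    }
}

# Usage with constructed host and account names:
# $usage = Get-ServiceAccountUsage -ComputerName 'APP01','APP02' -Account 'CORP\svc_backup'
# $usage | Show-ServiceAccountTree
# $new = Read-Host -Prompt 'New password already set in the directory'
# Update-ServicePassword -Usage $usage -NewPassword $new -Restart
```

Running discovery and review first, and propagation as a separate step, is what keeps a rotation from becoming an outage: every service that will be restarted is listed before anything changes, and a non-zero ReturnValue on any host is reported rather than silently skipped.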

In Practice: Linux and Others… Easy, But Secret Sauce Must Be Known

Managing credentials and their use on non-Windows machines does not require professional services or customization of ERPM; however, it does require some knowledge of the platform, and where and how credentials are stored. You also need to know the method used by the services to change credentials for services/daemons.

Because all of the propagation settings are user configurable, you simply enter the configuration settings for your platform(s) and you are done once and for all.

Embedded Credentials

Both Windows and non-Windows platforms sometimes have applications that store their service credentials in plain text files. This practice makes auditors and regulators go insane with panic when/if they discover this practice.

We have implemented the following solutions to address this issue:

1) Push credential change whereby our product finds and changes the clear text credentials automatically and periodically in the background for these clear text files, or patches binary files containing clear text passwords.

2) Pull credentials where you update your code that uses the clear text files and have it pull credentials directly and in real time from our application. This method uses our SDK (free) that provides APIs for pretty much every platform out there.

3) In cases where the password storage mechanism uses encryption, we have already incorporated decryption, scanning, change, and re-crypt for many technologies such as .NET. For other technologies you can use CLI.
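The "push" approach in item 1, as an added PowerShell example (not ERPM code): discovery scans text configuration files for password keys whose value is the account's current password, correlation reports every file and line where it is used, and propagation rewrites exactly those lines with the new value. The sample files written under $env:TEMP, the key names matched and the passwords are all constructed so the script runs stand-alone.

```powershell
# Added example, not product code. The two sample configuration files below are
# constructed so the functions have something to scan; point -Path at a real tree
# to use them.
$Root = Join-Path $env:TEMP 'cred-scan-demo'
New-Item -ItemType Directory -Path (Join-Path $Root 'app1'), (Join-Path $Root 'app2') -Force | Out-Null
Set-Content -Path (Join-Path $Root 'app1\db.properties') -Value @(
    'db.url=jdbc:oracle:thin:@dbhost:1521:orcl',
    'db.user=svc_report',
    'db.password=OldPassw0rd!'
)
Set-Content -Path (Join-Path $Root 'app2\worker.conf') -Value @(
    '[queue]',
    'user: svc_report',
    'password: OldPassw0rd!',
    '',
    '[other]',
    'user: svc_other',
    'password: Unrelated1'          # a different account: must NOT be touched
)

# Discovery: a key that looks like a password entry (key=value or key: value) whose
# value equals the known current password. Matching on the value as well as the key
# limits the hit list to this one account.
function Find-ClearTextPassword {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $CurrentPassword,
        [string[]] $Include = @('*.conf', '*.properties', '*.ini', '*.xml', '*.yml', '*.yaml')
    )
    $keyPattern = '^(?<key>\s*[^#;=:]*?(password|passwd|pwd|secret)\s*[=:]\s*)(?<val>.*?)\s*$'
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $file = $_.FullName
        $lineNo = 0
        Get-Content -Path $file | ForEach-Object {
            $lineNo++
            if ($_ -match $keyPattern -and $Matches['val'] -eq $CurrentPassword) {
                [pscustomobject]@{ File = $file; Line = $lineNo; Key = $Matches['key'].Trim() }
            }
        }
    }
}

# Propagation: rewrite only the lines discovery reported, leaving every other line
# byte-for-byte as it was. The .bak copy still holds the old clear-text value, so
# delete it once the dependent service has been verified with the new password.
function Set-ClearTextPassword {
    param(
        [Parameter(Mandatory)] [object[]] $Hits,
        [Parameter(Mandatory)] [string]   $CurrentPassword,
        [Parameter(Mandatory)] [string]   $NewPassword
    )
    foreach ($group in ($Hits | Group-Object File)) {
        $file    = $group.Name
        $lines   = @(Get-Content -Path $file)
        $targets = @($group.Group.Line)
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if (($i + 1) -in $targets) {
                $lines[$i] = $lines[$i].Replace($CurrentPassword, $NewPassword)
            }
        }
        Copy-Item -Path $file -Destination "$file.bak" -Force
        Set-Content -Path $file -Value $lines
        [pscustomobject]@{ File = $file; LinesChanged = $targets.Count }
    }
}

$hits = Find-ClearTextPassword -Path $Root -CurrentPassword 'OldPassw0rd!'
$hits | Format-Table File, Line, Key      # correlation: two hits, one per sample file
Set-ClearTextPassword -Hits $hits -CurrentPassword 'OldPassw0rd!' -NewPassword 'N3w-Passw0rd!'
```

Against the constructed tree this reports one hit in db.properties and one in worker.conf, and the svc_other entry is left alone because its value does not match. The same scan run with a new password that is never found is the cheap check that a rotation did not leave a stale copy behind.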

Summary

If you have been tasked with changing credentials on a regular basis, but have given up because these changes have caused outages due to the complexity and scope of not only changing credentials but also where they are being used, there is an automated solution that does the job quickly and at scale with minimal to no human interaction: Enterprise Random Password Manager (ERPM).

By the way, deployment of this product and the ability to do propagation to service accounts at scale - reliably - is generally a one to two week process initially. Why? Extensive automation and deep domain specific knowledge embedded within the ERPM product make this seemingly impossible task for humans an easy task for our product.

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • The Status and Future of Software Development. Throughout the past several decades we’ve seen quite an evolution in the field we now refer to as software development, as you’d expect. The dilemma we face in software development today is, with technology all around us, there is so much that can be done, but not enough time to do it all. The complexity of technologies, and their problems interacting reliably and at scale, is becoming a serious challenge...
  • Regulatory Compliance and the Privileged Account Principle. Two common drivers compel organizations to invest in new IT security and management technologies – data breaches and failed compliance audits. Companies such as mine – we develop privileged identity management (PIM) products – receive new customers seeking to rectify both such incidents. Preventing data breaches is an obvious impetus for investing in a PIM product, but for many people, the tie in with regulatory compliance is less clear...

Events / Press / Analysts
  • How to get promoted in IT security. Help Net Security. Not only has landing a job become more difficult; it's also getting harder to get promoted once you have the job. Here are some tips to getting ahead in today's competitive, cutting-edge world of IT security.
  • Running Lights Out Management Without Putting Your Organization's Lights Out Permanently. Continuity Central. Intelligent Platform Management Interface (IPMI) technology underpins lights out management (LOM) in IT departments around the world. LOM allows an IT administrator or IT security manager to manipulate and manage servers using remote control - even switching on the machines when they are ‘off’. LOM is a potent technology which has its uses; however it also poses some potential risks which every enterprise must be aware of.
  • Lieberman updates identity management software. Finextra. Lieberman Software has launched new functionality that allows ERPM to provide secure check-in/check-out of privileged credentials directly through the McAfee ePolicy Orchestrator (McAfee ePO) web-based interface, and provides identity and configuration data enrichment for ePO.

Tech Tip of the Month

Remotely Create, Update and Remove Services

Has a vendor sent you an updated Services executable that needs to be installed across a large group of machines?

Do you have an internally developed application that requires installed services, but doesn’t have an install package?

Do you have obsolete services defined on Windows hosts in your environment, but no time to go clean them up?

In addition to modifying Windows Services, Service Account Manager can create or remove services. Here's how.
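The three operations the tip lists, as an added PowerShell example that is not Service Account Manager's code or method: create a service on a group of hosts, point an existing service at an updated executable, and delete an obsolete service, each fanned out with Invoke-Command. WinRM access, admin rights, the service and host names, and the assumption that the binary has already been copied to each host are all mine.

```powershell
# Added example, not product code. Assumes WinRM is enabled and the caller is an
# administrator on every host; names and paths are constructed placeholders.

function New-RemoteService {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $BinaryPath,      # must already exist on each host
        [string] $DisplayName = $Name,
        [pscredential] $ServiceAccount                      # omit to run as LocalSystem
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $n = $using:Name
        if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
            return "${env:COMPUTERNAME}: $n already exists, skipped"
        }
        $params = @{ Name = $n; BinaryPathName = $using:BinaryPath
                     DisplayName = $using:DisplayName; StartupType = 'Automatic' }
        # The account still needs the "Log on as a service" right on the host.
        if ($using:ServiceAccount) { $params.Credential = $using:ServiceAccount }
        New-Service @params | Out-Null
        "${env:COMPUTERNAME}: created $n"
    }
}

function Update-RemoteServiceBinary {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $BinaryPath
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $n = $using:Name; $p = $using:BinaryPath
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if (-not $svc) { return "${env:COMPUTERNAME}: $n not found" }
        $wasRunning = $svc.State -eq 'Running'
        if ($wasRunning) { Stop-Service -Name $n -Force }
        # Change with PathName rewrites the image path the SCM launches.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $p }
        if ($r.ReturnValue -ne 0) { return "${env:COMPUTERNAME}: Change failed with $($r.ReturnValue)" }
        if ($wasRunning) { Start-Service -Name $n }
        "${env:COMPUTERNAME}: $n now runs $p"
    }
}

function Remove-RemoteService {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $Name
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $n = $using:Name
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if (-not $svc) { return "${env:COMPUTERNAME}: $n not present" }
        if ($svc.State -ne 'Stopped') { Stop-Service -Name $n -Force }
        # Win32_Service.Delete works on Windows PowerShell 5.1; Remove-Service needs 6+.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Delete
        "${env:COMPUTERNAME}: delete $n returned $($r.ReturnValue)"
    }
}

# Usage with constructed names:
# $hosts = 'APP01','APP02','APP03'
# New-RemoteService -ComputerName $hosts -Name 'VendorSvc' -BinaryPath 'C:\Vendor\svc.exe'
# Update-RemoteServiceBinary -ComputerName $hosts -Name 'VendorSvc' -BinaryPath 'C:\Vendor\svc-v2.exe'
# Remove-RemoteService -ComputerName $hosts -Name 'OldSvc'
```

Each function returns one status line per host, so a failed hunk of the rollout (a missing binary, a non-zero ReturnValue, a service that was already there) is visible in the output rather than buried; a second run is safe because creation skips hosts where the service already exists.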

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
www.Liebsoft.com | (01) 310-550-8575 | newsletter@liebsoft.com