BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Computerworld’s Advice Still Relies Too Much on Trust

Posted November 17, 2010    Peter McCalister

In a Computerworld article, last week, exploring the ‘scary side of virtualization’, the reporter, took some time out in a sidebar, to offer some sage staffing advice.

His riposte, ‘Beware the All-Powerful Admin’, made clear the risk of giving server admins the ‘keys to the kingdom’ – not a good thing so consultants and IT execs unanimously agree.

They might for example create virtual FTP servers ‘or they may inadvertently use a virtual-machine migration tool to move a server onto different hardware for maintenance reasons, without realizing that the new host is on an untrusted network segment.’

His sage advice, is to establish a clear separation of duties in virtual infrastructures, and develop a strong change-management process that includes issuing change management tickets.

BeyondTrust, naturally would agree, but with one caveat. Businesses don’t rely on trust alone. BeyondTrust’s name doesn’t invite businesses to put their faith in some kind of metaphysical state that transcends our human frailties, it simply invites you to recognize that people can and do make mistakes, and when they are people with the ‘keys to the kingdom’, these mistakes can be costly.

Better to trust your people, and, take out an insurance policy against human frailties, whether those be fat fingered mistakes, or willful misuse of responsibility.

In any environment especially the deployment of virtualized environments, strong identity management practices, and specifically control around privileged access, must be put in place. As BeyondTrust’s Jeff Nielsen says: “As the number of virtual hosts increases, there is a natural tendency to create islands of identity that are difficult to manage. As individual virtual servers are created that serve the needs of departmental applications, there will be typically be a push from the departments for them to own the access to the server, specifically the privileged access, in the name of departmental efficiency. As the number of identity sources increases, the prospect for orphaned or inappropriate privileged access increases. Without a well-orchestrated management scheme for identity management and privileged access, the company will soon lose control compromising security and audit compliance.”

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,