Recent breaches around the world, amounting to billions of dollars, have shaken the world’s business community into closely scrutinizing its “back-office” security controls.
Companies such as Cyber-Ark Software are seeing an unprecedented demand from corporations globally looking for solutions that will securely manage their privileged identities.
Cyber-Ark Software recently released a rather different approach to securing application-to-application credentials. The release is timely in light of predictions that both Jerome Kerviel at Société Générale and the anonymous informant who gave out customers’ details at the Liechtenstein Bank, part of the LGT Group, to both the German and UK tax authorities were able to do so because of the lack of security controls over privileged users.
The new product, Enterprise Password Vault (EPV) 4.5, addresses the full range of security and audit challenges surrounding application identities within applications, scripts and application servers.
“The investigations are not complete, but both of these recent occurrences within European financial institutions most probably came down to the lack of IT security controls and processes to protect and manage privileged access to systems and applications,” said Udi Mokady, president and CEO of Cyber-Ark.
“Organizations have got to learn to take greater care of their sensitive information to make sure it is not accessible to staff without proper controls. Securing sensitive data and managing access to privileged accounts is crucial if more institutions are not going to hemorrhage vital information, costing them greatly financially as well as leaving their reputation somewhat tainted.”
Research by CERT and law enforcement agencies shows that 86 percent of those who’ve committed cyber-crimes held technical positions and an overwhelming 90 percent had system administrator or privileged system access.
Managing credentials for application authentication poses security, auditing and administration challenges, and the lack of management of these powerful identities has been the “elephant in the room” in the IT infrastructure. Medium to large enterprises usually have thousands of servers, each running many applications, thousands of processes, and scripts that constantly use the credentials in order to communicate with databases and other systems.
Despite this fact, while more than 90 percent of enterprises regularly change passwords for employees, up to 42 percent never change hard-coded and embedded passwords for application IDs, testing scripts and batch jobs. This is in direct conflict with their own internal security policies, and is increasingly being highlighted by both internal and external audits covering a range of governmental and industry-specific regulations such as SOX, PCI, Basel II and NERC/FERC.
“While all of the platforms accessed via a privileged password are critical and vulnerable, a particularly complex situation arises with embedded application passwords,” said Sally Hudson, research director for IDC’s Security Services and Identity Management Products program.
“The danger of these application-embedded passwords being misappropriated or mishandled is growing accordingly, and organizations should take measures to make Application Identity Management a strong component of their overall IAM system implementation.”
“What we’re seeing and hearing from customers, partners and prospects is that securing privileged accounts—and application passwords in particular—is their number one area of concern right now. Cyber-Ark has never seen a greater interest from global companies seeking us out for a technology solution that can securely manage, store and audit their application identities,” added Mokady.