Externalizing Credential Management for ITOM and ITSM

October 1, 2020

Over the years, a pretty simple causality has emerged that represents one of the most significant security risks for organizations:

PRIVILEGED ACCOUNTS = DATA BREACH

Many of you paid attention and embraced the warnings and guidance from analysts, press, and vendors, implementing privileged access management (PAM) security controls to mitigate the risk. Bravo.

The question is, did you go far enough?

ANOTHER SLICE OF THE ATTACK SURFACE

As it relates to privileged accounts, the attack surface can be enormous and very diverse. Reducing this attack surface is a primary objective. However, for many organizations, the first - and often, only – focus is on the human administrator and their privileged activities.

Today we’re going to visit another slice of this attack surface that often flies under the radar. Your mileage may vary, but this risk can be just as significant, if not more so. It’s the use of privileged accounts by IT automation software; tools commonly found in IT Service Management (ITSM), IT Operations Management (ITOM), and Continuous Configuration and Automation (CCA) platforms, such as asset discovery, vulnerability scanning, and software orchestration.

ITOM ITSM CCA

For example, you may use Tenable.io™ with Nessus to scan the network for systems and analyze each one looking for exploits, vulnerabilities, and misconfigurations. ServiceNow® Discovery may help you maintain a single system of record for your IT assets by conducting an inventory of each system, feeding results into other tools such as ServiceNow Service Mapping to show applications, infrastructure, as well as service relationships and dependencies. Red Hat Ansible Tower® may be helping you control your IT infrastructure, job scheduling, and inventory management. Like the others, it needs administrative access to IT infrastructure. There are dozens of other tools that provide similar services from vendors such as Rapid7, Qualys, and Trustwave.

In common, they all need to log into IT systems via SSH or WinRM to run commands and scripts with privileges and obtain system-level intelligence.

Therein lies the risk.

EXTERNALIZING CREDENTIAL MANAGEMENT

By default, IT configures these privileged account IDs and passwords statically within the tool. Let’s be clear about what this means. You’re entrusting the keys to every IT system – on-premises and perhaps in the cloud as well - to an application whose core strength is not identity and credential management. Not only that, IT must manually configure dozens or even hundreds of credentials in the tool. Multiply that by the number of tools requiring privileged accounts, and the lights never go off for IT.

Password

Thankfully, several leading vendors in the space have recognized this. As an alternative, most allow IT to externalize identity and credential management to a third-party solution designed for the job, such as Centrify Privileged Access Service. Relocating credentials to a hardened password vault is the best practice to mitigate this risk. Instead of IT configuring passwords within the tool, the tool fetches them from the vault at scan time. If an attacker compromises the tool, they won’t find any privileged account passwords in its configuration settings, preventing lateral movement to the IT servers and limiting what could amount to a complete compromise of every server in your IT infrastructure, including domain controllers.

MORE BANG FOR THE BUCK

The value doesn’t end there, however. IT can use the vault to strengthen passwords and help prevent login denials. We all know passwords are inherently weak, introducing risk. Frequent rotation helps mitigate the risk, along with setting long, cryptic passwords. Unfortunately, this falls below the line of high priorities for many IT shops, resulting in a “set it and forget it” mentality. With the vault, you get automatic account password rotation coupled with password quality of service policies. You avoid the risk of stale passwords with low entropy. No longer must IT manually log into each system to change the local account password, then manually update them in each tool to ensure consistency.

The vault also helps prevent scan failures that occur in-between the scheduled password rotation jobs. Someone (a well-meaning internal admin or a threat actor) changes a local system password, but the tool is still using the old one. Subsequently, the login would fail, and you now have gaps in system coverage requiring manual intervention. The vault can automatically reconcile out-of-sync passwords in real-time during password check out to ensure the local system account password and the vaulted password are the same. This client-based password reconciliation feature is unique to Centrify (check out this blog for more details) and ensures that at scan time, your tool will always fetch a valid password from the vault with which to log in.

So, for those of you using these tools, I hope this has given you insights into the incremental risk and a way to mitigate it. For more information, please visit the Centrify Privileged Access Service page on our website.

©Centrify is a registered trademark of Centrify Corporation in the United States and other countries. All other trademarks are the property of their respective owners.