When I think about managing identities and privileges within an organization, one of my favorite analogies for the whole privileged identity lifecycle is biblical.

Everything starts “in the beginning” with a superuser. Whether someone starts with a server or a workstation, creates on-premises solutions for their network infrastructure, or builds out a cloud, they'll always have to start out with an account with god-like power that will control all other accounts accessing that resource going forward.

Now, if you were not there at the setup of new resources, you'd probably be unaware that there was a superuser account created at the genesis. But that superuser account never goes away and in most cases is used day-to-day, either by someone or by something (applications or automated systems).

As time goes on, the knowledge of these superuser accounts, where they are, how they're being used and so on, gets lost. Just as the history of how the Bible originated is a mystery to most people except for scholars, so it goes with privileged identities.

Things also change in the world of IT over time and, again, most people don't understand the implications. Add new appliances, switches, routers and software and new root accounts pop up. Blend that in with new superuser accounts for things like intrusion detection devices, antivirus systems or DLP and you get a whole new layer of privileges added to the environment.

People don't really think about it; they simply interact with it at the user level, and the environment continues to evolve and morph.

But when auditors and regulators come in and ask 'Who created all of this?' and 'Who has access to these accounts?', you've got a good old-fashioned debate on par with creationism and evolution, because there's no one still around who can answer where the accounts came from and no records detailing who can access them.

Mining Infrastructure with Privileged Identity Management

So where does privileged identity management play in this metaphor? I like to think of it as being the archeologist of the bunch. When you're managing these identities, your job is to go out and mine the infrastructure, looking for “fossils,” or those clues that provide your organization with a view of where those god-like accounts are, how they're being used and what they're being used to do.

It's an important task, because there are plenty of rogue scientists – hackers out in the field – that know all about these fossils. They're also looking for DNA in the bones embedded in the rock that can be used to piece together where the original accounts are in your infrastructure. So much information about these superuser accounts is publicly available, waiting to be mined by the bad guys.

Don't believe me? Google the phrase “default administrator account” and see how many websites there are that list the default account information that will get you into most systems if the logins are not changed.

Still don't believe me? Visit the Default Passwords List website – your passwords are probably there, for the world to see.

Don't kid yourself. Those default logins are lurking in the bedrock. The problem with most organizations today is that the person provisioning new users may do so through a root account without even realizing it. Even if they do know what they're doing, they may not know that these accounts are actually only a subset of all of the privileged accounts out there – many of which have always been accessible through default login information.

The Identity Management Lifecycle

IT folks are somewhat like the priest or the rabbi talking about the Bible and conducting well-organized and inspirational services, but not necessarily understanding the history of the materials they are presenting. Many of the true scholars in the field know information that may shock the flock and those that are leading the flock.

For IT staff, the shock would come from learning how the process of provisioning and de-provisioning results in many open privileged accounts that can easily be compromised.

The process starts with someone getting hired. With a great, wide, wonderful world of systems out there, from an empty mill machine on a factory floor or a key card to get you through the front door, all the way to an SAP system or a really complicated line-of-business system that was written decades ago by an unknown in-house developer, new accounts need to be created to give that employee access to these systems. Some systems may be Windows-based, some Linux-based. It's a smorgasbord.

So, when HR brings someone on board, they face a problem of governance and access: they have to get these people enrolled in all of the systems they need.

The difficulty is that with all these systems out there – legacy and new – you've got to figure out not only what systems they need to access, but what kind of access they're entitled to.

In the Windows world it is fairly easy. You just use Active Directory to classify employees in roles for the applications and level of privilege they need and you're done. When they leave the company, you delete them from Active Directory, and when they change roles you change their group membership.

But enterprise applications creep far beyond the Windows platform and that's the problem. You've got all these other cultures and religions to deal with as well – and believe me, other operating systems are regarded as religions – plus the cult of SAP and Salesforce to think about.

And while many applications do have Active Directory connectors built into them, the dark secret of it all is that these connectors don't work all that well. Further complicating things, when a company adds new systems, takes systems away or updates them, almost universally these provisioning systems stop working and that ends up leading to more manual work. Over time, these systems just fall apart.

One of the most common reasons the systems fail to work is the problem of paperwork. When someone leaves or joins the company there's usually a mountain of paperwork involved and there is a workflow that has to be taken care of that is partially manual and partially electronic. Now, when people come into the company, their bosses are screaming for access and that becomes top priority. But when they leave, the sense of urgency just isn't there.

Similarly, when employees change jobs the demand from up top is for new access, but no one pressures for the old access to be turned off. So you run into a queuing problem: you can go into any given organization and potentially see hundreds of people who have been discharged or who have changed their roles, and there is one HR person who has to go through the paperwork and go into the systems to get rid of their accounts.

A backlog inevitably grows. People forget about accounts that are orphaned and left open to be used by the previous employee or anyone else that knows about the account. The danger is that not only are there low-level accounts in this backlog but also privileged accounts with a direct pipeline into the company's most important IT assets.
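The backlog described above can be measured rather than guessed at. Below is an added example (not code from this column or from Lieberman Software) that reconciles a constructed HR roster against a constructed directory export and reports leavers whose accounts are still enabled, movers still holding groups their current role is not entitled to, and accounts with no HR owner at all, privileged ones first; the group names, role-to-group mapping, employee ids and account names are all assumptions.

```python
from collections import namedtuple

# Constructed role-to-group entitlements (assumed, not from the column).
ROLE_GROUPS = {
    "dba": {"DB-Admins", "Remote-Users"},
    "developer": {"Dev-Git", "Remote-Users"},
    "helpdesk": {"Helpdesk", "Remote-Users"},
}
# Constructed set of groups that confer elevated rights.
PRIVILEGED_GROUPS = {"Domain Admins", "DB-Admins"}

# Constructed HR roster: employee id -> (status, current role).
HR_ROSTER = {
    "e100": ("active", "dba"),
    "e101": ("terminated", "developer"),
    "e102": ("active", "helpdesk"),     # mover: used to be a DBA
    "e103": ("terminated", "helpdesk"),
}

# Constructed directory export: (account, HR owner id, enabled, groups).
ACCOUNTS = [
    ("alice", "e100", True, {"DB-Admins", "Remote-Users"}),
    ("bob", "e101", True, {"Dev-Git", "Remote-Users"}),
    ("carol", "e102", True, {"Helpdesk", "Remote-Users", "DB-Admins"}),
    ("dave", "e103", False, {"Helpdesk"}),
    ("svc-backup", None, True, {"Domain Admins"}),  # never linked to HR
]

# issue is one of "orphaned", "excess-group" or "no-owner".
Finding = namedtuple("Finding", "account issue detail privileged")


def reconcile(roster, accounts):
    """Return lifecycle findings for the export, privileged ones first."""
    findings = []
    for name, owner, enabled, groups in accounts:
        privileged = bool(groups & PRIVILEGED_GROUPS)
        record = roster.get(owner)
        if record is None:
            # No HR record: nobody owns the offboarding of this account.
            findings.append(Finding(name, "no-owner", "no HR record", privileged))
        elif record[0] == "terminated" and enabled:
            # Leaver whose account is still enabled: the orphaned case.
            findings.append(Finding(name, "orphaned", f"owner {owner} left", privileged))
        elif record[0] == "active":
            # Mover who kept groups the current role is not entitled to.
            for group in sorted(groups - ROLE_GROUPS[record[1]]):
                findings.append(Finding(name, "excess-group", group,
                                        group in PRIVILEGED_GROUPS))
    return sorted(findings, key=lambda f: (not f.privileged, f.account))
```

A disabled leaver account (dave) produces no finding, so the report only lists what still needs action.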

Bringing in a privileged identity management system automates the digging and the finding of these omnipotent accounts to understand how everything connects together. Putting it in place is a science, one which will better help you control who does what with your most critical data.

And remember, if God created the world in six days, shouldn't you be able to find and secure all of your privileged accounts in the same amount of time? With the right privileged identity management solution you can.

Philip Lieberman is president/CEO of Lieberman Software in Los Angeles.
