Co-Management involves sharing the responsibility for the configuration, management and operation of a particular device or offering.

I first started using the term in 2002 to talk about firewall management. Co-Management represents a hybrid between a managed service (where the service provider provides all of the functions defined above) and an internal solution (where no service provider is involved).

The term has been used over the past 10 years in a number of contexts, but most recently to describe Co-Managed Privileged Password Service. Privileged Password Management relates to the lifecycle of privileged account passwords, like Administrator on Windows or root on Unix.

Co-Management has a number of advantages if properly implemented, but typically is more difficult to execute than a managed service or an internal solution. This is primarily due to the largest risk of Co-Management, which is accountability.

True Co-Management means that either organization, the service provider or the customer, has the ability to implement change. This requires a system with rock-solid auditing to ensure accountability. Also, many service providers do not want the level of transparency Co-Management dictates. These are two reasons why more service providers do not offer this approach.

However, the advantages of Co-Management are the following:

• Cost: A co-managed solution will typically be less expensive than an internal solution, since the resources needed to provide the service can be shared among multiple customers, allowing each customer to pay less. For example, each person required to manage the service does not need to be hired by the customer, but in fact can be shared across multiple customers, allowing the service provider to allocate cost across multiple customers.

• Expertise and Experience: People use specialists (whether a doctor, plumber or handyman) either because they need a skill they do not have (like medical training) or experience they lack (like installing a sink), or time they do not have (like the handyman that hangs the picture you have been trying to hang for months). The same applies for Co-Management. In the firewall example, you may need a skill (how to effectively write firewall policy) or experience (when does a port scan mean an attack versus a misconfigured server). For Privileged Password Service, it may be expertise (how do I make it work) or experience (is it working correctly) that drive the need. In either case, the customer gets the advantage of a specialist to work directly with them.

• Knowledge: The main advantage of Co-Management over a typical managed solution has to do with the knowledge the customer has over their environment. The customer typically designed, built, and lives in their environment. They can say immediately whether they have employees in another country that should be accessing their resources at 2 a.m. They also own and understand their risks better than any service provider.

• Control: This is the other factor that gives Co-Management an edge over a managed solution. In a true co-managed offering, the customer has the ability to effect change independently. This gives the customer control to make changes for a variety of reasons — safety (they need a password in the next two minutes to reboot a critical system), operations (this firewall rule is not allowing the e-commerce site to function), or privacy (thank you, but the HR system will only be accessed by us). Control also allows the customer to have transparency into the actions of the service provider.

With these advantages, why hasn't Co-Management become the standard approach for security services? As I mentioned before, it is easy to describe but difficult to execute. In the firewall example, if a firewall rule change knocked out the e-commerce site, who made the change? If there is any doubt, Co-Management will fail. It also requires the service provider to provide transparent access to their activities. The customer can easily see that the change they requested has been completed, when it was completed, and most importantly, how it was completed. Some service providers see this as sharing the expertise that reflects their value.

Co-Management for Privileged Password Management makes a lot of sense. First, look at the evolution of Privileged Password Management. In the 80s and 90s, this was only handled internally through in-house developed technology. During the 2000s, commercial products began to displace in-house technology in these internal solutions. Now, Managed Solutions are beginning to appear in the marketplace.

Co-Managed Privileged Password Service represents all of the advantages of Co-Management:

• Cost: The commercial solutions described above are primarily designed for Fortune 1000 customers, which leads to Fortune 1000 capabilities and prices. This has been a deterrent to smaller companies trying to satisfy this requirement.

• Expertise and Experience: Privileged Password Management is still relatively new technology compared with firewalls or authentication. Experts are not common. Experience tends to reside in the large companies that were early adopters, and definitely not in the SMB space.

• Knowledge: The customer knows which accounts and systems are the most important to manage based on risk or operational uptime. More importantly, they know which individuals should have access to these passwords, and under what conditions.

• Control: Control and management of these passwords are critical, as these passwords represent the 'keys to the kingdom' and must remain under the customer's control. This is why a large centralized system has not been successful. Cloud CRM has critical information, but most companies (no matter their size) do not feel comfortable with the local administration password for their CEO's laptop sitting in a datacenter they do not control.

Privileged Password Management is a key control for individual accountability. Compliance and auditing organizations are becoming increasingly aware of how this affects other mechanisms. A strong two-factor authentication mechanism does not work well if administrators can bypass this control by logging in with a shared local administrator account. System logging doesn't help describe what has happened if multiple individuals are using the root account which was noted in the log.

The world is becoming more connected every day, which means that more and more small companies are using the internet for basic business functions. As threats continue to evolve and adversaries have the ability to use the internet to reach all companies, small companies are becoming targets at an increasing pace. Co-Management is an answer for companies that need expertise to help them solve their problems, without creating new ones by reducing the control over their environment.

Kris Zupan, CISSP, is CTO at Rallypoint Solutions LLC in Wilmington, Del.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.