The Genesis of Privileged Identity - The Creation and Evolution of The Superuser
When I think about managing identities and privileges within an organisation, one of my favorite analogies for the whole privileged identity lifecycle is biblical. Everything starts 'in the beginning' with a super-user. Whether someone starts with a server or a workstation, creates on-premises solutions for their network infrastructure or builds out a cloud, they'll always have to start out with an account with god-like power that will control all other accounts accessing that resource going forward.
Now, if you were not there at the set-up of new resources, you'd probably be unaware that a super-user account was created at the genesis. But that super-user account never goes away and in most cases is used day-to-day, either by someone or by something (applications or automated systems). As time goes on, the knowledge of these super-user accounts, where they are, how they're being used and so on, gets lost. Just as the history of how the bible originated is a mystery to most people except for scholars, so it goes with privileged identities.
As time goes on, things change in the world of IT and, again, most people don't understand the implications. Add new appliances, switches, routers and software, and new root accounts pop up. Blend that in with new super-user accounts for things like intrusion detection devices, antivirus systems or DLP, and you get a whole new layer of privileges added to the environment. People don't really think about it; they simply interact with it at the user level, and the environment continues to evolve and morph.
But when auditors and regulators come in and ask 'Who created all of this?' and 'Who has access to these accounts?', you've got a good old-fashioned debate on par with creationism and evolution, because there's no one still around who can answer where the accounts came from and no records detailing who can access them.
Mining the Infrastructure with Privileged Identity Management
So where does privileged identity management play in this metaphor? I like to think of it like being the archeologist of the bunch. When you're managing these identities, your job is to go out and mine the infrastructure, looking for 'fossils,' or those clues that provide your organisation with a view of where those god-like accounts are, how they're being used and what they're being used to do.
It's an important task, because there are plenty of rogue scientists (hackers out in the field) who know all about these fossils. They're also looking for DNA in the bones embedded in the rock that can be used to piece together where the original accounts are in your infrastructure. So much information about these super-user accounts is publicly available, waiting to be mined by the bad guys. Don't believe me? Search Google with the phrase 'default administrator account' and see how many websites there are that list the default account information that will get you into most systems if the logins are not changed. Still don't believe me? Visit the Default Passwords List website - your passwords are probably there, for the world to see.
Don't kid yourself. Those default logins are lurking in the bedrock. The problem with most organisations today is that the person provisioning new users may do so through a root account without even realizing it. Even if they do know what they're doing, they may not know that these accounts are actually only a subset of all of the privileged accounts out there, many of which have always been accessible through default login information.
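One concrete form of the 'mining' described above, as an added example that is not from the original article: a small Python audit over constructed passwd/shadow-style records that lists every UID 0 (root-equivalent) account, flags ones hiding under a non-root name, and flags passwords that have not been rotated within a chosen window. The sample records and the `audit_superusers` function are constructed for illustration, not taken from any real host.

```python
"""Find root-equivalent accounts and unrotated superuser passwords
in passwd/shadow-style records (constructed sample data, not a real host)."""

# Constructed sample: a service account quietly given UID 0, and a root
# password that has not changed since roughly 2008 (days since the epoch).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:0:0:backup agent:/var/backup:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:$6$saltsalt$hashhash:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
svc_backup:$6$saltsalt$hashhash:15000:0:99999:7:::
alice:$6$saltsalt$hashhash:19900:0:99999:7:::
"""

def parse_passwd(text):
    """Map account name -> numeric UID for each passwd-style line."""
    uids = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid = line.split(":")[:3]
            uids[name] = int(uid)
    return uids

def parse_shadow(text):
    """Map account name -> day of last password change (None if never set)."""
    changed = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, lastchg = line.split(":")[:3]
            changed[name] = int(lastchg) if lastchg else None
    return changed

def audit_superusers(passwd_text, shadow_text, as_of_days, max_age_days=90):
    """One finding per UID 0 account: is it hiding under a non-root name,
    and has its password gone unrotated for longer than max_age_days?"""
    uids, changed = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, uid in uids.items():
        if uid != 0:
            continue  # only the god-like accounts matter for this audit
        last = changed.get(name)
        age = None if last is None else as_of_days - last
        findings.append({"account": name,
                         "hidden_superuser": name != "root",
                         "password_age_days": age,
                         "stale": age is None or age > max_age_days})
    return findings
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow, with `as_of_days` set to today's day count since the epoch.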