In the thousands of networks, systems and applications I’ve assessed and audited in my career I’ve encountered two vulnerabilities far more than any other: weak user account security and poor passwords contributing to unauthorized access to company assets. Rarely does a security assessment go by where I don’t find a user account that had never been used and that I was able to penetrate using a standard default password that the administrators issued for all new accounts. I can’t count how many times I’ve discovered vendor application accounts configured with the default password, most often the same word as the account itself. On more occasions than you would believe, I’ve cracked into the root (UNIX/Linux) or Administrator (Windows) accounts because the passwords were embedded in backup scripts, set up for convenience and not properly protected. And of course, the most common security vulnerability of them all, poor user account passwords that are never changed, never expired, and not forced-configured with complexity (symbols, numbers, etc.), account for the most instances of unauthorized access.
The problem is so widespread that it is the underlying reason for the most talked-about “hacks” in the news. The theft of credit cards, intellectual property (IP), health records and other sensitive information can be attributed in large part (even more so than SQL injection attacks) because of a poorly protected user or system account that were penetrated. From my experience the reason why this issue is so prevalent is because companies do not have the resources – people and time – to properly administer their user accounts and access to their networks and systems. Companies are also increasingly outsourcing their IT operations to third party service providers who sometimes don’t do any better at securing user accounts. As IT staff has shrunk over the past four years, the effective security of user accounts and access has diminished. It is becoming more and more evident that automating the management of user accounts and passwords, or identity and access in the security vernacular, is the key to addressing this problem.
According to Wikipedia, identity and access management (sometimes abbreviated as IDM or IAM) “describes the management of individual identities, their authentication, authorization, and privileges/permissions within or across systems and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.” In other words, an IDM product suite, such as Oracle Identity Management 11g, provides a centralized capability to manage and secure user accounts and access including ensuring that user accounts are valid, users have only the access to what they have a valid business need for, passwords are secure and consistently applied to all systems and applications according to company security policy, and that the company can monitor and audit user activities to ensure that access is not abused. These products can also provide additional benefits such as single sign-on and reporting for compliance purposes. With these kinds of protections in place my job of penetrating your systems and stealing your sensitive data is that much more difficult, and that’s a good thing.