Java Platform, Enterprise Edition

Java EE Journal

Subscribe to Java EE Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Java EE Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

J2EE Journal Authors: Zakia Bouachraoui, Douglas Lyon, Stackify Blog, APM Blog, Sumith Kumar Puri

Related Topics: Cloud Computing


BeyondTrust Focuses on Privileged Access and Cloud Computing Security

Identity Management, Hypervisor Lie at Core of Company's Platform

Security issues related to Cloud Computing will not go away. So, rather than complain about that, I thought I'd interview someone whose company focuses on a critical aspect of security, say identity management.

In that spirit, I had the opportunity to speak with Brian T. Anderson, CMO at BeyondTrust. Brian's been around the industry for awhile, working for FileNet, Access360 and IBM, Avamar (which was acquired by EMC), and HNC (acquired by Fair Isaac). I started by bringing up the topic of "inside jobs" when it comes to security...

I saw some figures that state that 70% to 80% of cyber-mischief and outright cybercrime is committed with the help of insiders. Sounds like a big identity management problem. How does this square with your experience, and what does your company do to prevent it? Also, could you outline your concept of "brokered privilege"  for us?

I wouldn't doubt those numbers. Additionally insider breaches cost more than outside ones at $2.7 million per attack.

Awareness for the insider threat is high, but what most people don't realize is the vast majority of vulnerabilities and hackers leverage administrative access in some way to become a threat. For example, last year we went through Microsoft's security alerts in our annual analysis and found that 90% of vulnerabilities Microsoft patched that were identified as critical, could have been mitigated by eliminating admin rights.

Insiders with computer knowledge are the most dangerous. Even the recent case of Jerome Kerviel, a stock trader, is rooted in the fact that he had a technical background that allowed him to circumvent computer-enforced policies. IT staff can be the most dangerous because they have the expertise and access.

Finally, another area that many don't realize is that administrative access can allow outsiders to break in without the insider's knowledge. For example, malware can install backdoors and keyloggers on the desktop of an aloof employee with unlimited administrative access, who thought they were downloading a free antivirus.

How will more widespread Cloud Computing increase the challenge your customers face?

Cloud computing tends to give a broader number of IT staff more access to more servers across less regulated and more varied organizations.

For example, a company with their own email servers might have two admins designated to those servers, who are accountable for them. However, when this company outsources to a cloud vendor, that cloud vendor probably has 20 staff who each have access to the email servers of 20 other companies. Additionally, that cloud vendor is not held accountable by its customers to follow regulations.  This begs the question of whether or not secure multi-tenancy can exist in the cloud?

The hypervisor of the virtualized servers that run cloud computing also creates an additional layer that needs the same security precautions as the servers themselves. In most virtual environments today, IT staff can mount data to the hypervisor as an easy way to gain unlimited, unsupervised access.

These issues weren't as critical when organizations were virtualizing less critical servers, but now many organizations are virtualizing even their most sensitive servers without implementing the appropriate tools for admin access and that's scary.  Ultimately what is needed are controls for those priveleged users (admins) to ensure nothing outside of corporate policy or government regulations is even possibe.

What about accidental misuse? Your customers have no doubt seen the "fat finger syndrome," too, right?

Though difficult for many to admit, humans are fallible. We are not perfectly consistent in our principles personally or professionally. Accidental misuse of privileges on desktops and servers does happen, and it does have a measurable impact on the organization as a whole. For example, desktop configuration errors cost companies an average of $120/PC, according to IDC report, "The Relationship between IT Labor Costs and Best Practices for IAM."

There are three fundamental misuses of IT privilege that your IAM solution should be perpetually protecting against: intentional, accidental and indirect.

Identity and access management is typically looked at from the AAA perspective: Access, Authentication and Authorization.  Access solutions answer the question "can I come in?", Authentication solutions answer the question "are you who you claim to be?" and Authorization solutions answer the question "what privileges do I have when I'm in?"  A fundamental issue facing corporations today is the threat posed by this insider.  This sets up the question of "how can I protect against good people from doing do bad things?

* Intentional harm is the most visible and usually results in significant cost to your corporation.  This "insider attack" is the result of an administrator intentionally deleting or stealing data, planting some malware.

* Accidental harm is the most common but is usually not measured in direct impact to your corporation.  This is the result of someone attempting to do a specific action (i.e. install or upgrade software, go to a specific website, use a system task) and either miss-keys a step or doesn't follow the directions and a problem occurs that requires the Help Desk to step in and fix the mistake.

* Indirect harm is the most esoteric but in reality another potential for significant cost to your corporation.  This is when some malware hijacks an administrator's credentials and causes damage while impersonating that administrator.

Do you consider "Private Cloud" to be Cloud Computing? That is, private cloud to me seems simply to be virtualization. Am I just getting hung up on semantics here? Does the definition matter that much to your customers?

Private cloud is really just another name for a "corporate portal", "extranet" or "intranet".  Whether or not that environment exists on a virtualized server is dependent upon how it was configured, so you are actually mixing two different computing concepts.  Virtualization is running multiple computing environments on one physical server instead of separate physical devices leveraging the underutilized computing capacity that has historically plagued IT resources.

Cloud is just putting data and/or applications out on the web to leverage the economies of outside resources (public cloud) or centralized management of resources that many be geographically dispersed (private cloud).

You've given actual public demonstrations of how privilege can be abused. Can we find that online somewhere?

There are a couple video demonstrations on our YouTube channel at: These are ~5 minute command prompt presentations where we show how an IT admin can use the hypervisor to gain unlimited and unmonitored access to data.

Who do you talk to personally, techies or the business side? How important is it for the business side to understand exactly what you're doing, how it adds value, and how it prevents catastrophe?

We talk to the tech side about integration, fit and ongoing management within the current identity and access management infrastructure (reducing operational costs and response time for incidents).  The business executives need to understand the delicate balance between security, governance and compliance with individual productivity.  Historically an organization that is secure has poor productivity due to the imposed constraints while organizations that have productivity are a "shooting gallery" for inside attacks.  Going back to the fundamental question of "how do I stop good people from doing bad things (even if accidentally)?" is the core value proposition that we at BeyondTrust are solely focused upon.

BeyondTrust is a relatively new name for your company, which you took on after an acquisition. Could you give us a brief background of your company's history?

BeyondTrust was founded as Symark in 1985. Symark was a privileged identity management (PIM) vendor that sold solutions for Unix/Linux servers under the PowerSeries brand. The company's landmark product, PowerBroker allowed enterprises to break down root admin passwords into individual accounts for each admin that incorporated accountability and monitoring based on corporate policy into privileged access. 

From 2003-2008 Symark grew 300% and expanded around the globe. Simultaneously a desktop company named BeyondTrust was introducing AutoProf, the first commercially available product built into Microsoft's Group Policy Objects, which managed admin access on desktops. In 2005 alone their revenues grew 90%. BeyondTrust changed the product name to DesktopStandard and by 2005 had over four million desktops under the solution's management across 500 customers. 

In 2009, seeing the potential to become the only single-vendor solution with integrated technology to manage privileged access on both desktops and servers, Symark acquired BeyondTrust and inherited the company name. The PowerBroker brand became the platform name for all the company's products and the modern day BeyondTrust now has a plethora of integrated solutions that together manage administrative access in any common environment for desktops, servers, devices or virtual OS.

More Stories By Roger Strukhoff

Roger Strukhoff (@IoT2040) is Executive Director of the Tau Institute for Global ICT Research, with offices in Illinois and Manila. He is Conference Chair of @CloudExpo & @ThingsExpo, and Editor of SYS-CON Media's CloudComputing BigData & IoT Journals. He holds a BA from Knox College & conducted MBA studies at CSU-East Bay.