School Employees Credit Union of Washington doesn't fall under the scope of Sarbanes-Oxley (SOX) requirements, but its auditors are increasingly interested in seeing that the credit union has the same types of internal controls that SOX requires of public companies.
"They want a chain of control for who has been accessing systems with administrative-level passwords," said John Campbell, information security officer at the not-for-profit financial cooperative.
While the credit union typically has the trail auditors look for because employees have their own accounts, it gets some help from a tool by e-DMZ Security, LLC. Password Auto Repository (PAR) controls access to privileged accounts, such as Unix root accounts and Windows aAdministrator accounts that are shared by administrators.
"In the event that a machine suffers a breakdown that can't be dealt with by normal accounts, we need to go back to root passwords or to the local admin passwords," Campbell said. "This way, we can prove to whom the password was released and therefore who was associated with the activity performed, so there's non-repudiation."
SOX compliance requirements and other regulatory demands, combined with heightened security concerns, are driving demand for privileged account management technology like that used by the Washington credit union, experts said.
"Auditors are getting more sophisticated about the risks associated with privileged accounts," said Mark Diodati, a senior analyst for identity management and information security at Burton Group. "You only have to look at the news and see data breaches associated with privileged accounts to see that they're spot on."
Even in a down economy, the market around privileged account control is exploding, he said. There's increased demand for privileged account management products that control access to privileged accounts, as well as authorization products that control what those accounts can do, and many companies are marketing a broader view of privileged management, he added.
Financial services is the hottest market for the privileged account management, but the technology is being deployed across all verticals, including healthcare, Diodati said.
In addition to e-DMZ, privileged account management vendors include Symark International, Inc., Cloakware Inc., Cyber-Ark Softwaree, Ltd., Lieberman Software Corp., Passlogix Inc., and Quest Software, Inc.
"Whether it's Sarbanes-Oxley or security audits, controls over administrator passwords appears on everybody's audit checklist," said Paul Rohmeyer, assistant professor at Stevens Institute of Technology in Hoboken, N.J.
Anything that helps automate the ongoing monitoring of administrator credentials "fits into a sweet spot" for firms that must comply with SOX compliance requirements and banking regulations, he added.
For School Employees Credit Union of Washington, which has offices in Seattle and Spokane and more than 74,000 members, e-DMZ Security's PAR product provides more than audit support. It's also a disaster recovery and vendor management tool.
With one PAR appliance deployed in the cooperative's primary data center in the Seattle area and another deployed at its disaster recovery site at the other end of the state, PAR is implemented as both a primary and failover strategy, Campbell said.
"If we have a disaster, all the local administrative passwords and encryption keys would be at either site and could be released if necessary," he said.
And when vendors need access to an administrator password, he can release it through PAR and audit the access. Overall, the tool helps reduce risks on many fronts, Campbell said.
"I don't have to worry about someone not being able to take care of a machine if something goes wrong after hours or if we have a disaster," he said. "I don't' have to worry about unaudited use of powerful credentials that people aren't supposed to use on a daily basis."
The credit union looked at some other privileged password management products but found that PAR was the most cost effective, Campbell said. Plus, the organization was already familiar with e-DMZ Security through the managed security services it used to offer.
Martin Ryan, vice president of sales and marketing at Wilmington, Del.-based e-DMZ Security, said about 80% percent of the vendor's sales are driven by compliance needs, with SOX and PCI compliance major drivers. In addition to PAR, e-DMZ Security offers eGuardPost, which records and manages privileged account sessions; the two products are the foundation for the company's Total Privileged Access Management Suite.
In addition to regulatory concerns, a need to control developer access to production has been a driver for large financial firms to use eGuardPost, Ryan said. Any changes to production systems that cause problems can cost financial firms a lot of money, he added.
John Mutch, chief executive officer at Agoura Hill, Calif.-based Symark, said increasingly complex security issues, internal threats and growing audit pressures will continue to drive demand for what his company markets as privileged access lifecycle management. It's critical for organizations to control "super users" - administrators with access to large system resources, he said.
"This is the individual who can plant the logic bomb, who can perpetrate massive fraud and cause catastrophic damage to your IT infrastructure," he said. "They can create the nightmare that every CEO wants to avoid."
For more details on privileged account management technology, check out Diodati's article on privileged account management, in the current issue of Information Security magazine.