How many IT departments control the passwords being used by administrators and yet fail to do the same for services, scheduled tasks, and other applications that use credentials? Organizations fret about their private keys being stolen and used in malware but then donít enforce any security policy around the protection of keys. Organizations allow hundreds, and in some cases thousands, of employees to have privileged access to their PCs because it is easier than enforcing a policy that demands permission to install software. Yet how many organizations regularly check the registries of their workstations to see if anything has been added or modified?
The placebo effect
Today more often than not, security related projects usually start off with a failed audit Ė the equivalent of a sharp pain in the chest. This is usually as a result of bad habits that have developed over the years. You would think that the patient would rush to hospital to make sure everything is fine. Yes it is inconvenient, but surely you donít want to take risks!
But the reality is different. What the patient (management) generally does is call in the consultants who frequently have no practical experience; consult industry reports which frequently are not much more than regurgitated marketing material from a variety of vendors. The result is frequently an RFP that consists of little more than a list of irrelevant questions. This is then sent to a group of vendors who promise to cure all diseases for the lowest possible cost. Itís little more than a placebo. Actually Iíve come to realize more and more that most technology seems to be little more than a placebo Ė in other words you will feel better for taking the stuff that you buy but it probably wonít do you much good. You might as well start browsing health websites when you have a heart attack, put together a questionnaire and send off to several hospitals and see what they offer as a solution.
No pain no gain
Too many organizations have learned through bitter experience that implementing a privileged identity management solution is too important a process to delegate to a rubber-stamp RFP or a battle of vendor checkboxes. If handled correctly your implementation can help you close critical security loopholes; help make staff members accountable for actions that impact IT service and data security; and lower the cost of regulatory compliance. Yet the wrong choices too often turn into expensive shelf-ware Ė or worse.
Privileged Identity Management software is not a commodity and should not be purchased based on RFP checkboxes and up-front fees alone. Vendor claims to the contrary, not all solutions perform equally well under vastly different deployment conditions.
Youíd never choose a doctor based solely on cost, nor would you trust a physician who writes a prescription before taking the time to diagnose your condition, check your medical history, and perhaps run some tests. Maybe the time has come to treat your IT Security like your personal health. After all when youíre in the operating theater it is comforting to know that youíre neither the guinea pig for a first time surgeon, or the patient keeping them from their next round of golf!