May 28 2014

Identity & Access Management: Don’t get Death Starred!

Many things seem impenetrable until a “small vulnerability” is exploited. The phrase “small vulnerability” almost sounds like an oxymoron when you think about it.  Take the fable of one Luke Skywalker and the Death Star.  In the story Luke exploited a small two-meter-wide thermal exhaust port in the Death Star’s design to destroy the ultimate weapon and break the back of the Galactic Empire in their moment of triumph. To make matters worse the Empire was warned about this “small vulnerability”, but the Galactic bureaucrats reasoned that the risk was small and the whistleblowers were overestimating rebels’ chances.  

Every fable has a lesson and the lesson here is that you are only as strong as your weakest link. No vulnerability is too small and no risk is worth taking when your entire business is at risk. This should all sound familiar if you follow business and security news.  Time and time again the story remains the same.  Business X is warned of a potential risk, but takes no action because the risk is “small” or the solution costs too much. Then someone exploits this weakness, costing business X far more money than the actual fix would have cost. Afterwards business X’s reputation is further damaged when it comes out they knew about this vulnerability all along and did nothing.

One thing remains constant and that is when you have something someone else wants they will never stop looking for ways to take it from you.  The gate didn’t stop the barbarians and the Death Star was no match for the rebel scum.  When a motive presents itself to an interested party, be it a tactical victory in an intergalactic war or the theft of critical data, such vulnerabilities will be discovered and exploited. It’s not a matter of if, but when.

Considering the time, effort and expense the modern enterprise invests in IT Security and specifically Data Loss Prevention (DLP) to gain visibility into and control of their environment, isn’t it shocking to know that most organizations don’t extend these capabilities into their encrypted networks?

While Next-Generation Firewall (NGFW) technology has improved the intelligence of IT Security efforts by enabling some content inspection, there are still some “small vulnerabilities”. For instance, while NGFW control of SSL is very granular and can occur in real time, the lack of a detailed audit trail represents a substantial security risk.

NGFWs focus on real-time content inspection, often overlooking forensic analysis. They do not index content, making future search functionality impossible.  This is all rather useless even if you do hire people to monitor your traffic 24x7.  Additionally, NGFWs only offer command-level logs of SSH sessions, lacking support for graphical protocols such as RDP, and do not provide a means of supporting shared account mapping, or a key or password vault.  A modern enterprise requires a modern security strategy.

In short, next generation firewalls are valuable tools, but leave Privileged Access Management (PAM) vulnerabilities that by no means should be considered too small to address.

The inability to inspect encrypted traffic, apply Data Loss Prevention policy and provide a tamperproof audit trail represents a tremendous vulnerability in modern cybersecurity strategy.  For many enterprise businesses this is the proverbial thermal exhaust port. The threat could come from a malicious insider, à la Edward Snowden, or tomorrow’s headline-worthy security breach. Don’t wait for an audit failure to take action because it might be too late.

The best defense is a holistic, inline approach that includes Active Directory integration, shared account mapping, encrypted channel monitoring, DLP enablement, real time alert functionality, session termination and thorough audit capabilities to address the comprehensive Privileged Access Management needs of the modern enterprise.

Do not get Death Starred by overlooking seemingly “small vulnerabilities” capable of bringing even the mightiest of empires to its knees.

The bad news is that you can’t control J.J. Abrams’ mind as he directs the upcoming Star Wars VII film.

The good news is that your enterprise can still avoid the Death Star’s fate by unleashing the hound.

by John Walsh, Software Engineer, Core Development
John Walsh is a Software Engineer and a member of R&D at SSH Communications Security where he has focused on core product development and technical support. John has over 10 years of experience in software design in the IT security industry. Prior to joining the company, he worked at IBM where he designed and developed a number of key software features for security products such as LDAP, Firewall, and Java Cryptography. John holds a BS in Computer Science from Binghamton University as well as an MS in Management Information Systems from Marist College.