Securing Privileged Accounts in a World of Mass Communications
Thycotic dates back all the way to 1996, when it was initially founded as a consulting company that helped to solve user access issues in Microsoft, Linux and Unix systems. With the intent of making their lives easier and helping their consultants do their job, they developed a software that helps manage and control privileged accounts within organizations. As time went by, they realized the huge potential of their software and shifted from being a consultancy firm to a fully dedicated software development company. Nowadays, with over 7,500 customers worldwide and 180,000 IT administrators successfully protecting their privileged accounts, Thycotic is dedicated to innovating and building leading Privileged Account Management software. We sat down with Cyber Strategist Joseph Carson to talk about privileged accounts, why they are such a risk to security and how can they be protected. Share
What's unique about the Thycotic software?
While the software was created for IT people, ease of use has been a core value for Thycotic right from the start; we decided our product needed to be really easy to install, use and customize, so that users can take full advantage of the features and get immediate value. Even today, ease of use continues to play a significant role as we add more features.
What makes privileged accounts a problem for organizations?
Before Thycotic, I was a system administrator in a data center with thousands of servers. With my fully-privileged account, I could login to all servers and perform any action I wanted; obviously, that was a very sensitive account.
Today, there are so many of those accounts that IT admins are struggling to manage them.
Typically, there are 2-5 times more privileged accounts then the number of systems in place.
Almost every server, hardware and software comes with privileged accounts; every cyber-criminal uses those accounts to perform malicious activity; but in many organizations, users don’t even change those default passwords.
To get back in control, IT administrators should be able to manage, create and delete privileged accounts and keep track of their permissions at all times.
We help organizations discover and secure those privileged accounts by changing generic ID's and passwords, protecting endpoints, controlling access and auditing capabilities.
My personal view is that once a cyber-criminal is inside your system, you're in disaster recovery mode. The difference between a perimeter breach and a cyber catastrophe is whether or not a privileged account had been compromised.
Therefore, our goal is to reduce the cyber footprint of privileged accounts to the minimum and to protect and secure them.
How easy is it to deploy and use Thycotic?
Securing privileged accounts is one of the fastest growing areas in the cyber world today. While many see it as a complex project to take on, our solutions simplify it to enable a quick turnaround for our customers.
There are many solutions out there; even if you're an IT admin with fantastic skills, most of them would still require a learning curve with hands on experience before you can start using them efficiently.
In our situation, an IT administrator possessing fundamental to intermediate abilities can set up and configure Thycotic within a span of 1-2 hours and acquire sufficient proficiency to effectively operate it within a day. The process is highly intuitive, requiring minimal, if any, consultation.
Our solution is suitable for organizations from 50 employees up to more than 10,000+; they all need this kind of solution, even if there's only one administrator.
Some of the smaller organizations only need a certain set of the tools, which our free version can provide; for larger institutions we have a richer feature set, and we can also tailor our solution according to specific needs.
What can you tell us about your free tools?
We leverage a couple of areas to allow people to see if they need the full Thycotic capabilities. These online tools include Benchmark surveys and peer reviews to evaluate the organizations' current state.
We also have a privileged account discovery tool for Windows, Unix and Linux, which provides an immediate report on the current footprint and discovers all privileged accounts, protected and unprotected.
Next, using our Windows application discovery tool we can discover applications, inventory about which applications are on the environment and what the risk’s are.
The free version of our Secret Server, which is our core product, provides the ability to discover and manage privileged accounts. Many companies with smaller environments can use the free version and get value quickly, and upgrade to the paid version anytime if they need more features.
The significance of privileged account management is growing rapidly these days. I've been in this industry for more than 25 years, the global technical advancements and pressure that technology companies have faced to be more innovative and fast paced have come at a massive cost of our cyber security and privacy in which both have often been sacrificed for innovation and ease of use.
How do you see the future of cyber-crime?
Many nation states have highlighted cyber threats as having the biggest impact on important topics like the economy, immigration and war. Recently the USA released a 100-page report on enhancing national cyber security, where they recommended the recruitment of cyber security experts to protect the countries virtual assets and prevent cybercrime.
Moving forward, cybercrime will become fundamental. We will start to see the cyber virtual and physical worlds merge, with direct physical damage causing major concerns.
Cybercrime will no longer be an IT problem, but a collective effort with many human factors involved.
The next generation of work force will need to be properly trained for security "hygiene". There will always be vulnerabilities, so we need to start educating the current workforce to have a better understanding of security issues and adopt best practices.
Another escalating issue that will need to be addressed is solving the identity problem with online services, where you never know who's at the other side. There's a lack of trust and identity validation will be the way forward.
Technology-wise, we will see a lot more implementations of security by design, and companies will need to prioritize that over ease of use and speed. There are new regulations that are helping to change this mindset, and inevitably, the market will need to adapt.
Some industries will be prioritized over others in cyber-crime prevention, which will become one of the top 10 concerns of all states.
Currently, there are 3.5 billion people using the web, and figures are continuously increasing. This year we've seen some of the biggest breaches to date.
In 2016 alone, 2 billion identities and passwords were stolen; that's two-thirds of all internet users! In other words, anyone who was using the internet this year experienced the impact of cyber-crime, whether they knew about it or not!
What best practices would you recommend for individuals who want to secure their online identity?
First and foremost, you should limit the amount of personal info you reveal online, and increase the default security level of social media accounts or any other online tools you use. Things like Multi-step authentication with memorable long passwords will increase your security, as well as using secure encrypted sites and VPN solutions, which secure their users by default.
With regards to emails, you should have multiple accounts in place: one for communications, another for subscribing to forums and websites, and a third one dedicated for recovering accounts, which should be done outside your normal account.
If you're using public Wi-Fi, remember you're being monitored, so limit the use of it and make sure to encrypt your data.
Doing all that wouldn’t necessarily ensure that you will not be hacked, but it will make a huge difference.