Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their security architecture: the concept of a Root User, Domain Administrator, System Administrator or other high-level operator account, and the data access rights that come with it. These accounts have always had access to every aspect of a system (software installation, system configuration, user creation, networking, resource allocation and more), as well as access to all the data the system holds.
These accounts exist because of the need for system maintenance and management. But, as systems have become more closely interlinked and with increasing amounts of private and confidential data accessible to them, there is increased risk from privileged user account access.
Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent of new technologies and threats:
The tasks performed by privileged users to maintain, repair and initiate systems are not optional: these roles exist to meet essential requirements in every enterprise environment. What is needed is to let privileged users perform their tasks while removing their ability to read private and confidential data, and, where a category of privileged account does have a legitimate need to access sensitive data, to make available the information that allows anomalous usage patterns (which may indicate that the account has been compromised) to be identified.
Transparent – The Vormetric Data Firewall meets these needs with a transparent solution, enabling critical system processes to continue without exposing data. Using protections at the file system and volume level, the privileged user access management solution allows administrators to see metadata and the file system structure, but reveals only encrypted data to their accounts. At the same time, processes and privileged users that legitimately require access (such as a database process reading a database table file) receive unencrypted data (cleartext).
Strong – The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, that provides granular access to protected structured information (in databases) or unstructured data (in file systems) by process, user, time and other parameters. Vormetric also tracks how a user arrived at their current identity and enforces policy on that basis: if a Root user creates a new account with data access rights and then escalates to become that account, Vormetric still identifies the session with the Root user and prevents access to cleartext data. The result of this approach: privileged users can manage systems without risk of exposure to protected information.
Efficient – Vormetric Encryption is a high-performance, low-overhead solution, leveraging the AES-NI hardware encryption built into Intel x86 processors. The result: minimal changes to response times for operational processes.
Easy – Deployments take days to weeks rather than weeks to months, across physical systems, cloud, big data and virtualized environments, and are easy to manage and easy to understand.
Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical requirements:
Vormetric Encryption seamlessly protects enterprise environments at the file system and volume level from the risks posed by privileged user access. The privileged access control solution allows organizations to secure their data with no changes to the operation of their applications or to system administration.
Data Firewall – Using high performance encryption along with privileged user access controls to provide multi-layer data protection, Vormetric creates a Data Firewall that protects against both internal and external threats to data.
Encryption and Key Management – Vormetric provides the strong, centrally managed, encryption and key management that enables compliance and is transparent to processes, applications and users.
Fine-grained Access Controls – Vormetric provides fine-grained, policy-based access controls that restrict access to encrypted data, ensuring that data is decrypted only for authorized users and processes.
Security Intelligence – Vormetric logs capture all access attempts to protected data, providing high value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.
Automation – For fast rollouts and integration with existing infrastructure, both web and command line level APIs provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.
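To make the policy model described above concrete (access decided by login identity, process and time window; escalation from root to another account not earning cleartext; every attempt on protected data logged for SIEM-style review), here is an added illustration written for this page. It is not Vormetric's code or API: the guard point, rule format, user names, process names, paths and audit record layout are all constructed for the example.

```python
"""Simulation of privileged-user data access control with audit output.

Added example (not Vormetric code): a small engine modelling the policy
idea on this page. Guard points, users, processes and paths are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    path: str
    login_user: str      # identity the session authenticated as
    effective_user: str  # identity after any su/sudo switch
    process: str         # program that issued the read
    when: time


@dataclass(frozen=True)
class Rule:
    """Conditions under which a read on a guard point returns cleartext."""
    users: frozenset
    processes: frozenset
    start: time
    end: time

    def matches(self, req: Request) -> bool:
        # Evaluated against the login identity: a root session that switches
        # to a permitted account is still root for policy purposes.
        if req.login_user not in self.users or req.process not in self.processes:
            return False
        if self.start <= self.end:
            return self.start <= req.when <= self.end
        return req.when >= self.start or req.when <= self.end  # window crosses midnight


@dataclass(frozen=True)
class GuardPoint:
    """A protected directory prefix and the rules that unlock it."""
    prefix: str
    rules: tuple


def evaluate(guards, req, audit):
    """Return 'cleartext' or 'ciphertext' for a read and log the attempt.

    Reads outside every guard point are not protected data and are not logged.
    """
    for guard in guards:
        if req.path.startswith(guard.prefix):
            decision = "cleartext" if any(r.matches(req) for r in guard.rules) else "ciphertext"
            audit.append({
                "path": req.path, "login_user": req.login_user,
                "effective_user": req.effective_user, "process": req.process,
                "time": req.when.isoformat(), "decision": decision,
            })
            return decision
    return "cleartext"


def suspicious_logins(audit, threshold):
    """Login identities with at least `threshold` reads that yielded ciphertext."""
    counts = Counter(e["login_user"] for e in audit if e["decision"] == "ciphertext")
    return sorted(u for u, n in counts.items() if n >= threshold)


def run_sample():
    """Constructed scenario: one database guard point with a business-hours rule."""
    db_rule = Rule(users=frozenset({"dbuser"}), processes=frozenset({"dbserver"}),
                   start=time(8, 0), end=time(20, 0))
    guards = (GuardPoint(prefix="/var/lib/db/", rules=(db_rule,)),)
    audit = []
    requests = [
        # database process, permitted user, inside the window -> cleartext
        Request("/var/lib/db/customers.dbf", "dbuser", "dbuser", "dbserver", time(14, 0)),
        # root reading the table file directly -> ciphertext
        Request("/var/lib/db/customers.dbf", "root", "root", "cat", time(3, 0)),
        # root switched to dbuser, then read with cat -> still ciphertext
        Request("/var/lib/db/customers.dbf", "root", "dbuser", "cat", time(3, 5)),
        # permitted user and process but outside the time window -> ciphertext
        Request("/var/lib/db/customers.dbf", "dbuser", "dbuser", "dbserver", time(2, 0)),
        # unprotected path -> cleartext and not audited
        Request("/home/alice/notes.txt", "alice", "alice", "vi", time(9, 0)),
    ]
    decisions = [evaluate(guards, r, audit) for r in requests]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit_log = run_sample()
    print(decisions)
    for entry in audit_log:
        print(entry)
    print("suspicious:", suspicious_logins(audit_log, threshold=2))
```

The key design choice is that `Rule.matches` checks `login_user`, not `effective_user`: the third request shows a root session that has switched to `dbuser` still receiving ciphertext, which is the escalation-tracking behaviour the page describes. The audit list is what would be forwarded to a SIEM; `suspicious_logins` is a deliberately simple stand-in for the correlation a SIEM would perform on it.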
With commercial tools, such as Vormetric, you can actually give certain people certain access without root-level privileges. You can encrypt your data in storage to set up roles of who actually gets to see the data. The admins can do their jobs, and they don’t get access to any data files.
former CISO at the CIA
GovInfoSecurity – June 21, 2013
I've been a systems engineer, systems administrator … When you're in positions of privileged access like a systems administrator for the intelligence community, you're exposed to a lot more information on a broader scale than the average employee
– Former infrastructure analyst at the NSA – June 2013