Refining User Access to Keep Employee Power in Check
Jul 23, 2009 4:00 AM PT
It has been a year since the city of San Francisco was held hostage because a city network administrator, Terry Childs, allegedly locked down the city's IT system through a privileged account. Yet today, even with the heightened awareness created by this headline incident, companies continue to struggle, as evidenced by the Fannie Mae and Quantum Technology Partners cases, to protect access to their key systems and resources and reduce the risk of data breaches. Why?
If unmanaged, privileged accounts -- those with carte blanche access to critical networks, systems and applications -- still pose significant challenges as they convey broad and deep access privileges that cannot be traced to a specific person. These privileged accounts are increasingly scrutinized by auditors and are becoming one of the key reasons that many organizations fail compliance audits. Yet many organizations still have not implemented processes, procedures and technologies to demonstrate more effective control over who has access to powerful privileged accounts and what activities occur during those privileged sessions.
This imperative to manage and protect access to key systems isn't meant to disparage IT workers with privileged access -- in fact, the vast majority of employees are trustworthy. The reality is that organizations have a responsibility to control the power they provide to their employees -- and as an organizational issue, the fact is that trust is not a good security policy. Instead, implementing an approach that adheres to the accepted security axiom of "Trust, but Verify," needs to be increasingly adopted by organizations of all types and sizes.
It's human nature to want to look at confidential information. Whether it's someone simply being curious or someone looking to steal data for personal purposes, the threat to the data and information is the same.
The main cause of this problem is that privileged accounts are often unmanaged, neglected and not well monitored, with existing system logs of activities difficult to interpret due to the anonymous nature of the "administrative user."
In addition, the prevalence of applications with embedded username and password credentials that are hard coded and in clear-text inside applications, scripts and parameter files creates additional organizational risk. An insider can easily expose and anonymously leverage these privileged application identities for criminal purposes.
However, the risk of internal data misuse can be significantly mitigated by implementing policies and technologies that provide special treatment for privileged identities. In accordance with newly proposed consensus audit guidelines that suggest automated and continuous control of administrative privileges, organizations need to effectively address the security threat of privileged accounts and related audit challenges.
The first step is to ensure that administrative and application identities and passwords are changed regularly, highly guarded from unauthorized use, and closely monitored, including full activity capture and recording. Changing privileged passwords on a routine basis, however, is nearly impossible without placing an inordinate resource and expense burden on the IT organization.
Tightening the Reins
With the dispersed nature of today's IT environments, it is exceedingly difficult for one group to keep tabs on, and actively manage all the high-value systems and applications and associated passwords in use across the enterprise.
By automating these tasks, the organization is assured that password refreshes are made at regular intervals in line with the organization's IT and security policies. In addition, having an automated system in place allows the company to have a streamlined mechanism for disabling these privileged accounts immediately when an employee leaves the company.
This eliminates lag time that commonly occurs between the time when someone is terminated, and the time when their access to all of the key systems they worked with is manually deprovisioned. It is particularly important to disable these passwords immediately, preventing a disgruntled ex-employee from wreaking havoc on the organization.
To prevent internal breaches, granting privileges on-demand is another effective measure. Having a privileged identity doesn't mean any individual should be granted unfettered user rights. This leaves the door open to legitimate access privileges being used for unauthorized purposes.
For example, a system administrator might have full acess rights so that he can perform specific functions on a sales database, but that also means he could share that confidential sales data with a competitor to retaliate against his employer, or leak unflattering information to the press, harming the company's financial standing.
Don't give privileged users free rein to do whatever they like. Instead, adhere to the "Least Privilege" concept: Provision privileged users' rights on an as-needed basis and track them for auditing purposes. In this way, an administrator may be given the right to access a server -- but not the ability to copy or modify sensitive information housed within it.
Implementing Proven Processes
It is important to monitor and report actual adherence to the defined policies implemented. Again, "Trust, but Verify." This is a critical component in safeguarding companies, and it helps to simplify audit and compliance requirements, as companies are able to answer questions associated with "who" has access and "what" is being accessed.
Auditing the actions of privileged users allows organizations to know exactly who used a specific password and what was done with it, without having to peruse log files. Combined with auto logging and auto alerting, a visual auditing capability ensures the organization has a strong prevention and detection mechanism.
This is a helpful deterrent against information theft, which is a necessary record for auditors and a critical piece of evidence should legal action be warranted against a perpetrator.
By implementing proven processes, procedures and technologies to automate adherence to the security policies they put in place, organizations can better protect privileged accounts and identities that provide access to the most high-value targets and information.
In doing so, they can better uphold their responsibility to manage, control and monitor the power they provide their employees, while also significantly reducing insider breaches.
Adam Bosnian is the vice president of products and strategy at Cyber-Ark, an information security company that develops and markets digital vaults for securing and managing privileged identities and highly sensitive information within and across global enterprise networks.