Computerworld has an interesting article ‘Security fail: When trusted IT people go bad‘ with the even more interesting subtitle “One rogue IT employee can do more damage than an army of hackers“. It’s well worth a read, if only to get a feel for the nightmarish scenarios CIO’s can be faced with.
The 3 case studies presented deal with one issue: Privileged IT Administrators who have complete access to systems, and use it to either systematically abuse your trust or wreak havoc when provoked. In every case, the damage to the organization was substantial, and the steps needed to recover were extreme (I especially liked one companies solution to their potential hostage crisis: put the guy on a cross country flight, and use those 5+ hours to change all the passwords).
It has been well understood for years that insider fraud is a far bigger threat to organizations than anything that could be done from the outside (barring specific domains like national security). Not only do system administrators usually have complete access, but they can move around your network with impunity – no auditing, no oversight, no accountability. In effect, the IT environment that you spend so much time locking down has a wide open backdoor that can be exploited by a small but highly skilled populace to do significant damage. And when you broaden your view a bit, you find that this goes beyond just the system administrators to other “trusted” users as well – employees that use shared, highly privileged accounts to execute transactions that are sensitive and crucial to the business, but could also be abused.
Organizations that take a comprehensive and holistic approach to identity and access management can protect themselves against the possibility of these sort of nightmare scenarios playing out. While the article outlines some basic HR type steps that organizations can take, like better background checks, it doesn’t go into any specifics about how a properly defined identity management program can help in mitigating these risks. So how can IdM address some of the issues brought out by the article? Let’s review.
1) Strengthen Your Core
The core of identity management – SSO, identity administration, provisioning (including de-provisioning) – is obviously essential. Within that, it’s important to realize that one reason shared accounts proliferate is due to its convenience and expediency, because no one wants the overhead and pain of getting properly privileged accounts. But a well designed access request system, with intuitive self-service, adequate workflow and policy controls and the right level of automation will help organizations avoid slipping into shared account hell – by empowering users without sacrificing security.
2) Avoid Excessive Privilege Accumulation
The article points to classic “privilege escalation” as a culprit, where users are given additional privileges to deal with short term project needs, but then those privileges are never taken away after the need goes away. Over time the user accumulates a large set of privileges that not only allow them to continue to do things long after they should no longer be able to, but can can create a toxic combinations of privileges that gives them the ability to take actions that should never be allowed by policy.
There are a few things you can do to address this problem. First, your identity administration system should support time or context bound privilege escalations. If a user is being given additional privileges because of a specific need, make that grant role-based or time-bound. That way, when the conditions that led to the privilege escalation expire, those privileges get taken away and are not left with the user. Second, make sure to leverage Separation of Duties (SoD) policies, so that you can detect and therefore prevent situations where a privilege grant is going to result in the user having an undesirable combination of entitlements that could be abused. This would be leveraged not only during the initial privilege grant to alert someone with oversight responsibilities (like a manager), but also during an entitlement review, which is the third mitigating control. Periodic entitlement reviews are now essential to combat privilege accumulation and also prove compliance. And entitlement reviews that get triggered when events such as privilege escalation occur not only help in keeping people focused on the problem (instead of it getting buried in the details), but also let your people know that they are being monitored. Getting in-depth and comprehensive insight into your IT environment is key to managing excessive privilege accumulation.
3) Make your Access Context-Aware
This is where we think the future of identity management is headed. Two of the scenarios outlined in the article describe situations where the privileged employee decided that they were going to take drastic action to inflict maximum damage on the company. By profiling the behavior of the user, and comparing the users actions to established patterns, you can detect anomalies that would indicate that some kind of fraudulent activity is underway. The article also talks about “Sally” taking her laptop home and still being able to use high-level privileges. But if your access management system can leverage environmental variables like device IDs, network profiles and IP geo-location as part of its authorization context, then it can limit the use of elevated privileges when the right conditions are not met.
In all these cases, the IdM system, having detected potential fraud, now has the ability to initiate corrective action, like elevating the monitoring of the user activity, up-leveling the assurance of the identity in play by asking additional authentication questions or presenting 3rd party or application data that only the correct user could verify, and even outright denying the user access. By monitoring the full picture of what is actually occurring in real-time, you can detect or prevent fraud. And you can do it without negatively impacting the user experience. In effect, the access adapts dynamically to the user behavior and the risk level of the transactions.
4) Protect Your Keys to the Kingdom
The article points out that “threats from privilege-laden IT employees are especially hard to detect. For one thing, staffers’ nefarious activities can look the same as their regular duties”. And when you have multiple people in the IT staff who know how to utilize these system accounts, it’s hard to pinpoint the exact perpetrator of the actions. That’s why using a Privileged Account Management system is so important. By putting a control system around the most sensitive and powerful accounts that an organization has, you can make sure that you are never going to be in the situation where an employee can hold you hostage. Administrators can no longer go in and change the passwords without the organization knowing, all their activity can be monitored and traced, and their access to the privileged accounts can be cut off in one fell swoop (instead of having to put them on a plane ride to California).
5) Protect Your Data
Sounds obvious, right? But the fact that the current state of affairs means that your DBA can go in and “download 400 customer credit card numbers from your e-commerce server” is all too common. Your database cannot be overlooked in your access management strategy. Organizations need to ensure that their privileged users and DBAs are restricted from accessing sensitive application data, despite having high-level privileges on the database. They need to implement controls to enforce separation of duties and also use solutions like transparent encryption to protect data against unauthorized access by OS level users. And they need to monitor their database configuration on a continuous basis, and audit their users to know who did what and when for accountability.
The Right Tools Make the Plan
The article correctly points out that technology is not enough. “It’s a combination of technical safeguards and human observation that offers the best protection, says CERT’s Cappelli”. On the identity management side of things, however, there are a number of things that organizations should be doing that they don’t. And by putting in place this kind of comprehensive identity management program, with the right controls that constantly optimize and enforce policies that mitigate risk, an organization can help the people in charge be informed, aware, alert and in control. And that sounds like a plan.