Key to effective breach prevention: privileged user governance
- By Mordecai Rosen
- Sep 01, 2016
With cybersecurity attacks in the news almost daily, the new normal for organizations is to assume they have been -- or will be -- breached.
A recent Forrester study reported that 80 percent of breaches involve privileged credentials. As the hacks at Sony, Home Depot and the Office of Personnel Management showed, once attackers are in the system -- whether they gained access via a phishing attack or by other means -- they can methodically infiltrate it further by escalating their user privileges until they have unfettered access to systems and to an organization’s most sensitive data.
Stopping attacks somewhere along this methodical approach that bad actors use, a process known as the kill chain, is critical.
Privileged access management (PAM) has emerged as a top solution battling cyberattacks and interrupting the kill chain. Without good governance, however, PAM is doing only half the job.
Too many organizations have users with elevated privileges that do not need those rights, leading to a “waxy build-up” of privileged access. For example, according to a Ponemon Institute study of over 650 organizations, 38 percent had users with privileged access rights for no apparent reason, and 36 percent of these organizations failed to revoke those rights when the users no longer needed those privileges. This is a hacker’s dream.
The key to reducing risk is ensuring privileged users have the minimum amount of access needed to do their jobs, a principle known as “least privilege.”
This concept is so critical that it is the core focus of Phase 2 of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program. Building on CDM Phase 1 -- which focused on identifying and securing network assets -- Phase 2 seeks to give federal agencies the security tools they need to manage privileged users and ensure that those users and accounts with the “keys to the kingdom” are closely monitored for unusual activity. These two phases, discovery and enforcing least privilege, will then lead to a third phase focused on incident response, event management and boundary protections.
Controlling the risk equation with privileged user governance
Securing privileged user access, when looked at holistically, includes three core elements:
- Discovery -- knowing exactly who an agency’s privileged users are, whether they are network administrators, third-party contractors or cloud service administrators.
- Enforcement -- continuous monitoring so that irregular user behavior is quickly identified and stopped.
- Governance -- making sure that only users who truly need elevated privileges and access have that access.
There are two important steps when it comes to governing privileged access -- when the access is requested and when those requests are certified. These vital security events must be considered together because neither one alone can ensure that least privilege is enforced.
Access requests are the first checkpoint for preventing improper or excessive privileged user entitlements. All access requests should be checked automatically for compliance with segregation of duties (SoD) controls -- an especially important assessment for privileged users because their access is already elevated. Such a check ensures, for example, that the person requesting funding is not also the person approving the budget and signing the checks.
Even if a request passes the SoD test, privileged access still may pose a risk to the organization and require further analysis to determine whether or not to approve the request.
Access certification requires a manager to determine if the requested access is valid or whether improper permissions have been granted.
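An added illustration, not code from the article or from CA Technologies: a small Python model of the two checkpoints above, an automated SoD check at request time and a manager certification that returns stale or conflicting entitlements for revocation. The entitlement names, SoD rules and privileged set are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed SoD rules (only the funding/budget/checks example comes from the
# article): the entitlements in one rule must never be held by the same person.
SOD_RULES = [
    frozenset({"request_funding", "approve_budget"}),
    frozenset({"approve_budget", "sign_checks"}),
    frozenset({"request_funding", "sign_checks"}),
]
# Constructed set of elevated entitlements that always need a human decision.
PRIVILEGED = {"approve_budget", "sign_checks", "domain_admin"}


@dataclass
class AccessRequest:
    user: str
    current: set          # entitlements the user already holds
    requested: str        # entitlement being asked for
    violations: list = field(default_factory=list)


def sod_violations(entitlements):
    """Return every SoD rule fully contained in the given entitlement set."""
    return [rule for rule in SOD_RULES if rule <= set(entitlements)]


def evaluate_request(req):
    """Checkpoint 1 (request time): 'denied' on an SoD conflict, 'review' when
    the entitlement is elevated but passes SoD, otherwise 'approved'."""
    req.violations = sod_violations(set(req.current) | {req.requested})
    if req.violations:
        return "denied"
    return "review" if req.requested in PRIVILEGED else "approved"


def certify(user_entitlements, still_needed):
    """Checkpoint 2 (certification): a manager attests which entitlements are
    still needed. Anything not attested, or now part of an SoD conflict, is
    returned for revocation so stale privileges do not accumulate."""
    revoke = {e for e in user_entitlements if e not in still_needed}
    for rule in sod_violations(set(user_entitlements) - revoke):
        # break the toxic combination by revoking its elevated side
        elevated = [e for e in rule if e in PRIVILEGED]
        revoke.update(elevated or rule)
    return revoke


if __name__ == "__main__":
    r = AccessRequest("alice", {"request_funding"}, "sign_checks")
    print(evaluate_request(r), r.violations)
    print(certify({"approve_budget", "read_reports"}, {"read_reports"}))
```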
Privileged user governance covers not only changes in technology, but also in company culture.
For many years, managing, controlling and monitoring those who were trusted with the “keys to the kingdom” seemed almost an afterthought. After all, a privileged user was a trusted employee of the company or a trusted third-party partner or contractor. Then came Terry Childs, Chelsea (Bradley) Manning and Edward Snowden, along with breaches at Target, OPM and Home Depot. Those breaches resulted from either abused or compromised privileged access.
Today, there is a growing awareness in both the private and public sectors of the need to better manage and monitor privileged accounts and users with access to sensitive data. It’s now on the must-do list.
Change isn’t always easy; it takes time and leadership to implement. But without taking control of privileged access management, an agency risks being in tomorrow’s headlines.
Mordecai Rosen is senior vice president and general manager of the security business at CA Technologies.