3 questions every agency should ask about privileged user access
- By Michael Crouse
- Nov 23, 2020
When employees’ roles or responsibilities change, so do their data access requirements -- at least in theory. In reality, far too many agencies are struggling to properly manage privileged users. In a recent survey of privileged users in government conducted with the Ponemon Institute, half of respondents said it is difficult for their agency to audit and validate changes to employee access, while nearly three-quarters said their organization assigns more access than is required.
With so many agencies unable to keep up with access changes, other shortcomings with managing privileged user sprawl are hardly a surprise. Few organizations have enterprise-level visibility into privileged users, much less the ability to tell if a user’s actions constitute a threat.
While some privileged access is required for employees to do their jobs, much privileged access represents unnecessary risk. Reining in this risk requires not just the right technology, but the right staff and visibility to make critical decisions. Here are three questions agencies should ask themselves in regard to privileged users -- and some steps they can take toward better management of the problem.
1. Should this user have access?
Although access should only be granted to users when it is absolutely required -- not just for convenience -- many employees have access either from previous roles or for no reason at all. To avoid such risks, agencies must ensure their access tracking technology is up to the task. Relying on legacy systems like spreadsheets to manage privileged users is insufficient.
Yet, only about half of the survey respondents said their organization’s privileged users are vetted through background checks or have their access monitored through identity and access management tools. Without integrated identity management and the ability to confirm that access has been properly applied, employees who leave the agency may have their main accounts shut down but may accidentally retain access to numerous cloud services. A converged platform that includes IAM, user activity monitoring and data leak prevention gives agencies better visibility for right-sizing privileged user access based on user risk.
2. Who owns the problem?
In addition to deploying IAM policy monitoring tools and performing background checks, agencies should also conduct regular privileged user training programs and ensure supervisors and managers conduct manual checks of employee access. Sometimes agencies cannot dedicate enough staff to this issue, but it must be clear who “owns” the issue of privileged user access. The owner must be empowered to call on stakeholders for help with filling in missing gaps in technology, resources and expertise. Put another way, there should be a single point of contact who works with different stakeholders across the agency to make sure the right technology is being applied to the problem. Technology that provides a single pane of glass featuring actionable data will make the human touch -- which will always be required -- more effective and timely.
3. Is this activity suspicious?
Unfortunately, there is a good chance unnecessary access will be granted even with IAM tools and adequate supervision. The key is making sure that access doesn’t facilitate a leak or breach. With behavioral analytics, agencies can monitor employees’ habits and gauge if someone is acting maliciously or if credentials have been unknowingly compromised. By gathering a baseline of users’ normal activity, agencies can monitor behavior in real-time -- tracking everything from keystrokes to psychological factors. Only with such granular visibility can agencies spot risky anomalies.
The bottom line
Agencies must not only be diligent when it comes to granting employees access to data and systems, but they must also rein in privileged users and mitigate any risk that remains. That means making sure they have the required staff, expertise and technology in place to properly own and manage this growing risk. And while background checks combined with point products such as IAM technologies can help agencies verify users at the door, continuous monitoring and vetting is still required to ensure malicious and non-malicious activity is detected and quickly remediated.
For such monitoring to be successful, agencies need enterprise-level visibility into not just which users have access, but what data those users normally access and what risk that access presents to the organization. This information will also help mitigate risk as employees change positions or leave the agency. Combining these critical user and data protection principles represents key components for a strong overall security built for the modern age.
Michael Crouse is director, enterprise user and data protection, global governments and critical infrastructure, at Forcepoint.