3 questions every agency should ask about privileged user access

 


Agencies must not only be diligent when it comes to granting employees access to data and systems, but they must also rein in privileged users and mitigate any risk that remains.

When employees’ roles or responsibilities change, so do their data access requirements -- at least in theory. In reality, far too many agencies are struggling to properly manage privileged users. In a recent survey of privileged users in government conducted with the Ponemon Institute, half of respondents said it is difficult for their agency to audit and validate changes to employee access, while nearly three-quarters said their organization assigns more access than is required.

With so many agencies unable to keep up with access changes, other shortcomings with managing privileged user sprawl are hardly a surprise. Few organizations have enterprise-level visibility into privileged users, much less the ability to tell if a user’s actions constitute a threat.

While some privileged access is required for employees to do their jobs, much privileged access represents unnecessary risk. Reining in this risk requires not just the right technology, but the right staff and visibility to make critical decisions. Here are three questions agencies should ask themselves in regard to privileged users -- and some steps they can take toward better management of the problem.

1. Should this user have access?

Although access should only be granted to users when it is absolutely required -- not just for convenience -- many employees have access either from previous roles or for no reason at all. To avoid such risks, agencies must ensure their access tracking technology is up to the task. Relying on legacy systems like spreadsheets to manage privileged users is insufficient.

Yet, only about half of the survey respondents said their organization’s privileged users are vetted through background checks or have their access monitored through identity and access management tools. Without integrated identity management and the ability to confirm that access has been properly applied, employees who leave the agency may have their main accounts shut down but may accidentally retain access to numerous cloud services. A converged platform that includes IAM, user activity monitoring and data leak prevention gives agencies better visibility for right-sizing privileged user access based on user risk.
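The reconciliation described above can be run as a periodic access review. The following is an added example, not code from the article or from any product it mentions: it compares an HR roster and a per-role entitlement baseline against the grants exported from each system. All user names, roles, systems and the data layout are constructed assumptions.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "user system entitlement reason")

# Constructed sample data; every name, role and system here is hypothetical.
ROSTER = {
    "adavis": {"status": "active", "role": "dba"},
    "bkhan": {"status": "active", "role": "analyst"},    # moved from dba to analyst
    "cmoore": {"status": "departed", "role": "sysadmin"},
}
ROLE_BASELINE = {  # entitlements each role actually needs
    "dba": {("db-prod", "admin")},
    "analyst": {("db-prod", "read"), ("cloud-storage", "read")},
    "sysadmin": {("directory", "admin"), ("cloud-console", "admin")},
}
GRANTS = [  # (user, system, entitlement) as exported from each system
    ("adavis", "db-prod", "admin"),
    ("bkhan", "db-prod", "read"),
    ("bkhan", "db-prod", "admin"),             # left over from the previous role
    ("cmoore", "cloud-console", "admin"),      # main account closed, cloud grant remains
    ("svc-legacy", "cloud-storage", "admin"),  # no owner in the roster
]

def review_access(roster, role_baseline, grants):
    """Return a Finding for each grant the roster and role baseline do not justify."""
    findings = []
    for user, system, entitlement in grants:
        person = roster.get(user)
        if person is None:
            reason = "no matching identity in roster"
        elif person["status"] != "active":
            reason = "user has left but grant is still active"
        elif (system, entitlement) not in role_baseline.get(person["role"], set()):
            reason = f"not required for current role '{person['role']}'"
        else:
            continue  # grant is justified by the user's current role
        findings.append(Finding(user, system, entitlement, reason))
    return findings

if __name__ == "__main__":
    for f in review_access(ROSTER, ROLE_BASELINE, GRANTS):
        print(f"{f.user:<11}{f.system:<15}{f.entitlement:<7}{f.reason}")
```

Each finding is a candidate for revocation or for a documented exception signed off by the access owner.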

2. Who owns the problem? 

In addition to deploying IAM policy monitoring tools and performing background checks, agencies should also conduct regular privileged user training programs and ensure supervisors and managers conduct manual checks of employee access. Sometimes agencies cannot dedicate enough staff to this issue, but it must be clear who “owns” the issue of privileged user access. The owner must be empowered to call on stakeholders for help with filling gaps in technology, resources and expertise. Put another way, there should be a single point of contact who works with different stakeholders across the agency to make sure the right technology is being applied to the problem. Technology that provides a single pane of glass featuring actionable data will make the human touch -- which will always be required -- more effective and timely.

3. Is this activity suspicious?

Unfortunately, there is a good chance unnecessary access will be granted even with IAM tools and adequate supervision. The key is making sure that access doesn’t facilitate a leak or breach. With behavioral analytics, agencies can monitor employees’ habits and gauge if someone is acting maliciously or if credentials have been unknowingly compromised. By gathering a baseline of users’ normal activity, agencies can monitor behavior in real-time -- tracking everything from keystrokes to psychological factors. Only with such granular visibility can agencies spot risky anomalies.

The bottom line

Agencies must not only be diligent when it comes to granting employees access to data and systems, but they must also rein in privileged users and mitigate any risk that remains. That means making sure they have the required staff, expertise and technology in place to properly own and manage this growing risk. And while background checks combined with point products such as IAM technologies can help agencies verify users at the door, continuous monitoring and vetting is still required to ensure malicious and non-malicious activity is detected and quickly remediated.

For such monitoring to be successful, agencies need enterprise-level visibility into not just which users have access, but what data those users normally access and what risk that access presents to the organization. This information will also help mitigate risk as employees change positions or leave the agency. Combined, these critical user and data protection principles are key components of a strong overall security posture built for the modern age.
