According to the Oxford English dictionary, the modern-day definition of the word ‘privilege’ is “A special right, advantage, or immunity granted or available only to a particular person or group”. Mmm. I bet those tasked with securing their organisation’s IT security wouldn’t use those words. For them, ‘privilege’ as in ‘privileged access management’ is a real headache. And one that’s about to get worse, particularly as organisations increasingly move to a cloud-based computing environment.
In fact, privileged access management is so problematic that it has emerged as the top risk in two separate studies of cloud computing security. Gartner listed it as the number one risk amongst seven (source: ‘Assessing the Security Risks of Cloud Computing’), whilst another report, this one from the Cloud Security Alliance, listed it as the most important of three key issues (the other two being Server Elasticity and Regulatory Compliance).
So why does this area represent such an Achilles’ heel for companies? The problem might lie in the ‘binary’ view that IT professionals have of IT security, with the world divided into two groups: insiders and outsiders. Of these, outsiders have traditionally been viewed as the most ‘hostile’, or as representing the greatest threat, and so the majority of security resources are spent on ‘defending the perimeter’.
The reality is that these two groups have blurred to the extent that outsiders are now insiders. And insiders have the potential to do considerably more harm to an organisation. In fact, 55% of all cyber-attacks last year were carried out by people who had privileged access to an organisation’s IT system (IBM’s 2015 Cyber Security Index).
And in a cloud-computing environment, where is the perimeter? With so many privileged accounts being made available not just to administrators and super users but routinely to external service providers too, how can these accounts be controlled and monitored in a truly effective way? Blaming the cloud service provider for ‘their’ lax security procedures may not cut any ice either. One prediction in Gartner’s ‘Top Predictions for IT Organisations and Users for 2016 and Beyond’ looks particularly chilling: ‘by 2020, 95 per cent of cloud security failures will be the customer’s fault’.
The problem – as I see it – falls into two main areas. (So fix those and you’ve fixed the problem).
Problem number one concerns control. Being able to successfully manage which users access which resources, and when, dramatically reduces the risk of a breach. However, the vast majority of firms are, for legacy reasons, reliant on directory services to control access and manage users of network infrastructure. The problem with that is that it’s easy enough to grant access but hard to actively control or even revoke it.
Problem number two is around visibility. You may know that you have a set of privileged users who log into critical systems containing highly sensitive data, but do you know when they do so, for how long, and what they’re doing during those sessions?
So, what can be done to get a better handle on this vital group of users? IT admins are the beating heart of an organisation’s IT infrastructure (even if they are made up of contractors and not employees, but that’s a different topic) and so leadership teams are understandably daunted by the thought of disrupting ‘business as usual’. I’ve outlined five conditions that I believe must be met for the more efficient management of privileged users.
- Passwords: Those shared accounts have got to go. Organisations must have the ability to generate, hide, disclose, change or maintain the passwords of target systems and secure them in a certified safe.
- Access control: Being able to define, award and easily revoke access to each system for each privileged user is a must.
- Monitoring: the ability to view and control connections and user activity on systems, and to generate alerts on events. This is a big help not only for compliance but also in the event of a breach.
- Seeing is believing: the ability to watch video recordings of privileged user sessions.
- Audit: the ability to create a reliable and enforceable audit trail of all privileged user activity on the target systems.
Privileged accounts remain a weak point, exposed to insider threats as well as being a target for external attackers, and with more systems in place and more data in use, there are more privileged users than ever. Those tasked with securing these systems need to adopt and execute as efficient a privileged access management strategy as they can.