According to the Oxford English dictionary, the modern-day definition of the word ‘privilege’ is “A special right, advantage, or immunity granted or available only to a particular person or group”. Mmm. I bet those tasked with securing their organisation’s IT security wouldn’t use those words. For them, ‘privilege’ as in ‘privileged access management’ is a real headache. And one that’s about to get worse, particularly as organisations increasingly move to a cloud-based computing environment.


In fact, privileged access management is so problematic that it has emerged as the top risk in two separate studies carried out into cloud computing security. Gartner listed it as the number one risk amongst seven (Source: ‘Assessing the Security Risks of Cloud Computing’) whilst another report – this one from the Cloud Security Alliance – listed it as the most important risk of three key issues (their other ones being Server Elasticity and Regulatory Compliance).

So why does this area represent such an Achilles heel for companies? The problem might lie in the ‘binary’ view that IT professionals have about IT security, with a world divided up into two groups: insiders and outsiders. Of these, outsiders have traditionally been viewed as being the most ‘hostile’ or representing the greatest threat, and so the majority of security resources are spent on ‘defending the perimeter’.


The reality is that these two groups have blurred to the extent that outsiders are now insiders. And insiders have the potential to do considerably more harm to an organisation. In fact, 55% of all cyber-attacks last year were carried out by people who had privileged access to an organisation’s IT system (IBM’s 2015 Cyber Security Index).

And in a cloud-computing environment, where is the perimeter? With so many privileged accounts not just being made available to administrators and super users but routinely to external service providers too, how can these accounts be controlled and monitored in a truly effective way? Blaming the cloud service provider for ‘their’ lax security procedures may not cut any ice either. In Gartner’s ‘Top Predictions for IT Organisations and Users for 2016 and Beyond’, one prediction looked particularly chilling: ‘by 2020, 95 per cent of cloud security failures will be the customer’s fault’, they wrote.

The problem – as I see it – falls into two main areas. (So fix those and you’ve fixed the problem).

Problem number one concerns control. Being able to successfully manage users accessing the right resources at the right time dramatically reduces the risk of a breach. However, the vast majority of firms are – for legacy reasons – reliant on directory services to control access and manage users of network infrastructure. The problem with that is it’s easy enough to grant access but hard to actively control or even revoke it.


Problem number two is around visibility. You may know that you have a set of privileged users who log into a critical infrastructure of systems containing highly sensitive data, but do you know when, for how long and what they’re doing during those sessions?

So, what can be done to get a better handle on this vital group of users? IT admins are the beating heart of an organisation’s IT infrastructure (even if they are made up of contractors and not employees, but that’s a different topic) and so leadership teams are understandably daunted by the thought of disrupting ‘business as usual’. I’ve outlined five conditions that I believe must be met for the more efficient management of privileged users.

  1. Passwords: Those shared accounts have got to go. Organisations must have the ability to generate, hide, disclose, change or sustain target passwords and secure them in a certified safe.
  2. Access control: Being able to define, award and easily revoke access to each system for each privileged user is a must.
  3. Monitoring: the ability to view and control the connections and user activity on systems, and generate alerts on events. This is not only a big help when it comes to compliance but also in the event of a breach.
  4. Seeing is believing: the ability to watch video recordings of privileged user sessions.
  5. Audit: the ability to create a reliable and enforceable audit trail of all activities of privileged users on the target systems.

Privileged accounts remain both a weakness to insider threats and a target for external attackers, and with more systems in place and data being used, there are more privileged users than ever. Those tasked with securing these systems need to adopt and execute as efficient a privileged access management strategy as they can.



Bruce Jubb, Head of UK, Ireland and Nordics, Wallix

Bruce Jubb heads up Wallix in the UK, Ireland and Nordics and specialises in the field of identity and access management. With more than 15 years’ experience in IT security, Bruce has previously held leadership roles at Sophos, NTT Com and SecureAuth. His focus today is on raising awareness of the need for better management and auditing of privileged access for all organisations who recognise the risks to their own and their customers' data.
