Discover Performance, HP Software's community for IT leaders // March 2012
No Inside Jobs: Three steps to controlling privileged access
HP security expert Rafal Los warns that most organizations give employees too much privilege—leaving the enterprise vulnerable to abuse and attack.
Privilege is extremely difficult to manage in an organization of any size, and the more rapidly your business changes, the harder privilege becomes to manage and the more likely you are to devolve into a situation where, as everyone takes on more projects or responsibilities, everyone ends up with far more access than they should have. This is dangerous, especially when privileged users report feeling entitled to abuse their access merely to satisfy their own curiosity, to say nothing of the possibility of more malicious intent.
A new study by the Ponemon Institute, sponsored by HP Enterprise Security, asked a group of mostly supervisor-and-higher-level IT professionals about their privileges:
"According to 77 percent of respondents, privileged access rights are required to complete their current job assignment. However, 23 percent say the access rights they have are not necessary for their role."
You trust your employees and administrators with the most critical technical functions in your organization—but they're only human. You need controls over who has access—and how much access—to your critical intellectual property, company secrets, and other proprietary information. The Ponemon study suggests that many organizations don’t have a tight grip on privileged access.
It was surprising enough to see many users state that their excess of access was "for no apparent reason," but the most striking response was "everyone at my level has privileged access even if it is not required to perform a job assignment," which was cited by a mind-blowing 43 percent of respondents.
I suppose that if the organization fundamentally does not understand what your role is, and what you need to accomplish your job, everyone requires access to everything. That’s dangerous enough on its own, but compound it with this—64 percent of privileged users believe they are empowered to access all the information they can view—and we have a recipe for disaster. We’ve got organizations that misunderstand the concept of role-based access, and administrators with excessive senses of entitlement. That’s not going to end well.
There is a three-step process around privilege in any situation. The first critical step is understanding privilege. Once you've understood it, you can implement and ultimately govern and monitor privilege usage and distribution.
Step 1: Understanding privilege
Ground zero for a solid privilege model is understanding how your organization is built. Fundamentally, what are your critical processes, systems, applications, and data; who should have access to them; and in what capacity? You'll need to answer the what, the who, and the how to be successful in understanding privilege.
Step 2: Implementing privilege
Implementing privilege across the organization is done with a combination of manual processes and automated tools. Lots of great technologies can help you to script your way to managing privilege—just be careful of the ones that promise too much.
Step 3: Govern and manage privilege
Once you have understood your organization and implemented the privilege model, it's time to monitor and carefully govern it so that you don't end up back in the mess you just fought your way out of. Modern organizations are so fluid that it's hard not to drift back into privilege chaos, but you absolutely must keep a watchful eye on your systems, applications, and data to make sure that nobody is trying to get into things they don't have rights to.
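The three steps above translate fairly directly into code. The following is an added example written for this page, not HP's product or the author's own tooling: it captures the role model from Step 1 as data, reconciles it against what is actually granted (Step 2), and then reads access-log lines to flag both excess grants being exercised and denied attempts to reach things outside a user's rights (Step 3). All role names, resources, grants and log lines are constructed sample data, and the key=value log format is an assumption chosen for the example.

```python
# Added example (not HP's or the author's code): a minimal privilege
# reconciliation and monitoring script. All role definitions, grants and
# log lines below are constructed sample data, not from the article.

# Step 1 (understand): the "what" and "how" expressed as role entitlements.
# Each role maps to the set of (resource, access level) it legitimately needs.
ROLE_ENTITLEMENTS = {
    "dba":     {("prod-db", "admin"), ("prod-db", "read")},
    "app-dev": {("staging-db", "admin"), ("prod-db", "read"), ("source-repo", "write")},
    "analyst": {("prod-db", "read"), ("reports", "read")},
}

# The "who": which roles each user holds (constructed).
USER_ROLES = {
    "alice": {"dba"},
    "bob":   {"app-dev"},
    "carol": {"analyst"},
    "dave":  {"analyst"},
}

# Step 2 (implement): what is actually granted today, e.g. exported from
# group memberships or ACLs (constructed). bob and carol hold excess rights;
# dave is missing one his role needs.
ACTUAL_GRANTS = {
    "alice": {("prod-db", "admin"), ("prod-db", "read")},
    "bob":   {("staging-db", "admin"), ("prod-db", "admin"),
              ("prod-db", "read"), ("source-repo", "write")},
    "carol": {("prod-db", "read"), ("reports", "read"), ("hr-files", "read")},
    "dave":  {("prod-db", "read")},
}

# Step 3 (govern): constructed access-log lines in an assumed key=value format.
ACCESS_LOG = """\
2012-03-01T10:15:02Z user=alice resource=prod-db action=admin result=success
2012-03-01T10:16:40Z user=bob resource=prod-db action=admin result=success
2012-03-01T10:17:05Z user=carol resource=hr-files action=read result=success
2012-03-01T10:18:30Z user=dave resource=prod-db action=admin result=denied
2012-03-01T10:18:31Z user=dave resource=prod-db action=admin result=denied
2012-03-01T10:19:12Z user=carol resource=reports action=read result=success
"""


def expected_grants(user, user_roles, entitlements):
    """Union of the entitlements of every role the user holds."""
    grants = set()
    for role in user_roles.get(user, set()):
        grants |= entitlements.get(role, set())
    return grants


def reconcile(user_roles, actual_grants, entitlements):
    """Compare actual grants with role-derived ones.

    Returns {user: (excess, missing)}: excess is what should be revoked
    (the "more access than they should" problem), missing is what the
    role needs but the user lacks.
    """
    report = {}
    for user in set(user_roles) | set(actual_grants):
        expected = expected_grants(user, user_roles, entitlements)
        have = actual_grants.get(user, set())
        report[user] = (have - expected, expected - have)
    return report


def parse_log_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict (assumed format)."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = ts
    return event


def audit_log(log_text, user_roles, entitlements):
    """Flag events that fall outside a user's role.

    A successful action outside the role means an excess grant is being
    exercised; a denied action means someone is probing for access they
    do not have. Both are what Step 3 says to watch for.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        in_role = (ev["resource"], ev["action"]) in expected_grants(
            ev["user"], user_roles, entitlements)
        if ev["result"] == "denied":
            findings.append((ev["ts"], ev["user"], "denied attempt", ev["resource"], ev["action"]))
        elif not in_role:
            findings.append((ev["ts"], ev["user"], "used access outside role", ev["resource"], ev["action"]))
    return findings


if __name__ == "__main__":
    report = reconcile(USER_ROLES, ACTUAL_GRANTS, ROLE_ENTITLEMENTS)
    for user, (excess, missing) in sorted(report.items()):
        print(f"{user}: revoke={sorted(excess)} missing={sorted(missing)}")
    for finding in audit_log(ACCESS_LOG, USER_ROLES, ROLE_ENTITLEMENTS):
        print("ALERT", *finding)
```

Run stand-alone, the reconciliation reports bob's prod-db admin and carol's hr-files read as grants to revoke and dave's missing reports access, and the log audit raises four alerts: bob and carol exercising rights their roles do not include, and dave twice being denied admin on prod-db. The point of keeping the role model as data rather than in people's heads is that "everyone at my level has it" stops being an answer; a grant either derives from a role or it shows up in the revoke list.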
Access the report
The Ponemon study (registration required) is certainly interesting, more so given all the recent talk of insider attacks. Check out the study, draw your own conclusions, and think about how much unnecessary access is floating around your organization.
Rafal Los is the Chief Security Evangelist with HP Software. A longer version of this article appeared at his security blog, Following the White Rabbit.