Discover Performance: HP Software's community for IT leaders // March 2012
No Inside Jobs: Three steps to controlling privileged access
HP security expert Rafal Los warns that most organizations give employees too much privilege—leaving the enterprise vulnerable to abuse and attack.
Privilege is extremely difficult to manage in an organization of any size, and the more rapidly your business changes, the more difficult it becomes and the more likely you are to devolve into a situation where, as everyone takes on more projects or responsibilities, everyone ends up with much more access than they should have. This is dangerous, especially when privileged users report feeling entitled to abuse their access merely to satisfy their own curiosity—to say nothing of the possibility of more malicious intent.
A new study by the Ponemon Institute, sponsored by HP Enterprise Security, asked a group of mostly supervisor-and-higher-level IT professionals about their privileges:
“According to 77 percent of respondents, privileged access rights are required to complete their current job assignment. However, 23 percent say the access rights they have are not necessary for their role.”
You trust your employees and administrators with the most critical technical functions in your organization—but they're only human. You need controls over who has access—and how much access—to your critical intellectual property, company secrets, and other proprietary information. The Ponemon study suggests that many organizations don’t have a tight grip on privileged access.
It was surprising enough to see many users state that their excess of access was "for no apparent reason," but the most striking response was "everyone at my level has privileged access even if it is not required to perform a job assignment," which was cited by a mind-blowing 43 percent of respondents.
I suppose that if the organization fundamentally does not understand what your role is, and what you need to accomplish your job, everyone requires access to everything. That’s dangerous enough on its own, but compound it with this—64 percent of privileged users believe they are empowered to access all the information they can view—and we have a recipe for disaster. We’ve got organizations that misunderstand the concept of role-based access, and administrators with excessive senses of entitlement. That’s not going to end well.
There is a three-step process around privilege in any situation. The first critical step is understanding privilege. Once you've understood it, you can implement and ultimately govern and monitor privilege usage and distribution.
Step 1: Understanding privilege
Ground zero for a solid privilege model is understanding how your organization is built. Fundamentally, what are your critical processes, systems, applications, and data; who should have access to them; and in what capacity? You'll need to answer the what, the who, and the how to be successful in understanding privilege.
Step 2: Implementing privilege
Implementing privilege across the organization is done with a combination of manual processes and automated tools. Lots of great technologies can help you to script your way to managing privilege—just be careful of the ones that promise too much.
Step 3: Govern and manage privilege
Once you understand your organization and have implemented privilege, it's time to monitor and carefully govern it to ensure you don’t end up back in the mess you just fought your way out of. Modern organizations are so fluid that it's difficult not to fall back into privilege chaos, but you absolutely must keep a watchful eye on your systems, applications, and data to make sure that someone isn't trying to get into things they don't have rights to.
Access the report
The Ponemon study (registration required) is certainly interesting—more so given all the recent talk of insider attacks. Check out the study and draw your own conclusions, and think about how much unnecessary access is floating around your organization.
Rafal Los is the Chief Security Evangelist with HP Software. A longer version of this article appeared at his security blog, Following the White Rabbit.