Every company is undoubtedly concerned about keeping outside attackers away from its sensitive data, but understanding who has access to that data from within the organization can be an equally challenging task. The goal of every attacker is to gain privileged access. An excessively privileged user account can be used as a weapon of destruction in the enterprise, and if a powerful user account is compromised by a malicious attacker, all bets are off.
It is critical that organizations apply the principle of least privilege, by providing employees with just enough access to do their jobs, without handing them the keys to the entire kingdom. Without the correct systems in place, simple oversights can lead to excessive privileges for employees who may not require it, and open an organization up to crippling risk. Businesses must take the appropriate steps to understand each user and their roles and privileges to ensure every aspect remains protected.
As duties change, new employees join the organization and others leave, a regular evaluation of account privileges becomes even more important. Such an assessment should also identify unauthorized accounts or those with excessive privileges.
In order to protect the crown jewels, companies can take the following steps to identify users, audit privileges and ultimately gain visibility into their organization:
1. Understand who has access and identify excessively privileged accounts
The first step to establishing meaningful security controls is to understand who has been given access to what data and why they’ve been granted that access. For example, you might not be comfortable or even aware of the amount of employee and customer data your HR department’s summer intern is capable of accessing.
Every year, many financial services institutions deliver a document to each employee that lists out what information they have access to and requires them to make the case for why they need it. Employee self-auditing is a great first step to narrowing privileged access while also giving employees a better understanding and sense of responsibility of company security.
On top of working with individual employees, organizations must put formal procedures in place to audit access and pivot if necessary. When building the foundation of access auditing, companies must consider the following:
- How often should we review user access?
- How do we create a known benchmark to track and compare users’ privileges?
- What privileges are necessary to complete specific job functions?
- How can we limit excessive access without slowing productivity or functionality?
2. Create clear guidelines on the types of users within your organization
Once companies have a better understanding of their employees and their interaction with data, the common user accounts will fall into four primary categories: authorized users, privileged users, knowledge users and outsiders with insider access.
- Authorized users are employees such as clerks, accountants, finance staff, salespeople or anyone with access to the data or systems within a given enterprise.
- Privileged users are individuals with elevated privileges, broad access and extensive knowledge, such as developers, quality assurance staff, contractors and consultants.
- Knowledge users are personnel with access to and an understanding of internal systems or security protocols like IT operations, network operations or security and audit personnel.
- Outsiders with insider access may not have the same user rights as the others, but may still be capable of performing privileged activity.
Privileged users are a huge concern because of their broad access.Understanding which bucket individual users or job functions fall into is a critical step to addressing their data needs and correctly aligning their access privileges. In fact, many of the largest recent breaches resulted from lack of company oversight and insufficient security practices among contractors and third-party vendors. All it takes is one compromised privileged user account to allow an attacker to bypass all of your network defenses.
Since that final group of workers naturally has less oversight, keeping a closer eye on their activity and regulating their access is critical.
3. Audit privileged user behavior in real time with policy-based activity monitoring
Once a company has a firm grasp on its users and the data they have access to, it’s crucial to collect a forensic audit trail of activities in the network. Working in tandem with audit logging, organizations can then deploy activity monitoring systems to trigger alerts when a user’s activity violates company security and compliance policies.
For tailored and beneficial visibility, companies can adopt a policy-based monitoring methodology to track user behavior and flag suspicious activity. As with every security measure, it’s vital that a human element also be added into the equation. Once the monitoring technology is in place, there must be someone to sift through the triggers and ensure the flagged activity is indeed suspicious.
By implementing the human element to monitoring, companies can mitigate the risk of inadvertently stopping valid employee functions and incorrectly locking out users. A company can only be as effective as its best employees and a successful security program must balance data protection with access to ensure users have the ability to execute their necessary job functions.
Taking security to this next level of granularity will allow users to perform their assigned tasks while remaining confident they’re not putting their organization at risk. A holistic security program requires organizations to implement a process for identifying privileged accounts, demoting privileges if needed and then monitoring for privileged access misuse. Not only will applying these measures keep an organization safe in the long run, the knowledge alone that an employer uses auditing and monitoring technology is a huge deterrent against privileged user abuse.