Rockin’ Role-Based Security – Least Privilege

The “between a rock and a hard place” discussion at this year’s RSA Security Conference was the battle between Apple and the FBI to unlock an iPhone that was used by one of the San Bernardino shooters. But with over 40,000 attendees, 500 exhibitors, and hundreds of sessions, other topics were discussed as well.

RonLaPenisImage

According to a survey done at the conference by Bromium, 70% of a sampling of attendees stated that users are their biggest security headache. This jives with previous surveys; which means that users were, are, and probably will continue to be one of the biggest security holes that organizations face.

Whether the “user” is an actual employee (the insider threat) or a cyber criminal who’s appropriated the credentials of an employee (making a guest appearance as the insider threat) is immaterial. Employees are our biggest threat, not only because they can maliciously or unintentionally cause data breaches, but because they are not equipped to deal with the tactics of cybercriminals, who covet their credentials – especially those of insiders with privilege. In either case, your employee is still a threat to your organization. So how do you eliminate threats from your users? You can’t!

Just like you cannot stop a hurricane, you cannot eliminate cyber threats. But just as you can harden buildings and build surge barriers to protect against hurricane damage, you can use appropriate user management and access controls to prevent or mitigate a breach caused by a cyber threat.

Let me postulate that the best way to prevent a breach is to not allow the actor (or threat) to access the information that they are targeting. In plain English, this means least privilege. Rather than giving your employees access to everything and anything, use proper access controls and user management to lock down your employees so that they can only access the systems and information that they specifically need to perform their jobs. You are not eliminating the threat, but rather are trying to minimize it through compartmentalization. For example, marketing people don’t need access to your finances, so lock them out. Similarly, programmers should never be granted access to production systems except in extreme circumstances. And have you even considered time- or location- based access? When should your employees have access to key information and where should they be sitting when they are allowed to access it? Should I be able to download the plans for a new product after hours from a country different from my office?

When an employee changes roles, ensure that their access changes with them – without a time lag which could give them to attack. Using anIdentity Lifecycle Manager (ILM) tied to your HR database would be a good way to ensure proper initial provisioning along with ongoing access maintenance. An employee’s access lifecycle needs to stay congruent with their HR lifecycle. If your ILM also includes an analytics engine that can pop up nonsensical or out-of-the-ordinary access grants, so much the better.

But you cannot just buy an ILM and tell your board that your work is done. An ILM is useless unless you know what each role should be allowed to access. And that means working with your business units to define the roles within them.

Don’t accept that departments need dozens to hundreds of roles; that just means someone is being lazy. Nor do you want too few roles, forcing the system into a large number individual access grants. Like Goldilocks and her three bears, there is a “just right” which you will need to work out.

This is where access risk scoring might help you out. A risk score provides a means for determining or calculating risk for users, applications, business roles, or permissions. If the risk is low, perhaps you don’t need to create another role that manages access to a specific resource. But if the risk is high and you have to split the user population, then another role might be needed.

Finally, you want to combine least privilege with automated role changes, policy-based access, and change monitoring. This powerful combination can help to ensure that users don’t have access to what they shouldn’t and allow you to determine if someone is doing something out of the ordinary with something that they can access. By combining user activity and change monitoring you can watch how users (especially privileged userslike sysadmins) use the rights they’ve been granted. It helps you spot and address unauthorized activity with concise, easy-to-read alerts that provide the “who, what, when and where” of unauthorized activity.

Ron LaPedis
Share this post:
Tweet about this on TwitterShare on FacebookShare on LinkedInGoogle+

Leave a Reply

Your email address will not be published. Required fields are marked *