“Least privilege” – time for a security rethink?
Published 01:08, 27 July 10
The Ponemon Institute recently released a very interesting report (registration required), commissioned by our partners at Aveksa. Using data from interviews with over 700 IT pros, the report shows that access control problems are getting worse, not better.
In the Ponemon report, 87% of those surveyed believed users had more access than they needed to do their jobs, a number up substantially from the 2008 survey. The report goes on to say that “Inappropriate access is a key source of both compliance and business risk”.
Although the principle of least privilege is elegant (and has been since its first formulation in 1974), it seems to be elusive, if not unworkable, in a modern IT environment.
Whether due to lack of budget, resource and/or business focus, IT continues to struggle from a security provisioning perspective with the constant changes to information assets and user access requirements.
As companies continue to turn to contractors and cloud services, widely implemented identity management technologies and role managers are struggling to appropriately control, revoke and apportion access rights.
The consequences of this deterioration have been clear on the database side for some time. Inappropriate privileges, however they arise, can be exploited by both insiders and malware and are a key factor in the security breaches we see today.
Given that we have been doing user access control administration for decades, one has to question whether we will ever come close to achieving least privilege in practice. If we conclude that the goal will continue to remain elusive we should be looking at ways to put in place compensating controls to achieve the desired result.
Compensating controls are commonly used in many IT systems and are in-scope from a systems or security audit perspective. The Information Systems Audit and Control Association (ISACA) defines them as “any internal control that reduces the risk of an existing or potential control weakness resulting in errors or omissions”.
I would argue that a logical compensating control in this case is user activity monitoring. User activity monitoring can help in a number of ways.
It allows you to see when core users are accessing systems or information they shouldn’t, and that information can then be used to tighten up the identity management rules currently in place.
For other users where it isn’t always clear what level of access is needed, user activity monitoring can baseline “normal” behaviour and monitor for things that fall outside that norm.
In both cases, the addition of user activity monitoring can significantly enhance the defence against insider threat and compromised accounts.
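To make the two monitoring cases above concrete, here is an added illustration (not code from the original post or from Aveksa) that runs both checks over a constructed access log: core users with known entitlements are flagged when they touch a resource outside them, and users with no defined entitlement are flagged when they step outside the baseline built from their own earlier activity. The log lines, user names, resource names and the baseline cut-off date are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (timestamp user resource action); invented for
# this example, not taken from any real system.
SAMPLE_LOG = """\
2010-07-01T09:02:11 alice hr_db read
2010-07-02T10:01:03 alice hr_db read
2010-07-02T11:30:52 bob crm_db read
2010-07-03T08:45:19 bob crm_db update
2010-07-20T02:13:44 alice payroll_db export
2010-07-21T16:05:30 bob crm_db read
2010-07-22T23:58:02 bob finance_share read
"""

# Core users whose entitlements identity management knows (constructed). Users
# absent from this map are judged against their own observed baseline instead.
ENTITLEMENTS = {"alice": {"hr_db"}}

# Accesses before this date build the baseline; later ones are evaluated.
BASELINE_END = datetime(2010, 7, 10)

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, resource, action = line.split()
        events.append((datetime.fromisoformat(ts), user, resource, action))
    return events

def build_baseline(events, cutoff):
    """Resources each user touched during the baseline window."""
    seen = defaultdict(set)
    for ts, user, resource, _ in events:
        if ts < cutoff:
            seen[user].add(resource)
    return seen

def find_anomalies(events, entitlements, baseline, cutoff):
    """Flag post-baseline accesses that breach a known entitlement (feed back
    into the identity rules) or fall outside a user's observed norm."""
    findings = []
    for ts, user, resource, action in events:
        if ts < cutoff:
            continue
        if user in entitlements:
            if resource not in entitlements[user]:
                findings.append((user, resource, action, "outside entitlement"))
        elif resource not in baseline.get(user, set()):
            findings.append((user, resource, action, "outside baseline"))
    return findings
```

Entitlement findings point at identity rules to tighten; baseline findings are the candidates for review where the right level of access was never clear.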
If Ponemon’s 87% figure is accurate, most organisations need to take a fresh look at the user access problem space. Compensating controls such as user activity monitoring offer a way forward.