Vormetric Data Security recently
released an insider threat report, with research conducted by HarrisPoll and analyzed by Ovum. Based on the survey responses, it is apparent that there is still a great deal of insecurity over data. However, the results also show that there may be misplaced investments to address those insecurities. I will explain this position while reviewing the conclusions from the report, and identify some best practices to avoid becoming the next security breach headline.
First, let’s look at the data. When asked about who posed the biggest internal threat to corporate data, 55% of respondents to the Vormetric study said privileged users. Correspondingly, half of organizations have deployed privileged account management technology.
The survey results also indicated that 56% of respondents would be looking to increase their security spend to deal with insider threats next year. But here’s where things get weird. According to the results of the study, the leading categories where organizations plan to increase security spend during the next 12 months were: Network defenses (52%), Endpoint, Mobile device protection (50%), and so on.
Wait a sec. If we agree that preventing a data breach incident is a top security spending driver (and the report says it is), and we also agree that the biggest threat to corporate data is privileged users (and the report says it is), where in this list was investment in privileged account management? And why do only half of companies deploy privileged account management technology?
I would argue that to address the issue of insider threats to data companies are investing in the wrong areas. Here is a set of five best practices to get you on the road to better privileged account management to better protect access to data.
Secure the last mile without frustrating end users
Your user’s desktop and laptop systems are a significant attack surface, and generally the last mile of security. Start with
enforcing least privilege on endpoints. Removing local admin can help to reduce as many as
80% of system vulnerabilities. Look for critical capabilities around risk compliance, session and file integrity monitoring to protect access to data, and elevating privileges by application and not by user so you can better control who can do what with their rights.
Lock down access to tier 1 systems
I would guarantee that you have tier 1 business-critical systems running on
UNIX or Linux, and if you are like many companies there are few controls over privileged delegation to those systems. Traditional responses to this problem have been inefficient and incomplete (such as native OS options) or
not secure enough (such as sudo). Delegating UNIX, Linux and Mac privileges and authorization without disclosing passwords for root or other accounts is essential, as is recording all privileged sessions for audits, including keystroke information. To go the next step,
integrate UNIX, Linux and Mac systems into Active Directory for centralized authentication, single sign-on and Group Policy extensions for centralized configuration management.
Take control of passwords
The problem of shared credentials has significant scale and risks, from embedded or hardcoded passwords, application-to-application and application to database access, and inconsistent rotation. Where
privileged password management deployments often fail is in not considering all of these scenarios. Deploying a single, hardened, appliance-based solution with broad platform support and functionality, discovering and profiling to give greater control, monitoring sessions with full playback, and using standard desktop tools for session management are
best practices to achieving control and accountability over privileged passwords.
Establish a baseline and audit ongoing user activity
Can you answer the “who, what, when and where” behind changes to critical systems? If you haven’t established a permissions baseline and are not able to
centrally audit changes over time, you are missing a critical step in controlling privileged access.
Report on risk
Since a privilege problem tends to involve more than one department in the organization, how well are you able to satisfy the reporting, auditing and management needs of multiple stakeholders from operations to security to compliance? Providing security and IT operations teams a
single view of all assets and user activity reduces risks while helping to maximize the value of existing security investments.
Through a more programmatic approach to privileged account management – covering every scenario – providing deep analytics and extending insights out beyond privilege, you will have stronger controls in place to protect your most valuable asset – your data. Invest here first.
