The damage from the US federal government’s Office of Personnel Management data breach is only getting worse. First disclosed last month as affecting 4.2 million US federal employees, the number of compromised records has now reached 21.5 million people, including those who received government background checks over the past 15 years. Although the investigation is ongoing, it was announced yesterday that the hacker in both cases gained access to the OPM computer systems “via a compromised credential of a contractor.” The Home Depot and Target breaches in the private sector showed just how important it is to have strict control and accountability over third parties given access to sensitive systems. How do we overcome this perpetual vulnerability? In this blog I will summarize four steps:
  • Setting up a secured enclave for sensitive systems to isolate management
  • Requiring third parties to go through a proxy
  • Recording all sessions with dual control capabilities to view, terminate, etc.
  • Applying dynamic workflow (e.g. not allowing a third party to access these servers during production periods or after hours, depending on their management function) to further tighten access, and embracing behavior modeling to detect suspect activity
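As an added example (not the vendor's product code), here is a small Python policy check that ties the four steps together: a session is permitted only if it arrives via the proxy appliance, falls inside the window allowed for the vendor's management function and outside a production freeze, carries an independent employee approval, and is being recorded. The subnet, access windows, freeze dates and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed values for the example: the subnet the proxy appliance connects from,
# the allowed windows per vendor management function (weekday set, start, end, local
# time), and a production freeze during which no third-party session is permitted.
PROXY_NET = ip_network("10.0.100.0/24")
ACCESS_WINDOWS = {
    "db-maintenance": [(set(range(0, 5)), time(9, 0), time(17, 0))],
    "after-hours-patching": [(set(range(0, 5)), time(22, 0), time(23, 59, 59))],
}
FREEZE_PERIODS = [(datetime(2015, 7, 13), datetime(2015, 7, 14))]


@dataclass
class SessionRequest:
    user: str            # third-party account requesting the session
    function: str        # management function the vendor is contracted for
    source_ip: str       # where the connection to the target originates
    when: datetime       # local time of the request
    approved_by: Optional[str] = None  # employee who approved via the workflow
    recording: bool = False            # proxy session recording enabled


def evaluate(req: SessionRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); every unmet control adds a reason."""
    reasons: List[str] = []
    # Steps 1 and 2: the isolated server only accepts connections relayed by the proxy.
    if ip_address(req.source_ip) not in PROXY_NET:
        reasons.append("source is not the proxy appliance")
    # Step 4, dynamic workflow: the function's permitted window and freeze periods.
    windows = ACCESS_WINDOWS.get(req.function)
    if windows is None:
        reasons.append("unknown management function")
    elif not any(req.when.weekday() in days and start <= req.when.time() <= end
                 for days, start, end in windows):
        reasons.append("outside permitted window for this function")
    if any(start <= req.when < end for start, end in FREEZE_PERIODS):
        reasons.append("production freeze in effect")
    # Dual control: approval must come from an employee, not the requester.
    if not req.approved_by or req.approved_by == req.user:
        reasons.append("missing independent employee approval")
    # Step 3: every third-party session is recorded at the proxy.
    if not req.recording:
        reasons.append("session recording not enabled")
    return (not reasons, reasons)
```

The denial reasons are returned together so that the approving employee sees every control the request fails, not just the first one.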
Slipping through the cracks
Third parties can “slip through the cracks.” How? Beyond terminated accounts that are never disabled, or third-party users never removed from specific groups in the enterprise directory (such as Active Directory), these directory-level controls often do not extend to the local system, application, database and other accounts where privileged access may be granted. This is the benefit of an enterprise password and privilege management solution set. It may also be harder to detect when third-party users are given excessive native permissions and access these resources using the same methods as internal employees. This is why a product that manages, controls and reports on third-party access from a central location can help: it drives accountability down to the specific user.

Options for limiting third-party access
Many customers choose to extend VPN access to third parties, but in some cases the VPN may grant access only to the enterprise password solution, which then proxies all activities. At no time should these third parties have direct access to the managed assets. This is increasingly common in cloud management platforms and in virtual machines running in virtual and cloud environments. See the screenshot below for how we accomplish this.
[Screenshot: OPMBreach1]
Even if a vendor has a set of credentials for the managed resource, you still need a gateway proxy capability, in the same manner as providing access through a managed account. A common practice is to set up VPN access directly to an appliance which is used to proxy activities to a secured server. The server is completely isolated using firewalls so that it only accepts connections from the appliance. Workflow approvals can be set up to require employee verification and approval of the session. All current sessions can be viewed by an employee, with options to view, manage or terminate them. See a screenshot of how we do that below.
[Screenshot: OPMBreach2]
Recording and playing back sessions
Forcing third parties through a password appliance where all activities are recorded is standard practice, as is the ability to record sessions and play them back at a later date. Playback can be done either by sampling the recorded sessions or by reviewing specific sessions, depending on the activity performed and the criticality of the assets being managed.

Don’t be the next victim
Nothing these breach victims have done to this point was enough. A change in attitude must accompany a change in leadership. Defaulting to a least privilege model with automated password management and privileged session management is the only path forward. When millions of records, and potential victims, are at play, you have to assume you’re under constant attack and act accordingly. If you are interested in taking the next step in maturing your privileged account management deployment, contact us today.