Controlling and managing access is how you win in security – and you can’t control what you don’t know you have.
A key component of controlling access and maintaining least privilege is data discovery. Access is all about managing, controlling, and protecting critical information. However, if you don’t know what your critical information is and where it is located, how can you properly protect the information?
With endpoints, it’s all too easy to copy critical information, and consequently, key pieces of information will often exist in a large number of locations, which is unwieldy to control and manage. If a manager sends a critical customer proposal with sensitive information to their team to review, most people will save a local copy on their system. Now that information exists in many locations and control of the information has been lost.
Fortunately, there are still several ways of managing information sprawl, but doing so requires a change in mindset.
Limit the Amount of Data Stored on Endpoints
The first approach is to limit the information that is allowed to be stored on endpoints, either by buying systems with small hard drives, or by utilizing thin clients to reduce the amount of information and exposure that exists for a single system.
While this approach does work in some cases, it is not always scalable with regard to mobile laptops and the need to work and access information without an Internet connection. In those cases, endpoint-based access control software is critical to manage and control what information can be accessed and when it can be accessed. Just because information resides on a laptop does not mean it should be accessible at all times and in all locations.
Frequently, when a system gets compromised, there is a lot of extraneous data that the user has access to that was not required for them to do their job. This means that, for a large percentage of the information stolen, the user did not require it. If access had been properly maintained, the amount of damage from the attack would have been greatly reduced.
While performing data discovery, it is important to: 1) Understand where critical information is located, 2) Determine who needs access to the information, and 3) Control access to minimize potential damage.
The easiest way to think about data access is to consider that the more access a given user has, the more exposure is created when their account and/or credentials are compromised. In any given system, it’s only a matter of time before a certain number of user credentials become compromised. While multi-factor authentication can help prevent this up to a point, controlling damage by minimizing exposure provides an optimal level of protection. Controlling and managing access is how you win in security.
Monitoring and Revoking Access
If controlling and managing access is the first step, then monitoring and revoking access is a close second. When an account becomes compromised, there is a distinct difference in behavior patterns that can be observed – assuming this information is being logged and monitored. With careful analysis, data breaches can be detected early, which aids in containing the damage.
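The behavior-pattern difference described above only becomes visible if a baseline exists to compare against. The following is an added example, not code from the post or from BeyondTrust: it builds a per-user baseline (source hosts, hours of activity, daily event volume) from an initial window of access-log lines and reports later events that deviate from it. The log format, the sample lines, the review date and the volume threshold are all constructed assumptions.

```python
"""Baseline-and-deviation check over a file-access log.

Added example for this post (not BeyondTrust's code). The log format
"<ISO timestamp> <user> <source host> <action> <object>" and every
sample line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log: two normal days for alice and bob, then a
# third day on which alice's account reads many files at 02:00 from a
# host she has never used before.
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice ws-alice-01 READ /shares/finance/q1_forecast.xlsx
2024-03-04T10:02:17 alice ws-alice-01 READ /shares/finance/q1_budget.xlsx
2024-03-04T14:45:30 alice ws-alice-01 READ /shares/finance/vendors.xlsx
2024-03-05T08:58:03 alice ws-alice-01 READ /shares/finance/q1_forecast.xlsx
2024-03-05T11:20:44 alice ws-alice-01 READ /shares/finance/payroll_summary.xlsx
2024-03-04T09:05:00 bob ws-bob-02 READ /shares/eng/design.docx
2024-03-05T09:15:00 bob ws-bob-02 READ /shares/eng/roadmap.pptx
2024-03-06T02:14:09 alice vpn-pool-17 READ /shares/finance/q1_forecast.xlsx
2024-03-06T02:15:12 alice vpn-pool-17 READ /shares/finance/q1_budget.xlsx
2024-03-06T02:15:40 alice vpn-pool-17 READ /shares/finance/vendors.xlsx
2024-03-06T02:16:03 alice vpn-pool-17 READ /shares/finance/payroll_summary.xlsx
2024-03-06T02:16:30 alice vpn-pool-17 READ /shares/finance/bank_details.xlsx
2024-03-06T02:17:01 alice vpn-pool-17 READ /shares/finance/contracts_2024.pdf
2024-03-06T02:17:25 alice vpn-pool-17 READ /shares/finance/customer_list.csv
2024-03-06T09:30:00 bob ws-bob-02 READ /shares/eng/design.docx
"""

# Assumed review boundary: events before this date form the baseline,
# events on or after it are checked against the baseline.
REVIEW_START = date(2024, 3, 6)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, obj = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "obj": obj})
    return events


def build_baseline(events, review_start):
    """Per-user baseline from events dated strictly before review_start."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(),
                                "per_day": defaultdict(int)})
    for e in events:
        if e["ts"].date() >= review_start:
            continue
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        b["per_day"][e["ts"].date()] += 1
    return base


def find_deviations(events, review_start, volume_factor=2):
    """Report (user, kind, detail) tuples for review-period events that
    use a new host, fall outside baseline hours, or exceed
    volume_factor times the user's busiest baseline day."""
    base = build_baseline(events, review_start)
    findings = set()
    per_day = defaultdict(int)
    for e in events:
        if e["ts"].date() < review_start:
            continue
        user = e["user"]
        b = base.get(user)
        if b is None:
            findings.add((user, "no_baseline", e["ts"].isoformat()))
            continue
        if e["host"] not in b["hosts"]:
            findings.add((user, "new_host", e["host"]))
        if e["ts"].hour not in b["hours"]:
            findings.add((user, "unusual_hour", f"{e['ts'].hour:02d}:00"))
        per_day[(user, e["ts"].date())] += 1
    for (user, day), count in per_day.items():
        b = base.get(user)
        if b and b["per_day"]:
            typical = max(b["per_day"].values())
            if count > volume_factor * typical:
                findings.add((user, "volume_spike",
                              f"{count} events vs baseline max {typical}"))
    return sorted(findings)


def run_example():
    """Run the check over the constructed sample log."""
    return find_deviations(parse_log(SAMPLE_LOG), REVIEW_START)


if __name__ == "__main__":
    for user, kind, detail in run_example():
        print(f"{user}: {kind} ({detail})")
```

In practice the baseline window would be weeks rather than two days and the thresholds tuned per environment, but the shape is the same: the signal is not any single read, it is the combination of a new source, an unusual hour and a burst of activity for an account that normally behaves predictably.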
Ultimately, the best way to stop access is by revoking access when it is no longer required. For example, if a user has privileged access to a system that has not been used in “n” days, why are they still granted access to that privilege? It is analogous to setting the archive bit on a file and, after a period of time, allowing the backup solution to archive the file since it is stale. This step sounds so simple, yet it is often overlooked. I have seen cases where employees have left the organization and their accounts remain active.
Managing Access for Dormant Accounts
In addition to revoking access of employees who left the organization, managing access for dormant accounts is just as important. Often, when organizations implement systems or new processes, they will set up accounts for everyone in the organization with a default account, requiring users to change the password after the first time they log in.
However, in many cases employees never log in and/or never use the system. Yet, those accounts remain active and are sitting targets for hackers. The reason why hackers love dormant accounts is because, all too often, no one will notice if the account is being used for anomalous purposes.
Therefore, all accounts must be carefully monitored, any employees or contractors who left the organization must be removed, and any dormant accounts that have not been logged into for a certain period of time must be disabled. This is true for any local accounts, applications, cloud resources, and even partner systems that are outside of the management policies an organization maintains.
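The "not used in n days" rule for privileges and the "not logged into for a certain period" rule for dormant accounts are the same kind of periodic review, so one script can do both. The following is an added example, not code from the post or from BeyondTrust: it takes account records joined with an HR status, plus privilege grants with a last-used date, and produces disable and revoke actions. The record layout, the sample users, the review date and both thresholds are constructed assumptions; real thresholds come from policy and the records from the directory and HR systems.

```python
"""Periodic access review: disable departed or dormant accounts and
revoke privileges that have not been used in "n" days.

Added example for this post (not BeyondTrust's code). All records and
thresholds below are constructed for illustration.
"""
from datetime import date

AS_OF = date(2024, 3, 31)      # assumed date the review is run
DORMANT_DAYS = 90              # assumed: no login in 90 days -> disable
PRIVILEGE_IDLE_DAYS = 30       # assumed "n": privilege unused 30 days -> revoke

# Constructed account records: directory data joined with HR status.
ACCOUNTS = [
    {"user": "alice", "hr_status": "active", "created": date(2023, 1, 10),
     "last_login": date(2024, 3, 28)},
    {"user": "bob", "hr_status": "active", "created": date(2023, 6, 1),
     "last_login": date(2023, 11, 2)},
    {"user": "carol", "hr_status": "terminated", "created": date(2022, 4, 5),
     "last_login": date(2024, 2, 14)},
    # default account created for a rollout, never used
    {"user": "dave", "hr_status": "active", "created": date(2023, 12, 1),
     "last_login": None},
    # brand-new account, still inside the dormancy window
    {"user": "erin", "hr_status": "active", "created": date(2024, 3, 15),
     "last_login": None},
]

# Constructed privilege grants with the last date each was exercised.
GRANTS = [
    {"user": "alice", "role": "finance-share-admin", "last_used": date(2024, 1, 5)},
    {"user": "alice", "role": "finance-share-read", "last_used": date(2024, 3, 28)},
    {"user": "bob", "role": "build-server-admin", "last_used": date(2023, 10, 30)},
    {"user": "carol", "role": "hr-db-admin", "last_used": date(2024, 2, 14)},
]


def days_since(d, as_of):
    return (as_of - d).days


def review_accounts(accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return (user, 'disable', reason) for departed or dormant accounts.
    An account that never logged in is measured from its creation date,
    so a fresh account gets a grace period before it counts as dormant."""
    actions = []
    for a in accounts:
        if a["hr_status"] != "active":
            actions.append((a["user"], "disable", "hr_status=" + a["hr_status"]))
            continue
        last = a["last_login"] or a["created"]
        idle = days_since(last, as_of)
        if idle >= dormant_days:
            why = ("never logged in" if a["last_login"] is None
                   else f"last login {idle} days ago")
            actions.append((a["user"], "disable", why))
    return actions


def review_grants(grants, accounts, as_of=AS_OF, idle_days=PRIVILEGE_IDLE_DAYS):
    """Return (user, 'revoke', role, reason) for privileges that are idle
    longer than idle_days or belong to an account being disabled."""
    disabled = {u for u, act, _ in review_accounts(accounts, as_of) if act == "disable"}
    actions = []
    for g in grants:
        if g["user"] in disabled:
            actions.append((g["user"], "revoke", g["role"], "account being disabled"))
            continue
        idle = days_since(g["last_used"], as_of)
        if idle > idle_days:
            actions.append((g["user"], "revoke", g["role"], f"unused for {idle} days"))
    return actions


if __name__ == "__main__":
    for action in review_accounts(ACCOUNTS) + review_grants(GRANTS, ACCOUNTS):
        print(*action)
```

Note that alice keeps the read role she uses daily but loses the admin role she has not touched in nearly three months, which is exactly the reduction in exposure the post argues for: the account stays useful while the damage a compromise of it could do shrinks.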
BeyondTrust Can Help
Eliminating excessive rights on user endpoints is a common starting point for many organizations to close avoidable security gaps, but legacy approaches to solving this problem are insufficient. Existing tools lack visibility into the security profile of applications targeted for elevation, and the risk-reducing effects of eliminating over-privileged users are negated if a vulnerable or exploited application is elevated for use. The traditional approach to solving these endpoint least privilege problems requires security and IT teams to cobble together point tools from multiple vendors resulting in unnecessary complexity and cost, and no visibility into user behavior throughout the enterprise.
BeyondTrust solves this problem by:
If you would like to learn more about how BeyondTrust can take these best practice recommendations and translate them into real use cases, download my white paper, It’s All About the Endpoint: Protecting and Enabling End Users with Least Privilege.