So you give someone privileged password access to all of Active Directory, or an Exchange server, or a SQL Server. Do you have any idea what they do when they log onto a server? Are they doing the job they’re supposed to, or are they focusing on something more malicious?
A recent survey by the Information Security community on LinkedIn found that 59% of organizations see privileged users as posing the greatest insider threat, with 62% believing insider attacks are far more difficult to detect and prevent than external attacks.
And they’re right.
You’ve handed the keys to some or all of the kingdom and, without standing over their shoulder as they work, you have little insight as to whether or not that SQL server admin exported a copy of the database containing credit cards and emailed it to himself via gmail while doing some routine database maintenance.
If you’re serious about protecting the organization (and you know you are), IT can no longer use trust as a security strategy. You already have some constraints around who has access to privileged passwords; it’s time to find appropriate levels of control and management around what someone does with the access.
There are a few aspects of this kind of watching that you need to consider:
- The Where – an account with local access rights on multiple Windows servers can log onto more than just the one server you intended. Do you want to limit access to a small number of servers or devices?
- The How – Sticking with the Windows example, do you want someone to be able to only log on when physically present at the server? Via MSTSC (or PuTTY in the case of Unix)? Or only use the credentials to remotely manage parts of a server, such as services?
- The What – This is the big one; what are they specifically doing while logged on? You should be thinking about whether you want to be able to shadow a session, pause and/or kill it, and even record it for later playback.
