Recently we've learned more than we ever expected about government surveillance. A single act by an IT systems administrator has launched thousands of headlines. In this case, the system administrator in question was a government contractor, but the concept applies to organizations of every size and industry who allow network access to "trusted insiders."
The act – an insider using elevated privileges to access, copy and remove sensitive data – demonstrates just how catastrophic a few keystrokes and clicks can be. Clearly the impact of this incident is amplified by its subject matter; however, all organizations, commercial and government alike, can treat it as a lesson in mitigating the damage that "trusted insiders" are capable of.
As a matter of definition, elevated privileges provide the level of access required to perform critical tasks across systems and applications. These tasks are often carried out by administrators, helpdesk staff, contractors and IT staff who, often unnoticed, log on to critical systems to keep the business running: running maintenance routines, performing system upgrades and improvements, and scheduling and verifying backups and recovery. End users may also hold these privileges to perform similar functions or to operate applications that require them. However, because delegating and managing elevated privileges takes time and effort, many organizations simply grant users excess privileges, such as local desktop administrator, which may ease the burden on IT in the short term but raises significant risk to the business in today’s complex cyber-driven environment.
At the end of the day, a healthy portion of IT operations, security and compliance comes down to minimizing risk to those operations. This concept drives security strategies, remediation plans and usage guidelines. It also should drive how access and privileges are granted.
Every executive and engineer knows that if you can’t measure it, you can’t manage it. This is true of financials, sales, server performance, network latency, etc. But it is equally true of the elevated privileges granted within your IT infrastructure. Unless you have a complete view of the rights doled out to employees, partners and even contractors, and of the risks in exercising those permissions, there’s little chance of satisfying the auditors when it comes time to file compliance paperwork. Many organizations leverage their directory infrastructure to manage this at the corporate level, but local system accounts on critical servers, on network devices – especially those built on open source operating systems – and on endpoints must also be accounted for.
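As an added example (not code from the original article), the following Python audit builds the kind of local-account inventory described above for a Linux/UNIX host: it parses passwd- and group-format data and lists every account that is root-equivalent (UID 0) or a member of an administrative group. The sample file contents are constructed, and the set of administrative group names is an assumption to adjust per site; on a real host you would feed it the contents of /etc/passwd and /etc/group.

```python
# Added example: inventory local accounts holding elevated rights on a
# UNIX-like host by parsing /etc/passwd and /etc/group content.
# Group names that commonly confer admin rights; assumption, extend per site policy.
ADMIN_GROUPS = {"wheel", "sudo", "admin"}

# Constructed sample data in /etc/passwd format (note the second UID-0 account).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
"""

# Constructed sample data in /etc/group format.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:alice,bob,svc_backup
"""

def parse_passwd(text):
    """Return {username: uid} from passwd-format text, skipping comments and blanks."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_group(text):
    """Return {groupname: set of supplementary members} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def privileged_accounts(passwd_text, group_text, admin_groups=ADMIN_GROUPS):
    """Map each privileged username to the reasons it holds elevated rights.
    Only UID 0 and supplementary membership in admin_groups are checked; a
    primary GID pointing at an admin group is not considered here."""
    groups = parse_group(group_text)
    findings = {}
    for user, uid in parse_passwd(passwd_text).items():
        reasons = ["uid 0"] if uid == 0 else []
        reasons += [f"member of {g}" for g in sorted(admin_groups) if user in groups.get(g, ())]
        if reasons:
            findings[user] = reasons
    return findings
```

Running `privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)` on the sample data flags the hidden second UID-0 account `toor` alongside `root`, and the two sudo-capable users, while the locked-down service account is absent from the report.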