Preventing the abuse of privileged rights in a cloud computing environment

There was a time when the lives of those tasked with managing an enterprise’s IT security was, well, simple. Firstly, there were employees; who you knew about and (largely) trusted. You knew who they were, where they sat, what jobs they did, (and so what systems they used). And crucially, when they left.

And then there was everyone else. Your job was to keep everyone else outside the perimeter and only let in those who were deemed important and who you trusted.

Well, life ain’t so simple these days and I suspect those now charged with IT security would read that first paragraph and silently weep. In a relatively short period of time, just about every aspect of corporate life had been turned upside down, from who is accessing the system, to where they’re sitting, to what systems they are using and, most crucially, what they are actually doing.

Many IT security professionals reading this might by now be wondering, ‘so now I have to keep tabs on what people are doing too?’ But before you accuse me of having Orwellian thoughts, let’s focus on a group of people who represent both the life-blood of an organisation and perhaps the greatest threat to it; privileged users.

If we can create a more robust, ie, more effective, privileged access management strategy (PAM) that addresses this particular group then we are both heading back towards those halcyon days and securing a less risky future for the organisation.

Let’s consider the risks attached to the current status quo and then look at the ways that a more effective PAM can help eradicate them.

Firstly – and most significantly – the greatest risk to the organisation is going to come from this group. In fact, 55 per cent of all cyber-attacks last year were carried out by people who had privileged access to an organisation’s IT system (IBM’s 2015 Cyber Security Index).

Secondly, current security systems are falling behind in their abilities to provide an effective deterrent. An example. According to a research study that my company commissioned last year, 50 per cent of the sample felt it would be either difficult or very difficult to identify whether any ex-employees still had access via accounts to resources on their network; the same percentage (50 per cent) thought the same about ex-third party providers accessing their network and an even bigger proportion (55 per cent) thought the same about ex-contractors accessing their networks.

Now we’re aware that most large enterprises have workforces that appear to be in a permanent state of flux and can, at any one time, comprise a large number of both staff (full time and part time) and contractors. (And that keeping security tabs on all these is a major headache for the IT department). But we were left with the view that these security lapses create notoriously ‘porous’ organisations that can, in turn, leave the company at considerable risk to a cyber-attack.

The two most significant challenges in this area, then, comprise Control and Visibility.

Being in control means being able to successfully manage users so they are accessing the right resources at the right time. This relatively simple step will dramatically reduce the risk of a security breach. However the vast majority of firms are - for legacy reasons - reliant on directory services to control access and manage the users on a network infrastructure. The problem with that is it’s easy enough to grant access but much (much) harder to actively control or even revoke it.

Problem number two is around visibility. You may know that you have a set of privileged users who log into a critical infrastructure of systems containing highly sensitive data but do you know when, for how long and what they are doing during those sessions?

Here are my recommended five steps that should support a more effective PAM:

  1. Those shared accounts have got to go. Organisations must have the ability to generate, hide, disclose, change or sustain passwords targets and secure them in a certified safe.
  2. Access control. Being able to define, award and easily revoke access to each system for each privileged user is a must.
  3. Monitoring: the ability to view and control the connections and user activity on systems, and generate alerts on events. This is not only a big help when it comes to compliance but also in the event of a breach.
  4. Seeing is believing: having the ability to watch video recordings of user sessions privileges.
  5. Audit: the ability to create a reliable and enforceable audit trail of all activities of users privileges on the target systems.

Bruce Jubb, Head of UK, Ireland and Nordics, Wallix

Image source: Shutterstock/Arcady