Authored by Robin Cohan, Offering Manager, IBM Security Identity Management.
Data breaches have become all too common in the news these days, almost to the point that we are growing to accept their inevitability and impact. But breaches are very costly to remediate after the fact. More importantly, it can be devastating to an organization’s reputation when such a breach is made public and trust is lost.
An Insider Threat Can Wreak Havoc
As it turns out, most of these breaches ultimately can be traced back to an insider threat. Most people associate insider threats with disgruntled employees or ex-employees, which is very common and difficult to anticipate on an enterprisewide scale. However, unintentional mistakes by underskilled privileged users can also wreak havoc.
Enterprises expose themselves to well-publicized damage when privileged credentials are hijacked by cybercriminals who are able to penetrate the network perimeter and then have unfettered access to sensitive data due to weak controls. This may include passwords written on desktop sticky notes or shared passwords maintained in undersecured spreadsheets.
It’s also important to note that privileged access controls are not just a security concern, but also a corporate governance concern. Many of the industry-specific regulations worldwide require strict access controls for privileged users.
The Right Approach to Risk Management
In thinking about how to address these risks, organizations need to take a balanced approach. To be sure, strict controls need to be placed on the most sensitive access credentials. The use of those credentials must be restricted and tracked when used. Details of privileged access use must be available for forensic investigations and audits.
However, there also needs to be a consideration for productivity. Those same privileged users will be responsible for restoration of application access in case of an outage or regular application maintenance within a tight maintenance window. Thus, the productivity of those users is a key consideration.
Another factor to keep in mind is the nature of those privileged users. They may be traditional IT administrator employees, but they could also be outsourced IT contractors. Or they might not be IT employees at all but rather line-of-business data administrators. In all cases, anyone with access to sensitive data needs to be tracked.
Even applications or scripts that require the use of elevated privileges to access databases and other applications need to be monitored. This category is often the least controlled and the most vulnerable. Cleartext passwords, which are typically never changed in these scripts and applications, can easily be compromised by a knowledgeable but disgruntled insider or an experienced cybercriminal.
The market has responded to the insider threat with many point solutions and an impressive array of security features to address these risks. However, given the increasing sophistication of today’s well-funded cybercriminals, no single solution is enough. Organizations need a layered approach using a cohesive set of well-integrated applications that each address a different aspect of the insider threat problem.