This blog is another small effort to touch across the risk relating to Privilege accounts. I am sure all those who work in the information security field agree that privilege accounts pose a serious risk within organizations. With tens of thousands of users working on applications in an organization, the risk that privileged accounts pose within organizations is beyond what we can think of. However, at a time when statistics points, “more than 50% threats to an organization are from insiders”, have we assessed the risk relating to this seriously?
Some of the questions haunting us on privileged accounts must be:
- How many such accounts exist within our organization?
- Who all have access to these accounts in our organization?
- Which systems hold these accounts?
- Was the account granted for a specific period?
- Are these accounts subject to logging, review or audit?
- Are these accounts left active once the user left the organization?
Information security policy enforces that each process, user or program must be able to access only those information or resource that are required for its legitimate purpose. However, the reality is that applications, administrators and technology experts in organizations cannot complete their day-to-day activities with such controlled privileges. Each one of us would have come across with technicians’ or administrators who have the right to use windows administrator account or hold root privileges in UNIX enterprise systems. Most of the core applications and routine scripts used within the technology space come embedded with privileged accounts. However, by knowing the risk associated with these accounts, we cannot just take out these accounts. Privileged accounts are required, but the larger question remains, whether we have assessed the risk related to these privilege accounts?
When a business request takes an upper hand above the technology constraints not often, a request for privileged accounts is questioned. Accounts are created without proper justification and approval workflow. In addition, after its intended use, accounts are not disabled. A more difficult situation is when multiple users share such critical accounts. Privileged accounts often have full access to almost everything on the system. Organisations are facing the challenge in identifying inappropriate privileged account usage, and cannot often guarantee that privilege accounts are used responsibly. Malware exploits like stuxnet make use of this gap in security, which is enough to compromise the overall security of an enterprise. This is why SOX, HIPPA regulations stress on this essential component for having complience. Careless usage of privileged accounts can result in huge reputations, financial and legal impact to organizations.
It is high time organisations take a strict and continues look into this gap. Many organizations do not want to invest heavily in Identity and Access control solutions, but considering the challenge and complexity, they do not have an option than brining in a solution to manage these critical accounts. Organisations must empower administrators with tools, which can:
- Determine the count of privileged accounts
- Identify the users who own these accounts
- Identify the systems which use these accounts
- Review the risk associated with those accounts
- Control the access granted to these accounts
- Log and audit these accounts
- Identify unauthorized usage of these accounts
- Showcase the principle of least privilege
A one-stop solution must be in place that can Authenticate, authorize and enforce Accountability. A review of the existing controls/process in place on privilege accounts. Separation of duties, Training and awareness is not enough to manage this risk. In this age while organizations invest heavily in technology products, focus must be given to review the insider threats and on technology & strategies relating to privileged in management.