Prompted by the intense news coverage surrounding former NSA contractor Edward Snowden and the WikiLeaks website, enterprises are as concerned as ever about the threat of insiders leaking sensitive information. Despite that concern, newly released survey results indicate that many organizations lack fundamental controls for limiting and monitoring the activity of privileged users, a key step in mitigating the insider threat.
For its newly released report, "Privileged User Abuse and the Insider Threat," the Ponemon Institute surveyed nearly 700 users with in-depth knowledge of how their respective organizations manage privileged users. Out of those respondents, 88% signaled that they expect the risk stemming from privileged users to stay the same or grow in the coming years.
Unsurprisingly, the concern over privileged user abuse is directly connected to the increased fretting over insider threats, with 89% of those surveyed indicating that the Edward Snowden and WikiLeaks incidents caused their companies to worry more about insiders. Still, the Ponemon survey found that many enterprises continue to struggle to rein in privileged users.
For instance, 49% of respondents described the process for assigning user rights at their organizations as "ad hoc," down only slightly from the 51% of users who said the same in the 2011 iteration of the report. Almost half of all users also indicated that manual processes involving emails and spreadsheets are used to review and certify privileged users. That statistic is likely linked to the lack of spending on privileged user controls and insider threat mitigation -- 88% of those surveyed said that an ample budget is required to have success managing user rights, while 30% indicated that monitoring privileged users is too expensive.
Michael Crouse, director of insider threat strategies for Raytheon Co., which sponsored the Ponemon Institute report, noted that the inability to monitor the activities of privileged users puts sensitive corporate data at risk, even in scenarios where the user doesn't harbor malicious intentions. Crouse pointed to a 2013 report from Carnegie Mellon's Software Engineering Institute which showed that 52% of insider threats were the result of an accident.
Respondents to the Ponemon survey seemingly confirmed Crouse's thinking, with only slightly more than a quarter of them indicating that an insider threat would most likely be carried out by a disgruntled user leaking data. Instead, those surveyed were more concerned about privileged users who work from home and users who were not properly vetted before receiving access rights.
Crouse said enterprises must take a more active role in monitoring privileged users, much in the same way that a foreman at a car manufacturing plant in Detroit would monitor the employees working on an assembly line.
"In the digital age, you still need to be auditing your workforce. We're seeing people that have access to information that you've trusted over the years, but that are maybe doing something stupid with the data now, or maybe their view of your company has changed over the years," said Crouse. "Trust these employees, but verify that they're staying within their roles and not going outside their responsibilities."
Managing privileged users
As is often the case with security issues, Crouse said companies attempt to use technology to plug holes in processes -- more than seven out of 10 respondents currently use authentication and identity management tools, for example -- a move that causes as many problems as it solves.
Case in point: more than two-thirds of respondents said that security tools don't provide enough contextual information to determine whether an insider is taking threatening actions, while 56% decried the number of false positives created by those very same tools that only served to muddy the water. In fact, 42% of respondents indicated no confidence in their organizations' abilities to monitor user actions for policy violations.
Before worrying about picking the right technology, Crouse said that organizations should focus on implementing a number of basic provisions to better control the access rights being granted to users, many of which involve putting the right people in place to manage processes.
First, Crouse advised enterprises to establish a lead contact through which all access rights can be managed. Slightly more than half of Ponemon survey respondents said that business unit managers are responsible for granting privileged access to users, with IT operations and application owners also popular choices.
There is no right or wrong choice when it comes to picking that privilege management program lead, according to Crouse, but organizations must ensure that there is another, separate person in place to verify that changes to user rights are made when necessary. Just by implementing those simple processes, he said, organizations will be able to reduce much of the risk surface stemming from loose access control policies, including one of the most persistent issues: not revoking user rights when an employee leaves an organization or switches roles.
Once those key contacts are established, Crouse said organizations can then tackle the problem of privileged access rights being granted too liberally -- 54% of those surveyed by Ponemon said that users are granted rights that range beyond their job roles and responsibilities. To do so, the designated lead contacts should establish formal relationships with other key stakeholders when granting and revoking access rights.
"For example, I'm a business unit manager and I've got someone that comes in and requests access to a certain database. Even though the business unit manager has the final say, they really need to get with the other stakeholders, whether it's security, HR or even legal," said Crouse. "If they just blindly [issue access rights] without getting that double check from other stakeholders, that's where the process breaks down."