I'm faced with a challenge to create a policy for separate administrator accounts for all employees who require privileged access. I've implemented similar policies in other organizations, but in those situations the community of users with such access was fairly limited -- fewer than 20 people. In my current role, the community is in the 100s and their access includes Windows, Linux, Oracle and SAS. I've spent some time speaking with others in my company about creating separate admin accounts and received some pushback. Have you seen such policies implemented successfully in larger organizations? What are your thoughts on separate administrator accounts?
Pushback is a common problem faced by new employees and hired consultants tasked with improving information security. Existing network administrators can take new initiatives as criticism of the infrastructure and security environment they've created, or simply not be happy about changing polices that appear adequate and acceptable to them, particularly if it involves extra work. However, it is important that colleagues and senior management accept that this proposal is a sound one, based on industry best practices.
Users with system administrator or privileged access accounts should use a regular user account to perform routine, non-administrative tasks. This is an essential control in any information system as it helps enforce the key security principle of least privilege. It is considered industry best practice by US-CERT, SANS and the National Security Agency, and required in every information security and compliance standard. Limiting an account's privileges minimizes the impact of a compromise. For example, malware is typically introduced during routine tasks such as browsing the internet and reading email. Malware installed while a user has system administrator level privileged access has far greater potential to cause damage than those installed by someone using a regular user account. Having separate accounts also makes log analysis a lot easier as a great deal of irrelevant information is removed from any review of system administrator activities -- another important security control.
A presentation to colleagues referencing standards and publications such as ISO/IEC 27001:2013 (a specification for an information security management system), NIST Special Publication 800-14 (Generally Accepted Principles and Practices for Securing Information Technology Systems) and NIST Special Publication 800-53 (Security Controls and Assessment Procedures for Federal Information Systems and Organizations) should help convince them of the importance of separate administration accounts. Similar recommendations also appear in various publications by technology vendors, such as Microsoft's Best Practices: Using a Separate Account for Admin Tasks and Oracle's Database Vault Best Practices.
If management still can't see the importance of creating additional processes, roles and admin accounts to achieve least privilege, then some real-world stats may help. Privilege misuse is actually highlighted in Verizon's 2016 Data Breach Investigations Report. According to Verizon, privilege misuse accounted for over 15% of all incidents. In its 2015 report, 55% of insider misuse incidents involved access abuse, indicating a growing problem of employees having more privileges than they need to for performing their day-to-day tasks.
Having administrators change between accounts is a minor inconvenience compared to the time and money it could save in dealing with a compromised privileged access account. Once separate administration accounts for all employees who require privileged access have been implemented, ensure everyone understands the importance of not synchronizing passwords across their different accounts, as this reduces the benefit of separate accounts.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Find out how organizations can control and manage system privileges
Read how many companies are still failing to implement privileged user controls
Learn how to address the risks of unstructured content with IAM