Edward Snowden's revelations regarding the NSA's spying activities may have forced more IT security professionals to reconsider the issuance of administrator rights at their organizations, but a recent survey suggested those companies aren't necessarily taking action on those concerns.
Snowden, who worked as a systems administrator through defense contractor Booz Allen Hamilton at a National Security Agency (NSA) facility in Hawaii, gained notoriety after he released a slew of secret documents. His access to the documents, which exposed NSA programs such as PRISM, reportedly was gained through a file-sharing location on NSA networks. Due to his security clearance and the nature of his position, alarms were never raised when Snowden downloaded the sensitive documents that he later leaked. Among the security community, Snowden has come to be synonymous with the much-discussed risks of insider threats.
With Snowden's leaks serving as a backdrop, Manchester, U.K.-based privilege management vendor Avecto decided to explore just how many organizations were taking action with regard to administrative privileges. Avecto asked 348 security pros at the 2013 McAfee FOCUS event whether the Snowden news had made them reconsider how administrator rights are distributed at their own companies. Fifty-two percent of respondents said they had reassessed their privilege management policies, but only 27% of those surveyed had actually made any alterations to administrator rights policies since the NSA breach.
Even worse, half of respondents indicated server administrators posed at least a moderate security risk, yet 80% acknowledged they were unaware of how many server admins were running with administrator rights.
Avecto co-founder Paul Kenyon said Snowden's leaks had led to more discussion around reassessing privilege management policies, but he was left surprised by the survey results.
"We were acutely aware of the fact that this was a big problem," Kenyon said. "What we weren't aware of necessarily was that organizations also accept this is a problem, but they're not prepared at the moment to do much about it."
Kenyon said it's not difficult to understand where the problem with administrator rights originates. Simply put, users of all sorts need local admin rights to install and run applications, as well as to change many settings that would otherwise be locked down. The issue of scope creep is particularly problematic in larger organizations, where users will often be granted local admin rights for a particular project and never have them revoked, he said.
The idea of least privilege dates back to at least 1977, when the U.S. Department of Defense started its computer security initiative, but for most organizations, Kenyon said, the concept has really only taken root in the last few years. The slow transition away from the soon-to-be-unsupported Windows XP operating system to Windows 7 has actually served as a real moment of opportunity to reconsider privilege management policies, he noted. Unfortunately, many organizations continue to run into the same basic problems when attempting to rein in elevated privileges.
A willing organization could take a "sledgehammer approach" to administrator rights tomorrow, according to Kenyon, but then it would have to deal with a messy aftermath. First, there would be a deluge of calls to the help desk asking why certain applications or settings were no longer functional. Worse, though, many users who require certain applications as part of their work roles would no longer have access, leaving them in the lurch unless admin rights are granted again.
"You're going to have a whole series of activities users will need to do that require admin rights that you may have to deal with on a case-by-case basis," he said. "There's no quick and easy way of understanding why it is that users have admin rights. You can kind of spot who has got them, but you might not necessarily understand why they've got them. And that's a deeper problem…"
The technology to enable organizations to take a more granular approach to privilege management exists, Kenyon claimed. For example, there are products that allow admin rights to be granted to users for individual applications, as opposed to the blanket access given by many companies. Many organizations are either unaware such technology exists or, when made aware, simply don't budget for privilege management controls unless mandated to do so by compliance regulations.
More than anything, Kenyon said these attitudes around privilege management need to change.
"Organizations need to accept this is part of their security defense-in-depth approach to ensuring their organization is as protected as it possibly can be," Kenyon said. "We have to manage our privileges. We have to ensure people are getting the necessary set of privileges, not too few and not too many."