IT Security Guru

Problem with privileged users should be reversed to show benefits

by The Gurus
June 19, 2014
in Editor's News

The problem with privileged user access is caused by “super” user accounts that are generally shared by IT staff members to perform their job.
 
Speaking at the Identity Management conference in London, Jitender Arora, information and security risk executive in the financial services industry, said that users often need access to do their job and this means full access for individual accounts. However, this problem is compounded by the number of orphan and dormant accounts left in the environment due to a lack of effective account management processes.
 
He claimed that users often need privileged access to production IT assets to do their job on a daily basis, and applications also need privileged accounts on systems to run as a service or to connect to other systems or databases for machine-to-machine communication. But the problem is that the number of privileged accounts on systems has grown significantly, posing the challenge of effective management of the “Keys to the Kingdom”.
 
“Every IT asset needs at least one privileged account to run and every application installed on that IT asset also needs at least one privileged account to run as a service,” he said. “Any typical global organisation would have approximately 20,000+ IT assets, which means 40,000+ accounts minimum. Now, there are human users who manage these environments and they also need access to these IT assets. If you add up the numbers it becomes a monster figure.”
 
He said that it is easy to give super-user access to every person who manages IT assets because it is simple that way, but it gets really complicated and difficult to implement if you want to give individual restricted access based on the principles of least privilege and segregation of duties.
 
Arora admitted organisations are finding it difficult to keep track of who is coming in, who is moving and who is leaving the organisation, and to modify access accordingly, but said that the best action is not to change the access controls on systems too much because of movement in the user space.
 
“The number of accounts is up and down, and when someone leaves you have the potential of orphan and dormant accounts. The knowledge of passwords for such orphan and dormant privileged accounts adds to this problem and complicates the issue,” he said.
 
He said that everybody joining the organisation is given a laptop or desktop with a standard set of controls, i.e. data leakage controls, proxy controls, email encryption and laptop encryption, and that these controls are fit for purpose for the day-to-day work conducted by all users, e.g. checking emails, attending meetings and creating documents. However, a subset of the user population needs privileged access to the IT systems running the business applications that earn money for the organisation.
 
“These standard controls are not adequate for such privileged access while accessing production systems,” he said.
 
“You need a flexible mechanism to elevate controls (based on risk) when a user needs to log on to the production system in the privileged capacity. These controls can be adapted based on the level of risk by creating a fine balance between convenience and security. It’s very difficult to control how and when users access production systems unless we take the knowledge of credentials away. The future of privileged access management is providing access on a need-to-use basis with different levels of controls based on the risk associated with the type of access.”
 
Asked why privileged user access is still a problem in 2014, Arora said: “A lot of the problems are in that we need to make too many changes to the production systems due to movement of users in the IT organisation. We don’t need to be making so many changes just because someone joins, moves or leaves the IT support organisation.
 
“We need a standard set of privileged accounts with granular access on production systems that are well controlled and managed, and a mechanism to provide access to these accounts to privileged users on a need-to-use basis. If we can achieve this, we have a better chance of managing the ‘Keys to the Kingdom’.”
 
Hans Zandbelt, senior technical architect at the CTO office at Ping Identity, said that rather than see it as an ongoing problem, we should look at reversing the situation to realise how privileged user access can be seen as a benefit for the company.
 
In another presentation, David Higgins, professional services manager for UK and Ireland at Cyber Ark, said: “According to Mandiant, 100 per cent of breaches involved stolen credentials and they were typically privileged that allow you to do whatever you want to do. When it is privileged, it is access to more information and Edward Snowden accessed the agent roster, and the privilege that he had was something they needed to focus on when a user gets access and when it is used.
 
“Everyone has got a good grasp on the end-user, but not on privileged accounts, and what was created for a project may not be properly documented. Understand what is out there and when passwords changed, they may be ten years old, but if you understand the scope you can understand what to remove and manage.”
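
The inventory check the speakers describe (orphan accounts, dormant accounts and passwords that have not changed in years) can be sketched as a reconciliation of the privileged-account list against the staff roster. This is an added example, not code from the article or from any vendor named in it; the account names, roster, field names and the 90-day and 365-day thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): one row per privileged account.
ACCOUNTS = [
    {"name": "root@db01", "owner": "alice",
     "last_login": date(2014, 6, 10), "pw_changed": date(2014, 5, 1)},
    {"name": "svc_backup", "owner": "bob",
     "last_login": date(2014, 6, 18), "pw_changed": date(2004, 3, 15)},
    {"name": "admin_proj_x", "owner": "carol",
     "last_login": date(2013, 1, 5), "pw_changed": date(2012, 12, 1)},
    {"name": "oracle@erp", "owner": None,
     "last_login": date(2014, 6, 1), "pw_changed": date(2014, 4, 1)},
    {"name": "svc_legacy", "owner": "alice",
     "last_login": None, "pw_changed": date(2014, 2, 1)},
]
ACTIVE_STAFF = {"alice", "carol"}  # constructed roster; "bob" has left


def audit(accounts, active_staff, today, dormant_days=90, max_pw_age_days=365):
    """Return {account name: [flags]} for accounts that need review.

    orphan         -> no owner recorded, or the owner is no longer on the roster
    dormant        -> never used, or not used within dormant_days (assumed value)
    stale_password -> password older than max_pw_age_days (assumed value)
    """
    findings = {}
    for acct in accounts:
        flags = []
        if acct["owner"] not in active_staff:
            flags.append("orphan")
        last = acct["last_login"]
        if last is None or (today - last).days > dormant_days:
            flags.append("dormant")
        if (today - acct["pw_changed"]).days > max_pw_age_days:
            flags.append("stale_password")
        if flags:
            findings[acct["name"]] = flags
    return findings


if __name__ == "__main__":
    for name, flags in audit(ACCOUNTS, ACTIVE_STAFF, date(2014, 6, 19)).items():
        print(f"{name}: {', '.join(flags)}")
```

Accounts flagged both orphan and stale_password are the first candidates for removal or credential rotation, since a departed owner may still know a password that has not changed.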

Tags: IAM, Identity