A large number of enterprises have not implemented automated server access controls, exposing themselves to risks ranging from insider fraud and corporate espionage to regulatory compliance issues and even nation-state sponsored attacks, according to a recent report by information security research firm Echelon One and enterprise access management specialist Fox Technologies.
When it comes to digital security, many organizations focus their efforts on securing the perimeter with border routers, firewalls, VPNs and so on. But while such solutions are an essential component of security, they do little to thwart an attacker that manages to breach the perimeter or to stop a malicious insider for that matter. The next step is to implement granular privileged user access controls that limit users' access to only the enterprise servers and data they need to do their work.
But while many organisations take some steps to restrict user access, the report found the majority of organisations rely on home-grown solutions (12 percent), sudo (10 percent) or manual enforcement of privileged user access and passwords (37 percent) to control access to their enterprise servers.
All of these methods, says Echelon One CEO Bob West, expose the organization to insider fraud, corporate espionage and nation-state-sponsored attacks. Enterprises responding to the survey also reported implementation of outdated access management technologies, which allows the theft and misuse of intellectual property and customer data once the network is compromised.
"When you manage things at scale, if you're not automating processes, it's not possible to protect information consistently," says West. "If you're depending on manual processes in terms of managing thousands of servers, it's close to impossible to manage things consistently."
Managing enforcement of privileged user passwords manually allows users to take administrative shortcuts - such as sharing privileged passwords - that result in IT's inability to track the actions of any specific user to an account. That, in turn, makes forensics next to impossible when a breach does happen, and can also make it extremely difficult to prove that sensitive information is properly safeguarded during a compliance audit.
Manual enforcement leads to access creep
Manual enforcement can also lead to "access creep" in which employees who have been with an organization for long periods of time accrue permissions, even though they may no longer be relevant to their current positions. Without automated access management and centralised access management policies it becomes next to impossible to ensure that rights are managed appropriately as employees shift roles within the organisation. And the report found that 76 percent of organisations are unable to automatically administer user accounts across multiple servers. Without that ability, IT is usually lacks the resources and staff to manually administer each individual user account within the organization, making access creep inevitable.
West points to Jérôme Kerviel, the rogue trader at French bank Société Générale, who in early 2008 was discovered to have executed fraudulent transactions that cost the bank more than $7 billion. Kerviel began his career in the bank's compliance department before moving to a research group and finally a trading group. He retained the access rights he had in each of his roles and was able to leverage that access to hide his fraudulent trades, West says.
The survey also found that 73 percent of organizations are unable to centrally define the access rules and policies necessary to map access to employee roles, creating the opportunity for user access controls to change from server to server. That, says West, is a recipe for data compromise.
Additionally, the survey found that 42 percent of organisations are unable to implement multi-factor authentication-like biometrics and smart cards - and 37 percent lack the capability to define and enforce granular authorisation rules. Subhash Tantry, CEO of FoxT, says the inability to automatically authorise and enforce who can access which servers, and the commands they can execute based on the context of the request, leaves enterprises open to the risk of a data breach.
"Enterprises lack the critical infrastructure to enforce server access," Tantry says. "A lot of people are focused on perimeter control, and rightfully so due to the large number of outside attack vectors. But they forget that if a breach does occur, what does it give you access to?"
The silver lining to all this, Tantry says, is that organisations are getting wise to the need for access controls. The survey found that more than two-thirds of respondents plan to invest in access management technologies in 2012 as part of their strategic IT initiatives. The survey found that 25 percent of respondents plan to invest in controlling access to virtual and cloud-based resources; 23 percent plan to invest in local Windows account-control on servers and desktops; 23 percent plan to invest in controlling access from mobile devices; 17 percent plan to invest in controlling access to business applications; and 12 percent plan to invest in attribute-based access management.
"They've invested in authentication," Tantry says. "Now they're looking at authorisation. It's really authorisation that is the next wave. Just because someone has been authenticated, that doesn't necessarily mean they should have access to everything."
Best practices for privileged access management remediation
To get your organisation's access management under control, Tantry says you should follow five best practices for remediation:
1. Automatically enforce privileged user access with proactive, granular authorisation and command controls
2. Add access management to Active Directory, Lightweight Directory Access Protocols (LDAP) and Identity Management solutions to automate creation and removal of user accounts
3. Deploy integrated, contextual, multifactor authentication that can prevent access to a particular server even if a user is authenticated
4. Use the richest tools possible to authenticate users (biometrics, encryption and others)
5. Centralise account administration and manage access accounts across all server environments (Windows, Unix/Linux and virtual)