Trust but Verify

“66% [of companies] say privileged users access sensitive or confidential data because of curiosity” [1]. Maybe I’m naive, but I find this quite shocking – two thirds of users with privileged access have looked at confidential data just because they can! And it’s not only insiders deliberately doing bad things, it can be simple error – I’ve come across a case where an IT admin was supposed to block an incoming email address, and accidentally BCCed the CEO’s incoming email to that address! For three days. Just pause on that for a second. The potential damage does not bear thinking about.

It’s also an external issue: attackers target privileged users to obtain their access rights (often, these are even internal attackers [1]). And if they succeed they can impersonate anyone, read anything, reconfigure anything. Ouch. Even legitimate privileged users have huge access and extraordinary control. That’s a lot of trust.

Many organisations are deploying privileged access management (PAM) solutions. These minimise the number of people who can access a privileged system, and they can allow only temporary access when action is needed. The better PAM platforms record every action taken – think of it as a video of the privileged user’s screen. As with all aspects of security, we want to minimise the attack vectors and shrink the window for attacks – therefore PAM platforms definitely tighten things up.

However, PAM systems have two, maybe three shortcomings.

  • They restrict the convenience of accessing administration tools and managing the network. There’s no news here. We’ve been juggling security versus convenience since the first password was created. (PAM systems also cost money and time to implement – that’s the third shortcoming.)
  • A key limitation is that PAM platforms typically don’t understand what actions are being taken by the admin. They may be recording the actions, but what if that admin quietly performs a malicious reconfiguration (e.g. adding an external forwarding rule for emails) while doing something legitimate? The PAM system may record this, but if that rule isn’t spotted for months or even years (have a look at this blog post for an example), it may be close to impossible to find the recording and prove who did it. Given that most admin platforms don’t timestamp configuration updates, it may not even be possible to find out when it happened.

I should emphasise: I have nothing against Privileged Access Management systems. Where you have to protect the crown jewels, you should of course deploy the best solutions available. But at the same time, we should recognise that they are not a cure-all.

There is a second approach, which uses application-aware monitoring. The idea is that the monitoring solution has sufficient understanding to recognise that an action being taken may not be legitimate. The action can then be proactively validated, or even temporarily blocked. In the example above, when the new external forwarding rule is created, the owner of the affected mailbox, or someone in the security team, could receive an immediate alert. If the rule is legitimate, no problem. If it is malicious or an error, it can be immediately prevented.
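The forwarding-rule check described above, as an added example that is not part of the original post or of any vendor product: it scans admin audit records for parameters that redirect mail and raises an alert addressed to the mailbox owner when the destination domain is external. The log lines, the internal domain list and the simplified audit-record field names are constructed assumptions for this example.

```python
import json

# Constructed sample records, loosely modelled on Exchange admin audit events:
# UserId = the admin acting, ObjectId = the mailbox affected, Parameters = the
# cmdlet arguments. Field names and values are assumptions for this example.
SAMPLE_LOG = r'''
{"CreationTime":"2024-05-01T09:12:03","UserId":"itadmin@example.com","Operation":"Set-Mailbox","ObjectId":"ceo@example.com","Parameters":[{"Name":"Identity","Value":"ceo@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:copy@outside.example.net"}]}
{"CreationTime":"2024-05-01T09:15:44","UserId":"itadmin@example.com","Operation":"New-InboxRule","ObjectId":"ceo@example.com","Parameters":[{"Name":"Name","Value":"Archive"},{"Name":"ForwardTo","Value":"archive@example.com"}]}
{"CreationTime":"2024-05-01T09:16:10","UserId":"itadmin@example.com","Operation":"Set-MailboxRegionalConfiguration","ObjectId":"ceo@example.com","Parameters":[{"Name":"Language","Value":"en-GB"}]}
'''

# Domains we consider "inside" the organisation (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}

# Cmdlet parameters that send a copy of, or redirect, incoming mail.
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress",
                     "ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when an SMTP address belongs to a domain outside our own."""
    addr = address.strip().lower()
    if "@" not in addr:
        return False  # a directory name, not an SMTP address we can judge here
    return addr.rsplit("@", 1)[1] not in internal_domains


def external_forwarding_alerts(log_text, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per audit record that points mail at an external address.

    Each alert names the mailbox owner to notify, the admin who made the change,
    when it happened and the destination, so the owner can confirm or reject it.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        for param in rec.get("Parameters", []):
            if param["Name"] not in FORWARDING_PARAMS:
                continue
            # Values may list several targets separated by ';' and carry a 'smtp:' prefix.
            for raw in param["Value"].split(";"):
                target = raw.split(":", 1)[-1].strip().lower()
                if is_external(target, internal_domains):
                    alerts.append({"notify": rec["ObjectId"], "admin": rec["UserId"],
                                   "when": rec["CreationTime"],
                                   "operation": rec["Operation"], "target": target})
    return alerts
```

Running `external_forwarding_alerts(SAMPLE_LOG)` flags only the first record; the internal Archive rule and the language change pass silently.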

Critically, this model allows you to deploy a trust-but-verify approach to admin accounts. You don’t have to shackle admin users with additional restrictions for accessing their accounts, and you don’t have to worry that they may do something erroneous or malicious. Instead, you can allow people to get on with their jobs unhindered, confident in the knowledge that incorrect actions will be identified promptly. Given how many people have access to admin platforms – IT, sometimes outsourced IT, helpdesk, … – this approach will help you sleep a lot easier.

Looking more widely, as the opening sentence of this blog post noted, a lot of privileged users look at confidential information because they can. How can you tell when an Office 365 administrator uses their account to look at your OneDrive or SharePoint? The same applies to other collaboration platforms. The same application-aware monitoring can identify this issue too. Whenever unusual access to a library occurs (or unusual sharing is configured), alert the owner of that library. Or alert someone in security or IT.

This concept of application-aware monitoring requires detection and monitoring technology which is specific to each application protected – it is not possible to do this with generic pattern matching and AI. If you’d like to understand more about the IDECSI solution for this, please read about our Personal Security Guardian.


A few words about Ben Miller
Ben Miller is an experienced technologist and entrepreneur with a background in mathematics and software engineering. He is focused on bringing to market new technologies which change conventional thinking. Within cyber security, we have long been used to complaining about users, and driving more work into the security team. Ben’s particular focus today is technologies which challenge this approach and instead make user empowerment a key part of the cyber discussion.

[1] Ponemon Report – 2016 Cost of Cyber Crime Study & the Risk of Business Innovation
