Over the past few months, we’ve learned more than we ever expected about government surveillance. A single act by IT systems administrator Edward Snowden has launched thousands of headlines. In this case, the system administrator in question was a government contractor, but the concept applies to organizations of every size and industry that allow network access to “trusted insiders.” The act – an insider using elevated privileges to access, copy and remove sensitive data – demonstrates just how catastrophic a few keystrokes and clicks can be. Clearly the impact of the NSA incident is amplified given the subject matter; however, all organizations, both commercial and government entities, can look at this as a lesson in mitigating the damage that “trusted insiders” are capable of.
When is a trusted insider not to be trusted?
If the parties to the Snowden leak had known how to answer that question, you wouldn’t be reading this article today (well, you actually might, but the examples would be different). The truth is that trusted insiders will always be necessary as a core part of IT operations.
Elevated privileges on systems allow key tasks to be undertaken, the types of tasks that keep the business running (such as maintenance and support, upgrades and improvements, as well as backups and recovery). Systems administrators must be given the tools to execute these critical tasks to ensure transactions process, records transmit and business flows.
At the end of the day, a healthy portion of IT operations, security and compliance comes down to minimizing risk to those operations. This concept drives security strategies, remediation plans and usage guidelines. It should also drive how access and privileges are granted.
You’re probably thinking, “this is what CIOs and CISOs get paid for.” Typically, I’d agree with you. However, Edward Snowden renewed corporate interest in just how much access insiders are granted, an interest that reaches all the way to the CEO. According to a recent Cisco study, “thirty-nine percent of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers.” This is a pretty compelling argument for the need for greater internal controls when it comes to access to systems that house sensitive data.
Not a CEO? Keep reading; this concept applies to anyone responsible for security and risk avoidance in their organization, which is to say, everyone. Here’s how I break it down:
What the CEO needs to know about the insider threat
1. If you can’t measure it, you can’t manage it
Everyone knows this to be true about financials, sales, marketing measurement, etc. But it is also true of the elevated privileges granted within your IT infrastructure. Unless you have a complete view of the rights doled out to employees, partners, even contractors (see below), there’s little chance of appeasing the auditors when it comes time to file compliance paperwork. Many organizations leverage their directory infrastructure to manage this at a corporate level, but local system accounts on critical servers – especially those based on open source operating systems – and endpoints must also be accounted for.
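One concrete way to build that complete view for the local accounts on a Linux server, as an added example that is not from the original article or from BeyondTrust: it cross-references /etc/passwd, /etc/group and /etc/sudoers (constructed samples embedded inline; the accounts and groups are made up) and lists every account with root-equivalent rights together with the reason it holds them.

```python
# Constructed stand-ins for /etc/passwd, /etc/group and /etc/sudoers.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc_backup:x:1004:1004:Backup service:/var/backups:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:bob
"""
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def _fields(text):
    """Yield the ':'-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")

def privileged_accounts(passwd, group, sudoers):
    """Map every account holding elevated rights to the reasons it holds them."""
    reasons = {}
    def add(user, why):
        reasons.setdefault(user, set()).add(why)
    # Any uid-0 entry is root, whatever name it was given.
    for f in _fields(passwd):
        if f[2] == "0":
            add(f[0], "uid 0")
    members = {f[0]: set(filter(None, f[3].split(","))) for f in _fields(group)}
    # Sudoers grants: a '%name' rule grants to a group, anything else to a user.
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        who = line.split()[0]
        tag = " (NOPASSWD)" if "NOPASSWD:" in line else ""
        if who.startswith("%"):
            for user in members.get(who[1:], ()):
                add(user, f"sudo via group {who[1:]}{tag}")
        else:
            add(who, f"direct sudoers entry{tag}")
    return {user: sorted(why) for user, why in sorted(reasons.items())}
```

Run against real files, the output is the server-level inventory an auditor asks for; the second uid-0 entry and the passwordless service grant are exactly the rows a directory-only view never shows.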
2. Contractors are just like the Cloud – the risk is real
Contractors are great, aren’t they? They don’t hit the budget like a regular full-time employee does and can be more cost effective for specific projects than temporarily allocating an existing resource. In that way, they’re like the cloud, a virtual asset, if you will. Just like a virtual server, the risk of that asset must be accounted for, just as if it were sitting in your data center.
The same is true when it comes to contractors and the rights they are given. Steps need to be taken to ensure they are given access and rights only for the tasks at hand. If they are working on a system with sensitive data, do they require access to the data itself? Being able to granularly dole out access to complete tasks on critical systems is an absolute must, as Ed Snowden has shown us all too well.
3. Big Brother can be a best friend
Just as customer service calls are often recorded for quality control and training, the tracking and capture of activities taken with elevated privileges is a great training tool, especially when it comes to bringing on new resources working on critical systems. It also serves as proof-positive control for internal and external auditors. If there’s ever a question of who did what, when and why, the audit trail exists and is readily available. This saves valuable time when determining what systems might have been breached and what types of data have been accessed.
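An added example (not from the article or from BeyondTrust) of answering the who-did-what-when question from that audit trail: it parses sudo syslog lines in the format sudo writes to auth.log, keeps both the commands sudo allowed and the ones it refused, and pulls out every privileged command that touched a sensitive directory. The log lines are constructed; the hostname, users and paths are assumed.

```python
import re

# Constructed auth.log excerpt in sudo's syslog format; the CRON line is
# there to show that unrelated records are skipped.
AUTH_LOG = """\
Jun  5 09:12:41 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jun  5 09:40:03 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=postgres ; COMMAND=/usr/bin/pg_dump -f /tmp/hr.sql hr
Jun  5 10:05:17 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cp /srv/hr/salaries.csv /media/usb/
Jun  5 10:06:52 db01 sudo:    alice : TTY=pts/0 ; PWD=/srv/hr ; USER=root ; COMMAND=/usr/bin/less /srv/hr/salaries.csv
Jun  5 10:30:00 db01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_log(text):
    """Turn sudo syslog lines into audit records; non-sudo lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # A refused command is still part of the trail: it shows intent.
        rec["allowed"] = rec.pop("denied") is None
        records.append(rec)
    return records

def touched(records, sensitive_prefix):
    """(when, who, as whom, allowed?, command) for every privileged command
    whose arguments or working directory fall under the sensitive path."""
    hits = []
    for rec in records:
        args = rec["cmd"].split()[1:]
        under = any(a.startswith(sensitive_prefix) for a in args)
        if under or rec["pwd"].startswith(sensitive_prefix):
            hits.append((rec["ts"], rec["user"], rec["runas"],
                         rec["allowed"], rec["cmd"]))
    return hits
```

With the sample, the refused copy to removable media and the later read of the same file both surface in one query, which is the timeline an investigator wants before deciding which systems and data were actually reached.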
4. Cutting through the noise
For an organization with systems in the thousands (or hundreds of thousands), a critical requirement for any risk-reduction exercise is the ability to boil information down into actionable decisions. Without a comprehensive reporting and analytics strategy to help identify and manage your elevated privileges, critical gaps might be exploited, or worse, efforts could be focused in the wrong areas, wasting time and money without any greater security as a result.
Organizations should gravitate toward solutions that deliver context about their insider risk, in conjunction with the external threats and vulnerabilities that can heighten the impact of a single act. Imagine if Edward Snowden were your employee or contractor. Do you know where in the enterprise he is operating and what applications he has access to?
Kevin Hickey is President and CEO of BeyondTrust, a global provider of enterprise security and compliance solutions. Previously, Kevin was CEO of eEye Digital Security, an early pioneer in Vulnerability Management. Before that, he was CEO of NetPro, a leader in Active Directory security and compliance.