How to trust your insiders

Edward Snowden's act (an insider using elevated privileges to access, copy and remove sensitive data) demonstrates just how catastrophic a few keystrokes and clicks can be.

In the past few months, we've learned more than we ever expected about government surveillance. A single act by IT systems administrator Edward Snowden has launched thousands of headlines. In this case, the system administrator in question was a government contractor, but the concept applies to organizations of every size and industry that allow network access to "trusted insiders."

The act, an insider using elevated privileges to access, copy and remove sensitive data, demonstrates just how catastrophic a few keystrokes and clicks can be. Clearly the impact of the NSA incident is amplified given the subject matter; however, all organizations, both commercial and government entities, can look at this as a lesson in mitigating the damage that "trusted insiders" are capable of.

When is a trusted insider not to be trusted?

If the parties to the Snowden leak knew how to answer that question, you wouldn't be reading this article today (well, you actually might, but the examples would be different). The truth is that trusted insiders will always be necessary as a core part of IT operations.

Elevated privileges on systems allow for key tasks to be undertaken, the types of tasks that keep the business running (such as maintenance and support, upgrades and improvements, as well as backups and recovery). Systems administrators must be given the tools to execute these critical tasks to ensure transactions process, records transmit and business flows.

At the end of the day, a healthy portion of IT operations, security and compliance comes down to minimizing risk to those operations.  This concept drives security strategies, remediation plans and usage guidelines.  It also should drive how access and privileges are granted. 

You're probably thinking "this is what CIOs/CISOs get paid for." Typically, I'd agree with you. However, Edward Snowden renewed corporate interest in just how much access insiders are granted, an interest that reaches all the way to the boardroom.

According to a recent Cisco study, "thirty-nine percent of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers." This is a pretty compelling argument for the need for greater internal controls when it comes to access to systems which house sensitive data. 

Not a CEO?  Keep reading, this concept applies to anyone responsible for security and risk avoidance in their organization, which is to say, everyone.

Here’s how I break it down: 

What every CEO needs to know about the insider threat

1. If you can't measure it, you can't manage it

Every CEO knows this to be true about financials, sales, marketing measurement, etc. But it is also true about elevated privileges granted within your IT infrastructure. Unless you have a complete view of the rights doled out to employees, partners and even contractors (see below), there's little chance of satisfying the auditors when it comes time to file compliance paperwork. Many organizations leverage their directory infrastructure to manage this at a corporate level, but local system accounts on critical servers (especially those based on open source operating systems) and endpoints must also be accounted for.

2. Contractors are just like the Cloud - the risk is real

Contractors are great, aren't they? They don't hit the budget like a regular full-time employee does and can be more cost effective for specific projects than temporarily allocating an existing resource. In that way, they're like the cloud: a virtual asset, if you will. Just like a virtual server, the risk of that asset must be accounted for, just as if it were sitting in your data center.

The same is true when it comes to contractors and the rights they are given. Steps need to be taken to ensure that they are given access and rights only for the tasks at hand. If they are working on a system with sensitive data, do they require access to the data itself? Being able to granularly dole out access to complete tasks on critical systems is an absolute must, as Ed Snowden has shown us all too well.

3. Big Brother can be a best friend

Similar to how customer service calls are often recorded for quality control and training, the tracking and capture of activities taken with elevated privileges is a great training tool, especially when it comes to bringing on new resources working on critical systems. It also serves as proof-positive control for internal and external auditors. If there's ever a question of who did what, when and why, the audit trail exists and is readily available. This saves valuable time when determining what systems might have been breached and what types of data have been accessed.

4. Cut through the noise

For any organization with systems in the thousands (or hundreds of thousands), a critical requirement for any risk-reduction exercise is the ability to boil down information into actionable decisions. Without a comprehensive reporting and analytics strategy to help identify and manage your elevated privileges, critical gaps might be exploited, or worse, efforts could be focused in the wrong areas, wasting time and money without any greater security as a result.

Organizations should gravitate toward solutions which deliver context about their insider risk, in conjunction with external threats and vulnerabilities which can heighten the impact of a single act. 
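Points 1, 3 and 4 above come together in a simple check that any organization can run against a single server: inventory who holds elevated rights locally, read the audit trail of who actually used them, and reduce the two to a short list of things worth acting on. The code below is an added illustration written for this article, not a BeyondTrust product or anything from the original piece; the passwd, group and sudo log contents are constructed sample data, and the field layout assumes standard Linux /etc files and sudo's syslog line format.

```python
"""Cross-check a local privileged-account inventory against the sudo audit trail."""
import re
from collections import defaultdict

# Constructed sample data standing in for /etc/passwd, /etc/group and the
# sudo entries of /var/log/auth.log on one server; not taken from any real host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/sh
svc-backup:x:1003:1003::/var/backups:/bin/sh
"""
GROUP = """root:x:0:
wheel:x:10:alice,bob
sudo:x:27:svc-backup
"""
AUTH_LOG = """Sep 14 09:12:01 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Sep 14 09:15:44 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Sep 14 21:02:17 db01 sudo: carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cp /srv/records/customers.db /tmp/c.db
"""
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
                     r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def privileged_accounts(passwd, group, admin_groups=("root", "wheel", "sudo")):
    """Return {account: reason} for every local account with elevated rights:
    UID 0 logins (including second root accounts) and members of admin groups."""
    found = {}
    for line in passwd.splitlines():
        name, _, uid, *_ = line.split(":")
        if uid == "0":
            found[name] = "uid 0"
    for line in group.splitlines():
        gname, _, _, members = line.split(":")
        if gname in admin_groups:
            for member in filter(None, members.split(",")):
                found.setdefault(member, f"member of {gname}")
    return found

def parse_sudo_log(log):
    """Extract who ran what, as which user, and when, from sudo syslog lines."""
    return [m.groupdict() for m in map(SUDO_RE.match, log.splitlines()) if m]

def review(passwd, group, log):
    """Boil both sources down to what an auditor asks: who holds elevated rights,
    which grants were never used, and who used sudo without being in the local inventory."""
    granted = privileged_accounts(passwd, group)
    activity = defaultdict(list)
    for event in parse_sudo_log(log):
        activity[event["user"]].append((event["ts"], event["cmd"]))
    return {"granted": granted,
            "unused_grants": sorted(a for a in granted if a not in activity),
            "unlisted_actors": sorted(u for u in activity if u not in granted),
            "activity": dict(activity)}
```

Unused grants are candidates for removal, and an actor missing from the local inventory (here `carol`, who may be a directory account) is exactly the gap between directory-managed and local rights that point 1 warns about.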

Imagine if Edward Snowden were your employee or contractor. Do you know where in the enterprise he is operating and what applications he has access to?

Kevin Hickey is President and CEO of BeyondTrust, a global provider of enterprise security and compliance solutions.  Previously, Kevin was CEO of eEye Digital Security, an early pioneer in Vulnerability Management. Before that, he was CEO of NetPro, a leader in Active Directory security and compliance.