“Privileged users” – the server administrators, root users (UNIX/Linux), etc. who run and manage IT systems – are given just that: privileges to access nearly any and all aspects of a company’s IT infrastructure. It’s a requirement for their job, but it also presents a potential security risk. While these users control access and monitor authentication for everyone else, few companies take proactive steps to monitor the activity of privileged users. In essence, there is no one policing the police.
Given the nature of their elevated access, regular access control mechanisms are not sufficient to monitor privileged users’ activity. However, there are a number of alternate ways to achieve the goal.
Principle of Need-to-Know and Separation of Duties
The principle of need-to-know is simple, yet effective. Access to particular data and/or systems is provided only to those employees who need it to perform their jobs. As an example, Human Resources data is very sensitive because it may contain social security numbers, salary and benefits information, bank accounts and so on. HR department employees need to know this data; the IT staff does not. However, because privileged users have access to the servers where this data is stored, they automatically get access and can potentially misuse this data. Similarly, database administrators have access to the data stored in databases, although they don’t need to know customers’ or employees’ personal information to manage the database servers. Solutions like transparent encryption, where the encryption keys are managed by non-privileged users, are suitable for implementing the principles of need-to-know and separation of duties.
IT Security Policy and Awareness
Any reasonable information governance program includes a sound IT security policy. Ensuring that policies are well defined and are backed by standards, procedures, and training helps make sure that employees understand where to store data and who has access to it. For example, if an organization implements the transparent encryption solution mentioned above, HR associates need to be aware of which file share should be used for storing HR data so that it is safe. If they continue to use a non-encrypted storage location, the solution itself will not be of much use. Similarly, privileged users must be aware of the fact that their activity is monitored, as a deterrent to misuse.
Policy Based Encryption
Encryption accompanied by access controls is an excellent way to provide access to data on a need-to-know basis. If data is saved on servers or in databases in encrypted form, administrators will not be able to abuse it, provided the encryption keys are managed by a different group. The key to successful encryption is to make sure that separation of duties is implemented such that if an administrator has access to the encryption keys, then that person does not have access to the data, and vice versa. There are a number of encryption solutions available in the market that separate encryption management from system and database administration. Companies providing these types of solutions include Vormetric, SafeNet and Protegrity.
Centralized Logging and Monitoring
Using the principle of “trust-but-verify,” centralized log monitoring is another effective tool for limiting privileged user access. A well-designed centralized logging and monitoring system will help ensure that privileged users don’t have access to the logs, or that the logs are stored in a read-only fashion. Setting alerts for log policy violations, unauthorized access to encrypted data, or encryption key breaches assists in early detection of user abuse. Most of the SIEM (Security Information and Event Management) solutions currently available can be configured to alert on such activities.
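As an added illustration of the alert rules described above (example code written for this page, not from the article or from any of the vendor products it names), the following Python reads a few constructed audit lines and raises two kinds of alerts: a user outside the HR group reading the protected HR share (a need-to-know violation) and a user who both accessed the HR volume key and read HR data (a separation-of-duties violation). The log format, the user rosters, the key name and the share path are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit events (not from the page): "timestamp user action target"
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice key_access hr-volume-key
2024-03-01T08:02:10 bob file_read /srv/hr/payroll.xlsx
2024-03-01T08:05:33 alice file_read /srv/hr/benefits.csv
2024-03-01T08:07:45 carol file_read /srv/hr/payroll.xlsx
2024-03-01T08:09:12 bob key_access hr-volume-key
"""

HR_GROUP = {"carol"}              # assumed: users with a need to know for the HR share
PROTECTED_PREFIX = "/srv/hr/"     # assumed: the transparently encrypted HR share

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Turn the four-field audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(dict(zip(("ts", "user", "action", "target"), m.groups())))
    return events


def detect(events):
    """Return (rule, user, detail) alerts for need-to-know and separation-of-duties violations."""
    alerts = []
    key_holders = set()             # users who touched an encryption key
    data_readers = defaultdict(set) # user -> protected files they read
    for e in events:
        if e["action"] == "key_access":
            key_holders.add(e["user"])
        elif e["action"] == "file_read" and e["target"].startswith(PROTECTED_PREFIX):
            data_readers[e["user"]].add(e["target"])
            if e["user"] not in HR_GROUP:
                alerts.append(("need_to_know", e["user"], e["target"]))
    # A user who can reach both the keys and the ciphertext defeats the whole design.
    for user in sorted(key_holders & set(data_readers)):
        alerts.append(("separation_of_duties", user, sorted(data_readers[user])))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same two rules would be expressed as SIEM correlation rules over the key manager's and file server's audit streams, with the key-management roster and HR group pulled from the directory rather than hard-coded.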
Privileged users are needed for the smooth running of IT systems and databases, but they also pose a major insider threat to sensitive data. A comprehensive approach to the privacy and security of data can be implemented to prevent, detect, and alert on misuse and abuse of elevated access. Since the human element is usually the weakest link in an information security strategy, an awareness program is always necessary to augment the technical controls.