Data breaches are still happening, so another approach is needed.
Unfortunately, most security measures add barriers to doing business, and bigger and better firewalls aren’t helping either.
The weakest link
Staff are the weakest link in your security chain. This leads to more rules constraining user behaviour, which in turn leads to more users bypassing the system. It’s not just your employees you need to worry about either; it is those you outsource to as well.
Data is not necessarily where you left it. There are copies in different forms because people needed it quickly and IT couldn’t respond fast enough. Your data is in other places – in the cloud – because of shadow IT and because consumer-grade applications are being used for business purposes.
The ‘least privilege’ model
The principle is that staff are given the minimum privileges required to fulfil their tasks. In practice it means they hold all the privileges needed for their most sensitive task, whether or not they are performing it at the time.
Identity In – Role Out
Businesses instead need to understand that they can’t educate all the people all of the time, and should take a proactive approach based on privileged access. Businesses must map staff to identities and then map identities to roles. Known as Identity In – Role Out, this brings important security benefits.
Firstly, you can control which roles give people access to systems, applications and devices. Secondly, people instinctively protect their identity. This effect is even stronger where Privileged Access Management (PAM) is non-idempotent, by which we mean that only one instance of an identity is allowed at a time: if you share your identity, you can’t get your own work done.
This also deals with applications that have only one password, or a limited number of accounts. In particular, it covers the cases where you need to grant access to a vendor or third party: simply map their identity to the administrative role of the required system and the associated task. Once the task is complete, you disable the connection.
By managing systems this way you’re not affecting anyone else’s access. You haven’t needed to change a password, or inform anyone else about password changes. You also have an audit trail.
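As an added example (not Osirium’s code, and not a description of their appliance), here is a small Python model of the Identity In – Role Out idea described above: a vendor identity is mapped to an administrative role on one system for a bounded task, a second concurrent use of the same identity is refused, and the audit trail names the identity rather than a shared account. All names and the minute-based clock are constructed for illustration.

```python
# Added example (not Osirium's code): a minimal "Identity In - Role Out"
# broker. Identities, roles, targets and the integer clock (minutes into a
# shift) are constructed for illustration.

class AccessBroker:
    """Maps an identity to a role on a target for a bounded task window.

    The identity never learns the target's credential: the broker decides
    which role the target sees and logs every decision against the person.
    """

    def __init__(self):
        self.grants = []      # identity -> role on target, with expiry
        self.sessions = {}    # identity -> target: one live session per identity
        self.audit = []       # (clock, identity, event, role, target)

    def grant(self, identity, role, target, now, minutes):
        """Map an identity to a role on a target until now + minutes."""
        g = {"identity": identity, "role": role, "target": target,
             "expires": now + minutes, "active": True}
        self.grants.append(g)
        self.audit.append((now, identity, "GRANT", role, target))
        return g

    def revoke(self, grant, now):
        """Disable the mapping once the task is done; no password is changed."""
        grant["active"] = False
        self.audit.append((now, grant["identity"], "REVOKE", grant["role"], grant["target"]))

    def connect(self, identity, target, now):
        """Return the role the target will see, or None if access is denied."""
        if identity in self.sessions:
            # Non-idempotent identity: a second concurrent use is refused, so
            # lending your identity to someone else stops your own work.
            self.audit.append((now, identity, "DENY_DUPLICATE", "-", target))
            return None
        for g in self.grants:
            if (g["identity"] == identity and g["target"] == target
                    and g["active"] and now < g["expires"]):
                self.sessions[identity] = target
                self.audit.append((now, identity, "CONNECT", g["role"], target))
                return g["role"]
        self.audit.append((now, identity, "DENY_NO_GRANT", "-", target))
        return None

    def disconnect(self, identity, now):
        target = self.sessions.pop(identity, None)
        if target is not None:
            self.audit.append((now, identity, "DISCONNECT", "-", target))
        return target
```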
Passwords (when mixed with humans) are not working
Privileged Access Management (PAM) is ultimately about controlling access to systems, devices and applications at administrative levels. It is often thought of as a single sign-on (SSO) mechanism, but more enlightened companies now see Privileged Task Automation as an important service, because a task can be delegated without the user needing access to a privileged account.
We need PAM because security based on human password knowledge isn’t working. At the 2017 PCI conference, for example, we learned that card data fraud has a split of roughly 26% internal and 74% external.
You’ll notice that we’ve dealt with people and key operational issues first. Now we can address the least privilege model: allowing people only the privileges they need to do the job, at the time they need access.
The ‘least privilege’ model in practice
For staff like SysAdmins and DevOps engineers, PAM does most of what is needed. There are better ways to implement the least privilege model, however. The key is not to allow direct login unless absolutely necessary.
The alternatives are:
Mapped Application – where only the window(s) of the required applications are mapped to the user’s workstation. There is a single sign-on, and the identity-to-role mapping is made on a virtual system. This means that the user doesn’t need to have the application or data available locally either. This reduces the number of access routes to the data and avoids data copying. It’s also a key tool in managing legacy applications with known security or dependency issues: these applications can be secured on known systems with known dependencies installed.
Privileged Task Automation – also known as Robotic Process Automation. This is essentially where one delegates the task, not the privilege. It is the best way of implementing the least privilege model. Tasks can be controlled, as can the task inputs – a major advantage in reducing human error. This degree of automation is one of the rare times that security helps to save time, reduce errors and get more business done. Automation also removes the chance for meddling in the system.
Input errors and folklore fixes – a customer case study
We worked with a customer with an extensive ‘follow the sun’ help desk model. Help desk operators seemed to develop a random folklore as to what would solve customer issues. At that point they had direct access to the application, which had over 288 data entry fields. Client services only used about 90 of these parameters, but not necessarily the same parameters for every client.
Time lost to input errors and folklore fixes could spiral out of control on some shifts. In some instances, this meant senior SysAdmins had to be woken in the middle of the night to restore critical services.
Using a combination of the available API and virtual browser-driving techniques, we were able to template twenty or so of the most common tasks. The client parameters were then locked into the tasks. The issue rate dropped from ‘failures per shift’ to ‘failures per month’.
Yet that wasn’t the greatest benefit. Tasks running quickly and error-free meant the help desk made significant improvements in ‘first call resolution’. The mobile nature of clients made returning calls difficult, so any incident requiring a callback was costly. Dealing with issues and changes at the point of the first call improved customer satisfaction. It also had a direct benefit to operating costs.
There were further benefits from the time savings too. The team were able to automate the more common billing queries so that the help desk could deal with other enquiries in any time zone.
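As an added example (not the customer’s or Osirium’s code), here is a Python task template in the spirit of the case study above: the client parameters are locked by the template owner, the operator can fill in only the fields the task exposes, each value is validated before anything runs, and the audit entry records the operator rather than the privileged account. The field names, patterns and client values are constructed for illustration.

```python
import re

# Added example (not the customer's or Osirium's code): a task template that
# delegates the task, not the privilege. Field names, patterns and client
# values are constructed for illustration.

class TaskTemplate:
    """A privileged task whose client parameters are locked by the template owner.

    Operators see only the few fields the task exposes; everything else is
    fixed, so nobody can 'fix' a fault by guessing values in unused fields.
    """

    def __init__(self, name, locked, exposed):
        self.name = name
        self.locked = dict(locked)     # client-specific values, not operator-editable
        self.exposed = dict(exposed)   # operator field -> regex it must match
        self.audit = []                # (operator, outcome)

    def build(self, operator, operator_input):
        """Validate operator input, merge the locked values, record who asked."""
        errors = []
        if set(operator_input) & set(self.locked):
            errors.append("attempt to override locked fields")
        unknown = set(operator_input) - set(self.locked) - set(self.exposed)
        if unknown:
            errors.append(f"fields not exposed by task: {sorted(unknown)}")
        for field, pattern in self.exposed.items():
            value = operator_input.get(field)
            if value is None:
                errors.append(f"missing field: {field}")
            elif not re.fullmatch(pattern, value):
                errors.append(f"invalid value for {field}")
        if errors:
            self.audit.append((operator, "REJECTED: " + "; ".join(errors)))
            raise ValueError("; ".join(errors))
        # Locked values are merged last so they always win.
        payload = {f: operator_input[f] for f in self.exposed}
        payload.update(self.locked)
        self.audit.append((operator, "OK"))   # the operator, not the shared account, is logged
        return payload   # handed to the privileged connector, never to the operator


# Constructed template: two exposed fields out of an application with many more.
RESET_DATA_BUNDLE = TaskTemplate(
    "reset-data-bundle",
    locked={"client_id": "CLIENT-042", "tariff": "ENT-3", "region": "eu-west"},
    exposed={"msisdn": r"\+44\d{10}", "ticket": r"INC\d{6}"},
)
```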
Reducing the burden of audits
Audits should reveal who has accessed what and when. In reality, however, they reveal which account was used. Most CISOs know that the most worrying attack vectors are internal. They are hard to prevent and harder to spot, since the attackers often use legitimate access methods. Privileged Task Automation solves the bulk of the associated lower-level issues.
This is also where Privileged Session Recording helps. It works by recording the windows and keystrokes of applications. The recordings are then checked, which makes it very obvious if something has been changed or is missing.
Knowing that all actions are recorded is probably the best deterrent you can get. The return on investment does not end there: along with Privileged Access Management, it is a great tool for reducing the burden of audits.
If you can prove who has access to what, and in which role, you can be sure of when they accessed the system and what they did.
So, firewalls are still required, but these days they are a smaller part of the security story.
Privileged Access Management, Privileged Task Automation and Session Recording all work beautifully in concert. Overall, security is improved, business is done faster and more effectively, and SysAdmins get a good night’s sleep.
Osirium is a UK software development team that has pioneered the concept of a virtual air gap for privileged account access. Our team have delivered a virtual appliance that can recognise an incoming identity and create a connection to a system, device or application – performing single sign-on and enterprise-class password lifecycle management – and then hand the pre-prepared session back to the incoming request, ready for system management.