While there's no single fix, a number of experts weigh in on how to make certain those with privileged access don't abuse it.

While most attention today is placed on containing complex malware and outside hacking threats, enterprises could significantly improve their risk posture by taking a look at how well they manage the access they give privileged insiders, such as network and database administrators and other IT professionals. What most organizations find is that they don’t have a firm enough grip on the access these users have.

To keep sensitive information safe and to maintain regulatory compliance, it’s crucial that privileged insider access be properly managed.

“If data is highly sensitive, then monitoring should occur for those with [privileged] access,” says Mark Lobel, a principal in the advisory services division of PwC.

However, in many organizations, who should be ultimately responsible for actually performing that privileged account monitoring is a tough call. In most organizations, many experts agree, the monitoring and auditing have to remain outside the IT department. “This is another reason why we are seeing more and more CISOs reporting outside of IT. It allows them to focus on policy, governance and compliance while being independent from the system administrators,” says Lobel.

Experts maintain that the secret to successfully managing privileged user access is, like many things, part process and part technology.

“This is why we invented separation of duties and auditing. IT needs to be monitored by some combination of audit with tools provided by IT security. The important thing to remember is that IT security isn’t supposed to be playing audit any more than they are supposed to be playing HR.
Their role is to enable audit to do their jobs better just like any other business unit,” says David Mortman, an analyst at the IT security research firm Securosis.

To help enforce proper privileged user access, more enterprises are turning to a segment of the identity management market known as “privileged user management,” “privileged identity management,” “privileged access management,” or SuperUser Privilege Management tools. “SuperUser Privilege Management tools essentially allow a single trusted root administrator account to be created and then that account delegates out limited administrative privileges,” explains John Pescatore, an analyst with the research firm Gartner. “This way you only have to trust one person fully and the rest of the admins can have limited access and be fully audited.”

That privileged identity management market is expected to increase in coming years. Infiniti Research Analysts forecast the Global Privileged Identity Management market will grow at a compound annual growth rate of 24.1 percent through 2014.

However, PwC’s Lobel says technology alone won’t get the job done adequately. These practices are crucial if organizations are to properly manage the risks associated with privileged users, he says:

Regular training: The vast majority of people will do the right thing if they know clearly what the right thing is.

Split knowledge: Encrypt databases and have someone else given the ability to decrypt. This will make it easy for the honest person to stay honest and difficult for the dishonest person.

Monitor: You need to monitor and have the logs sent to a separate system to which the system administrator does not have access. When evaluating those logs, look for suspicious gaps.

Scott Crawford, an analyst with Enterprise Management Associates, says there is another aspect of privilege management that aims at managing endpoints with too high access levels set.
Rather than managing the privileged user account, these tools manage the actual access privilege settings on end points. “One of the key factors here: restricting administrative access on target systems. Personal systems have historically been configured to give the user administrative privileges, so they can install software etc. at will. This, however, is a set of privileges attackers can use to install malware or perform other malicious actions under the user’s personal privilege set,” says Crawford. Privilege management helps to rein this in, according to Crawford, by minimizing administrative privileges, discovering systems with accessible privilege exposures, and by auditing access privileges on systems so enterprises have a realistic view of those “privilege exposures.”

While enterprises can train, monitor, and segregate the duties of privileged users — and eliminate unnecessarily high access rights on end points, they’ll never fully eradicate the risk, experts say. But they’ll manage to mitigate these risks. “If someone with physical or administrative access wants to view information on a system, eventually they can gain access,” says Lobel.

So the end game may actually start at the beginning — at least with new hires. “All employees with access to sensitive data get background checks before they are hired. No exceptions,” he says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
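The log-gap review from the "Monitor" practice above, as an added example (not code from the article or from any product it mentions): it scans records held on the separate collector and flags, per host, long silences and breaks in the forwarder's sequence numbers. The line format, the `seq=` counter, the one-minute heartbeat and the three-minute threshold are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: records as stored on the separate log collector.
# Assumed format: ISO timestamp, host, forwarder sequence number, message.
SAMPLE = """\
2024-05-01T02:00:00Z db01 seq=101 heartbeat
2024-05-01T02:01:00Z db01 seq=102 sudo: dba1 : COMMAND=/usr/bin/psql
2024-05-01T02:02:00Z db01 seq=103 heartbeat
2024-05-01T02:19:00Z db01 seq=117 heartbeat
2024-05-01T02:20:00Z db01 seq=118 heartbeat
2024-05-01T02:00:30Z web01 seq=55 heartbeat
2024-05-01T02:01:30Z web01 seq=56 heartbeat
2024-05-01T02:02:30Z web01 seq=57 heartbeat
"""

LINE = re.compile(r"^(\S+) (\S+) seq=(\d+) (.*)$")

def parse(text):
    """Yield (timestamp, host, seq) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skipped here; a real pipeline should count rejects
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), int(m.group(3))

def find_gaps(text, max_silence=timedelta(minutes=3)):
    """Return per-host findings: silence over max_silence or a sequence break."""
    by_host = {}
    for ts, host, seq in parse(text):
        by_host.setdefault(host, []).append((ts, seq))
    findings = []
    for host, recs in sorted(by_host.items()):
        recs.sort()  # order by arrival timestamp
        for (t0, s0), (t1, s1) in zip(recs, recs[1:]):
            missing = s1 - s0 - 1
            silent = t1 - t0
            # missing > 0: records never arrived; < 0: counter reset or replay
            if missing != 0 or silent > max_silence:
                findings.append({"host": host, "from": t0, "to": t1,
                                 "missing_records": missing, "silence": silent})
    return findings

if __name__ == "__main__":
    for f in find_gaps(SAMPLE):
        print(f"{f['host']}: {f['missing_records']} records missing, "
              f"silent {f['silence']} from {f['from']} to {f['to']}")
```

A finding is a prompt for review by someone outside the administrator's reporting line, since a gap can also come from an outage or a forwarder restart.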