The Do's and Don'ts of privileged user access control
By Ken Ammon
A number of high profile security incidents over the last year have proven, yet again, that privileged users -- administrators, contractors, and others with system-level access to IT infrastructure -- are a critical element of an organization's overall risk profile. The widely publicized Edward Snowden incident, like Wikileaks before it, revealed the sheer volume of data a dedicated insider with trusted access can extract. Within the commercial sector, the breach of retailer Target's point of sale system has impacted as many as 70 million Americans, one of the largest such incidents ever.
These breaches reinforce the criticality of a renewed focus on insider threats across the federal sector. Last year's update to the National Institute of Standards and Technology's Special Publication 800-53 included several additions addressing privileged user risks. Reports from the DHS indicate phase two of their $6 billion Continuous Monitoring cybersecurity program will expand focus to encompass insider threats. DoD instructions and reference architectures already incorporate multiple privileged user controls, and we can expect continued attention as that organization moves to create procurement controls for cloud-based IT services.
Privileged access control Do's and Don'ts
While a comprehensive set of insider threat controls can span volumes, it's possible to identify a focused set of "Do's and Don'ts" that will reap substantial returns in both risk reduction and enhanced compliance.
Do begin with passwords and other privileged credentials, such as SSH keys. While credential management is its own discipline, passwords often serve as a proxy for access control: obtaining the password is frequently the only limit established on access to sensitive systems. And because credentials are often poorly managed and controlled, so is access. Eliminate insecure storage methods like spreadsheets, and move to an encrypted vault with management capabilities to get credentials out of harm's way. Don't forget about credentials embedded in applications and systems, or those used in DevOps and other automated approaches to managing cloud-based infrastructure.
Don't combine authentication and authorization as a single activity. The federal government took an early leadership position in this area with directives such as HSPD-12 and OMB 11-11, requiring smart card-based multifactor authentication for administrative access. So, do ensure authentication and authorization are standalone activities. Authorization to access specific systems -- and even fine-grained permissions over specific commands on those systems -- should be based on an individual's roles and responsibilities. Those limits should only be established after a user has been positively authenticated.
Do ensure privileged access controls support full attribution of individual user activity. Failure to do so has led to numerous POA&M (plan of action and milestones) and audit findings. The issue is that shared administrative accounts, such as root, are common as a result of both convenience and system limitations. But shared accounts mask an individual user's activity. That complicates audits and forensic investigations and makes it easier for a malicious user to escape detection. Do make sure actions taken by an individual using a shared account are traceable to that specific person.
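As an added illustration of the attribution problem (example code, not from the article or from Xceedium), the following Python parses a few constructed auth.log lines: sudo and su entries name the individual behind the shared root account, while a direct login as root does not, so it is reported as unattributed. The host names, user names and log lines are all constructed for the example.

```python
import re

# Constructed sample auth.log lines (not from the article). They imitate the
# shape of OpenSSH, sudo and su syslog entries on a typical Linux host.
SAMPLE_LOG = """\
Mar  3 09:12:01 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: RSA SHA256:abc
Mar  3 09:12:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:10 host1 su[2140]: (to root) bob on pts/1
Mar  3 09:20:03 host1 sshd[2188]: Accepted password for root from 10.0.0.9 port 40110 ssh2
Mar  3 09:21:55 host1 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup
"""

# sudo records the invoking user, the target account and the exact command.
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
# su records who switched to which account, but not what they then ran.
SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")
# A direct SSH login names only the account, which for root is nobody in particular.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")


def attribute_privileged_events(log_text):
    """Split root activity into (attributed, unattributed) event lists.

    attributed:   the shared account was reached via sudo or su, so the
                  individual behind the action is recorded.
    unattributed: the shared account itself logged in, leaving no record
                  of which person was actually at the keyboard.
    """
    attributed, unattributed = [], []
    for line in log_text.splitlines():
        if m := SUDO_RE.search(line):
            attributed.append({"actor": m["actor"], "via": "sudo",
                               "target": m["target"], "cmd": m["cmd"].strip()})
        elif m := SU_RE.search(line):
            attributed.append({"actor": m["actor"], "via": "su",
                               "target": m["target"], "cmd": None})
        elif m := SSH_RE.search(line):
            if m["user"] == "root":  # direct login as the shared account
                unattributed.append({"actor": None, "via": f"ssh/{m['method']}",
                                     "src": m["src"]})
    return attributed, unattributed


def root_activity_by_person(log_text):
    """Count attributed root actions per individual; the audit view L9 asks for."""
    counts = {}
    for ev in attribute_privileged_events(log_text)[0]:
        counts[ev["actor"]] = counts.get(ev["actor"], 0) + 1
    return counts
```

The unattributed list is the gap an auditor will point to: nothing in the log ties the password login as root from 10.0.0.9 to a person.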
Do adopt real-time monitoring of administrative activity, with proactive protections for sensitive resources. Once established, limits on system access and authority must be enforced.
And finally, do provide for full logging and recording of administrative sessions of all types -- desktop, terminal or command shell, and management application programming interface. Ready access to such comprehensive records is crucial in supporting audit inquiries and incident response. And it can pay dividends in tasks like training and quality control.
The bottom line
While external attacks are more common, research has demonstrated attacks by insiders can be far more damaging to an organization and mission. And continuing incidents reveal that while trust is an essential element of privileged user access control, trust can be misplaced and abused. For those reasons, a sharp focus on privileged user access controls is essential -- and has the potential to pay big dividends in reducing risk and improving compliance. Attention to a straightforward set of activities and controls, like these, can move an organization far down the path to secure computing.
Ken Ammon is the chief strategy officer at Xceedium, a provider of next-generation privileged identity management. He specializes in security issues relating to the federal government and commercial industries.