April 2017 Digital Edition

Click Here

March 2017 Digital Edition

Click Here

Feb. 2017 Digital Edition

Click Here

January 2017 Digital Edition

Click Here

Nov/Dec 2016 Digital Edition

Click Here

Oct 2016 Digital Edition

Click Here

Technology Sectors

Market Sectors

The Do's and Don'ts of privileged user access control

By Ken Ammon

A number of high profile security incidents over the last year have proven, yet again, that privileged users -- administrators, contractors, and others with system-level access to IT infrastructure -- are a critical element of an organization's overall risk profile. The widely-publicized Edward Snowden incident, like Wikileaks before it, revealed the shear volume of data a dedicated insider with trusted access can extract. Within the commercial sector, the breach of retailer Target's point of sale system has impacted as many as 70 million Americans, one of the largest such incidents ever.

These breaches reinforce the criticality of a renewed focus on insider threats across the federal sector. Last year's update to the National Institute of Standards and Technology's Special Publication 800-53 included several additions addressing privileged user risks. Reports from the DHS indicate phase two of their $6 billion Continuous Monitoring cybersecurity program will expand focus to encompass insider threats. DoD instructions and reference architectures already incorporate multiple privileged user controls, and we can expect continued attention as that organization moves to create procurement controls for cloud-based IT services.

Privileged access control Do's and Don'ts

While a comprehensive set of insider threat controls can span volumes, it's possible to identify a focused set of "Do's and Don'ts" that will reap substantial returns in both risk reduction and enhanced compliance.

Do begin with passwords, and other privileged credentials like SSH keys. While credential management is its own unique discipline, passwords often serve as a proxy for access control. Obtaining the password is often the only limit established for accessing sensitive systems. And since credentials are often poorly managed and controlled, so is access control. Eliminate insecure storage methods like spreadsheets, and move to an encrypted vault with management capabilities to get credentials out of harm's way. Don't forget about credentials embedded in applications and systems, or those used in DevOps and other automated approaches to managing cloud-based infrastructure.

Don't combine authentication and authorization as a single activity. The federal government took an early leadership position in this area with directives such as HSPD-12 and OMB 11-11, requiring smart card-based multifactor authentication for administrative access. So, do ensure authentication and authorization are standalone activities. Authorization to access specific systems -- and even fine-grained permissions over specific commands on those systems -- should be based on an individual's roles and responsibilities. Those limits should only be established after a user has been positively authenticated.

Do ensure privileged access controls support full attribution of individual user activity. Failure to do so has lead to numerous POAM and audit findings. The issue is that shared administrative accounts, such as root, are common as a result of both convenience and system limitations. But shared accounts mask an individual user's activity. That complicates audits and forensic investigations and makes it easier for a malicious user to escape detection. Do make sure actions taken by an individual using a shared account are traceable to that specific person.

Do adopt real-time monitoring of administrative activity, with proactive protections for sensitive resources. Once established, limits on system access and authority must be enforced.

And finally, do provide for full logging and recording of administrative sessions of all types -- desktop, terminal or command shell, and management application programming interface. Ready access to such comprehensive records is crucial in supporting audit inquiries and incident response. And it can pay dividends in tasks like training and quality control.

The bottom line

While external attacks are more common, research has demonstrated attacks by insiders can be far more damaging to an organization and mission. And continuing incidents reveal that while trust is an essential element of privileged user access control, trust can be misplaced and abused. For those reasons, a sharp focus on privileged user access controls is essential -- and has the potential to pay big dividends in reducing risk and improving compliance. Attention to a straightforward set of activities and controls, like these, can move an organization far down the path to secure computing.

Ken Ammon is the chief strategy officer at Xceedium, a provider of next-generation privileged identity management. He specializes in security issues relating to the federal government and commercial industries.


Recent Videos

HID Global is opening the door to a new era of security and convenience.  Powered by Seos technology, the HID Mobile Access solution delivers a more secure and convenient way to open doors and gates, access networks and services, and make cashless payments using phones and other mobile devices. ...
Mobile device forensics can make a difference in many investigations, but you need training that teaches you how to get the most out of your mobile forensics hardware and software, and certifies you to testify in court. Read this white paper to learn how to evaluate mobile forensics training...
PureTech Systems is a software company that develops and markets PureActiv, its geospatial analytics solution designed to protect critical perimeters and infrastructure.  Its patented video analytics leverage thermal cameras, radars and other perimeter sensors to detect, geo-locate, classify, and...
PureTech Systems is a technology leader in the use of geospatial video, focusing on perimeter security.  When combining geospatial capabilities with video analytics and PTZ camera control, managers of critical facilities can benefit by allowing the video management system to aid them in the process...