Ghostbusting Spooky Government Security Access Practices

MJ Kaufmann


Security Specialist

Ensure Access Issues Don’t Come Back to Haunt Your Office with These 3 Access Management Best Practices

Government organizations protect the most important secrets in the world. Servers house data as benign as essential employment records and as dangerous as nuclear weapons placement. When this data is not adequately secured and managed, the consequences are more frightening than a horror movie. And a government data breach can have impacts across the globe.

Recent surveys of government organizations in the UK and the US have uncovered a disturbing number of poor security practices. According to Verizon’s latest Data Breach Investigations Report, 16% of breaches happened in the public sector, not counting healthcare. These surveys tell a story of fundamental data management failures that make any security professional want to scream. While the issues are substantial, malfeasance isn’t generally the reason they occur. The lack of proper security may be a sign of under-staffing or simply unsafe practices that grew exponentially over time.

As Cybersecurity Awareness Month comes to a close, government organizations should take a good look at their current security posture — before they become victims in the next cybersecurity horror tale. In this post, we explore three spooky security practices to look out for, and highlight ways you can ensure they don’t creep into your organization. 

Excessive Access Issues Lurk in the Dark

Bulk access to privileged data is an insidious threat stalking many government organizations. Granting data access in bulk leaves permissions hiding in the darkest caverns of government systems. Dangerous practices like this are often a sign of lazy or inexperienced IT administration. Instead of assigning permissions to individuals at a granular level as needed, IT teams often apply permissions en masse — allowing anyone in the organization to access resources so that future access requests never have to be handled.

If you want an example of this in practice, look no further than your organization's "shared drive." While it may make collaboration easier, this practice leads to segregation of duties (SoD) issues that violate compliance regulations such as Sarbanes-Oxley (SOX) or HIPAA.

According to the above survey, 36% of respondents said they did not need any privileged access to do their jobs, yet they had it anyway. This level of overprovisioning is excessive and borderline absurd when you consider what's at stake. To put things plainly, 1 out of every 3 government employees can access data they don't need. This unbridled access increases the chances of data leaks — and even breaches — if accounts become compromised or a user acts maliciously.

Access Creep is Real

Most people change jobs multiple times throughout their careers. When an employee moves within the organization or leaves entirely, the organization needs to pay close attention to that person's access privileges. An employee taking on a new role often does not require the same permissions as before, and when an employee leaves, access should be terminated immediately.

Failing to do this leads to "access creep": individuals accumulate ever-increasing permissions because access left over from previous roles within the organization is never removed. In many cases this access expands far beyond their current role and responsibilities, violates the principle of least privilege, and widens the scope of damage should their credentials be stolen.

According to a recent poll, approximately 40% of respondents said they still had access rights after changing roles or leaving the organization. This is troubling because departing employees don't always separate amicably, and lingering access increases the risk of data being stolen, destroyed, or altered. Removing terminated employees' access is a must. To avoid access creep, ensure your organization periodically reviews access rights to uncover employees who retain permissions from previous roles that are no longer necessary.

Beware of the Invisible Man

We fear most what we don't know. Not knowing (with absolute certainty) who has access to data can be scarier than any horror movie. Unfortunately, this monster skulks through government agencies' IT systems and is fed by both access creep and bulk permissions. Too often, government administrators can't identify who has access to privileged resources. Data could be sneaking out through the cracks and no one would be the wiser.

Almost 53% of users report either needing a unified view of privileged user access across the enterprise, or being able to see privileged user account information but not the entitlements those accounts hold. This blind spot leaves many organizations struggling to protect their data adequately. A government agency can hemorrhage data without even being aware of it, because the data slips outside the perimeter through a hole no one can see.

Who You Gonna Call?

The good news is that government agencies don't need an exorcist to scare away these security boogeymen. Government information security professionals can be the real ghostbusters with just a few changes. Fundamental steps such as an in-depth asset inventory, eliminating shadow IT systems, implementing automation, and moving toward a Zero Trust model can significantly reduce the number of government agencies breached annually.

Step 1: Dig Up the Bones

The first step to fixing your haunted IT system is to complete a full self-audit and an in-depth asset inventory. While tedious, this is one way to start purging excessive permissions. The process requires digging through all entitlements, verifying what access each user actually requires for their current role, and then removing any lingering or excessive permissions. Next, end the common practice of interdepartmental shared drives and make departmental directories private. These steps are a good start and work well for known systems holding confidential data, but on their own they aren't sufficient to fix an organization completely.
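The entitlement review described in Step 1, and the access-creep, orphaned-account and bulk-grant problems described in the earlier sections, all come down to the same comparison: what each user holds versus what the user's current role needs. The script below is an added example of that review, not Saviynt code; the role baseline, the set of entitlements treated as privileged, and the four sample users are constructed for the illustration.

```python
"""Access review: compare each user's current entitlements with what the
current role needs, flag leftovers from previous roles (access creep),
entitlements still held by terminated users, and bulk grants that no
role requires.

Added example, not Saviynt code; every role, user and entitlement below is
constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed baseline: the entitlements each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "payroll-clerk": {"hr-records:read", "payroll:write"},
    "hr-analyst": {"hr-records:read", "hr-reports:read"},
    "sysadmin": {"server-admin", "hr-records:read"},
    "auditor": {"hr-reports:read", "audit-log:read"},
}

# Constructed set of entitlements the organization treats as privileged.
PRIVILEGED = {"server-admin", "payroll:write", "audit-log:read", "shared-drive:all"}


@dataclass
class User:
    name: str
    role: str                       # current role
    status: str                     # "active" or "terminated"
    entitlements: set = field(default_factory=set)
    previous_roles: list = field(default_factory=list)


def review_user(user):
    """Return findings for one user: orphaned access, excess entitlements,
    and which of the excess are leftovers explained by a previous role."""
    finding = {"user": user.name, "orphaned": False, "excess": set(), "leftover": set()}
    if user.status == "terminated":
        # A terminated user needs nothing; everything still assigned is orphaned.
        finding["orphaned"] = bool(user.entitlements)
        finding["excess"] = set(user.entitlements)
        return finding
    needed = ROLE_ENTITLEMENTS.get(user.role, set())
    excess = user.entitlements - needed
    finding["excess"] = excess
    for prev in user.previous_roles:
        # Excess that a former role would have justified is access creep.
        finding["leftover"] |= excess & ROLE_ENTITLEMENTS.get(prev, set())
    return finding


def revocations(users):
    """Sorted (user, entitlement) pairs the review says should be removed."""
    pairs = []
    for u in users:
        for ent in review_user(u)["excess"]:
            pairs.append((u.name, ent))
    return sorted(pairs)


def unneeded_privileged_ratio(users):
    """Fraction of active users holding privileged access their role does not need."""
    active = [u for u in users if u.status == "active"]
    if not active:
        return 0.0
    over = sum(1 for u in active
               if (u.entitlements & PRIVILEGED) - ROLE_ENTITLEMENTS.get(u.role, set()))
    return over / len(active)


# Constructed sample population.
SAMPLE_USERS = [
    User("alice", "payroll-clerk", "active", {"hr-records:read", "payroll:write"}),
    # bob moved from payroll to HR analysis; payroll:write was never removed.
    User("bob", "hr-analyst", "active",
         {"hr-records:read", "hr-reports:read", "payroll:write"}, ["payroll-clerk"]),
    # carol received the everyone-gets-it shared drive grant, unrelated to any role.
    User("carol", "auditor", "active",
         {"hr-reports:read", "audit-log:read", "shared-drive:all"}),
    # dave left the organization but his admin account was never disabled.
    User("dave", "sysadmin", "terminated", {"server-admin"}),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(review_user(u))
    print("revoke:", revocations(SAMPLE_USERS))
    print(f"active users with unneeded privileged access: "
          f"{unneeded_privileged_ratio(SAMPLE_USERS):.0%}")
```

The role baseline is the key input: without an agreed statement of what each role needs, a review can only list who has what, which is the "invisible man" problem rather than a cure for it. In a real review the `revocations` list would feed an approval workflow rather than being applied blindly, because a role definition can itself be stale.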

Step 2: Dispel The Shadows

Shadow IT emerges to ease daily tasks or reduce load on production systems. These shadow systems include anything from Excel dumps of database tables to unnecessary "test" servers that mirror the live environment. Tracking and monitoring of these shadow systems rarely occurs because their existence is often supposed to be temporary. Discovering these resources requires automated scanning and inventory using specialized tools. Once they are exposed, they need to be evaluated and eliminated — or monitored to ensure compliance.
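Discovery only helps if its output is reconciled against the asset inventory, so that unregistered hosts and supposedly decommissioned hosts that still answer stand out. The following is an added example of that reconciliation, not Saviynt code or the output of any particular scanner; the discovery export format, the inventory records and the "test mirror" naming heuristic are all constructed for this example.

```python
"""Reconcile a network discovery export against the asset inventory to
surface shadow IT: hosts nobody registered, hosts the inventory says were
decommissioned but that still answer, and unregistered hosts named like a
production system plus test/dev wording (a likely mirror of live).

Added example, not Saviynt code. The CSV formats, hosts and inventory
records below are constructed for the illustration.
"""
import csv
import io

# Constructed discovery output: one row per live host, ports space-separated.
DISCOVERY_CSV = """ip,hostname,open_ports
10.0.1.10,hr-db-01,5432
10.0.1.11,hr-db-test,5432
10.0.1.20,file-srv-01,445
10.0.1.42,,3306 8080
10.0.2.5,old-web-01,80
"""

# Constructed inventory (CMDB) export.
INVENTORY_CSV = """ip,hostname,owner,status
10.0.1.10,hr-db-01,hr-it,production
10.0.1.20,file-srv-01,infra,production
10.0.2.5,old-web-01,web-team,decommissioned
"""

MIRROR_MARKERS = ("test", "dev", "copy", "mirror", "tmp")


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def possible_mirror_of(hostname, production_names):
    """Heuristic: same name stem as a production host plus test/dev wording."""
    name = hostname.lower()
    if not any(marker in name for marker in MIRROR_MARKERS):
        return None
    stem = name.rsplit("-", 1)[0]
    for prod in production_names:
        if prod.lower().rsplit("-", 1)[0] == stem:
            return prod
    return None


def reconcile(discovery_text, inventory_text):
    """Classify every discovered host as known, unregistered, or
    decommissioned-but-alive, keyed by IP address."""
    discovered = parse_csv(discovery_text)
    inventory = {row["ip"]: row for row in parse_csv(inventory_text)}
    production_names = [r["hostname"] for r in inventory.values()
                        if r["status"] == "production"]
    findings = {"unregistered": [], "decommissioned_but_alive": [], "known": []}
    for host in discovered:
        entry = {
            "ip": host["ip"],
            "hostname": host["hostname"] or "(no name)",
            "ports": host["open_ports"].split(),
        }
        record = inventory.get(host["ip"])
        if record is None:
            entry["possible_mirror_of"] = possible_mirror_of(host["hostname"], production_names)
            findings["unregistered"].append(entry)
        elif record["status"] == "decommissioned":
            entry["owner"] = record["owner"]
            findings["decommissioned_but_alive"].append(entry)
        else:
            findings["known"].append(entry)
    return findings


if __name__ == "__main__":
    result = reconcile(DISCOVERY_CSV, INVENTORY_CSV)
    for category in ("unregistered", "decommissioned_but_alive"):
        for entry in result[category]:
            print(f"{category}: {entry}")
```

Every unregistered host is a decision for someone: register it with an owner and put it under monitoring, or remove it. The mirror heuristic is deliberately crude; its job is to prioritise the review queue, since a test copy of a production database carries the same data sensitivity as the original without any of its controls.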

The fundamental failure that leads to shadow IT comes from government agencies not following their own policies. NIST guidance for US government security is straightforward about managing privileged access and enforcing the principle of least privilege. Automated software to manage permissions, such as a PAM (privileged access management) system, also prevents these scenarios from happening. PAM software oversees privileged access assignments and utilization, which ensures adherence to internal governance and compliance requirements. Automation alleviates much of the manual burden required to assign and manage privileged access.

Step 3: Zero Trust Leads to Zero Ghosts

NIST, in Special Publication 800-207, has recently approved Zero Trust as a security architecture. These standards require time-bound privileges and the implementation of just-in-time (JIT) provisioning. When users require access, the solution evaluates their request, then monitors and logs how they use the privileged information. It uses monitoring and alerting to identify usage patterns that indicate bad actors. Catching an incident early reduces the scope of the damage.
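To make the JIT mechanics concrete, here is an added example of a minimal time-bound access broker; it is not Saviynt code and not reference code from NIST SP 800-207. The eligibility policy, the users, the resources and the "too many resources under one grant" alert threshold are constructed assumptions. The broker re-evaluates a grant on every use, revokes it once it expires, and keeps an audit log that a simple pattern check runs over.

```python
"""Minimal just-in-time (JIT) privileged-access broker: every grant is
requested with a justification, is time-bound (clamped to a policy maximum),
is re-checked on each use, and every decision is logged so unusual usage
can be alerted on.

Added example, not Saviynt code or NIST reference code. Policy, users,
resources and thresholds are constructed.
"""
from datetime import datetime, timedelta

# Constructed policy: who may request each privileged entitlement, and for how long.
POLICY = {
    "server-admin": {"eligible": {"dave", "erin"}, "max_minutes": 60},
    "payroll:write": {"eligible": {"alice"}, "max_minutes": 30},
}

BASE_TIME = datetime(2021, 10, 28, 9, 0)   # constructed clock for the scenario


def minutes_after(n):
    return BASE_TIME + timedelta(minutes=n)


class JitBroker:
    def __init__(self):
        self.grants = {}   # (user, entitlement) -> expiry datetime
        self.log = []      # audit trail of every decision

    def _record(self, event, user, entitlement, now, **extra):
        self.log.append({"time": now.isoformat(), "event": event,
                         "user": user, "entitlement": entitlement, **extra})

    def request(self, user, entitlement, minutes, justification, now):
        """Grant time-bound access if policy allows; never longer than the policy max."""
        rule = POLICY.get(entitlement)
        if rule is None or user not in rule["eligible"]:
            self._record("denied", user, entitlement, now, reason="not eligible")
            return False
        if not justification.strip():
            self._record("denied", user, entitlement, now, reason="no justification")
            return False
        expiry = now + timedelta(minutes=min(minutes, rule["max_minutes"]))
        self.grants[(user, entitlement)] = expiry
        self._record("granted", user, entitlement, now,
                     expires=expiry.isoformat(), justification=justification)
        return True

    def use(self, user, entitlement, resource, now):
        """Re-evaluate on every use: an expired grant is revoked, not honoured."""
        expiry = self.grants.get((user, entitlement))
        if expiry is None:
            self._record("blocked", user, entitlement, now, resource=resource, reason="no active grant")
            return False
        if now >= expiry:
            del self.grants[(user, entitlement)]
            self._record("blocked", user, entitlement, now, resource=resource, reason="grant expired")
            return False
        self._record("used", user, entitlement, now, resource=resource)
        return True

    def alerts(self, max_resources=3):
        """Blocked attempts, plus any single grant used against many distinct resources."""
        found = [e for e in self.log if e["event"] == "blocked"]
        touched = {}
        for e in self.log:
            if e["event"] == "used":
                touched.setdefault((e["user"], e["entitlement"]), set()).add(e["resource"])
        for (user, ent), resources in touched.items():
            if len(resources) > max_resources:
                found.append({"event": "alert", "user": user, "entitlement": ent,
                              "reason": f"touched {len(resources)} resources under one grant"})
        return found


def demo():
    """Constructed scenario: one legitimate grant that sprawls, two denials, one expired use."""
    broker = JitBroker()
    broker.request("dave", "server-admin", 120, "patch hr-db-01 per change ticket", BASE_TIME)  # clamped to 60
    broker.request("mallory", "server-admin", 30, "just curious", BASE_TIME)                    # not eligible
    broker.request("alice", "payroll:write", 30, "", BASE_TIME)                                   # no justification
    for i, host in enumerate(["hr-db-01", "hr-db-02", "file-srv-01", "web-01"], start=1):
        broker.use("dave", "server-admin", host, minutes_after(10 * i))                          # 4 distinct hosts
    broker.use("dave", "server-admin", "hr-db-01", minutes_after(61))                            # expired
    return broker


if __name__ == "__main__":
    for alert in demo().alerts():
        print(alert)
```

Two design points matter more than the code volume: the clock is passed in rather than read from the system, which is what makes expiry behaviour testable, and the usage check happens on every access rather than once at grant time, which is the difference between time-bound and merely time-stamped privilege.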

Although government organizations in both the UK and the US are historically guilty of poor security practices, history doesn't have to repeat itself. Standards such as NIST's and programs such as FedRAMP are designed to improve government agencies' security posture.

By combining these with the security best practices of an in-depth asset inventory, eliminating shadow IT systems, and implementing automation, governments can steadily move toward a Zero Trust model and ultimately reduce breaches. Fighting privileged access misuse can be challenging and time-consuming, but allowing these monsters to lurk is a greater danger.
