Who You Gonna Call?
The good news is they don’t need an exorcist to scare away these security boogeymen. Government information security professionals can be the real ghostbusters with just a few changes. Fundamental steps such as in-depth asset inventory, eliminating shadow IT systems, implementing automation, and moving toward a Zero Trust model can significantly reduce the number of government agencies breached annually.
Step 1: Dig Up the Bones
The first step to solving your haunted IT system is to complete a full self-audit and an in-depth asset inventory. While tedious, this is one way to start purging excessive permissions. The process requires digging through all entitlements and verifying what access each user requires, then removing any lingering or excessive permissions. Next, end the common practice of interdepartmental shared drives and make departmental directories private. These steps are a good start and work well for known systems with confidential data. But they aren’t sufficient to completely fix an organization.
Step 2: Dispel The Shadows
Shadow IT emerges to ease daily tasks or to reduce load on production systems. These shadow systems include anything from Excel dumps of database tables to unnecessary “test” servers that mirror the live environment. Tracking and monitoring of these shadow systems rarely occurs because their existence is supposed to be temporary. Discovering these resources requires automated scanning and inventory using specialized tools. Once they are exposed, they need to be evaluated and eliminated, or monitored to ensure compliance.
The fundamental failure that leads to shadow IT is government agencies not following their own policies. NIST guidance for US government security is straightforward about managing privileged access and enforcing the principle of least privilege. Automated software to manage permissions, such as a PAM (privileged access management) system, also prevents these scenarios. PAM software oversees the assignment and use of privileged access, which ensures adherence to internal governance and compliance requirements. Automation alleviates much of the manual burden of assigning and managing privileged access.
Step 3: Zero Trust Leads to Zero Ghosts
NIST has recently approved the use of Zero Trust as a security architecture in Special Publication 800-207. These new standards require time-bound privileged access and the implementation of just-in-time (JIT) provisioning. When users require access, the solution evaluates their request, then monitors and logs how they use the privileged information. It applies detailed monitoring and alerting to identify usage patterns that indicate bad actors. Catching an incident early reduces the scope of the damage.
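As an added illustration of the time-bound, just-in-time access that Step 3 describes (example code written for this article, not taken from NIST SP 800-207 or from any PAM product; the policy table, role and user names, grant lengths and rejection threshold are constructed assumptions):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: which role may request which privilege and for how long.
# Values are hypothetical; they do not come from NIST SP 800-207 or any product.
POLICY = {"dba": {"db_admin": timedelta(hours=1)},
          "sysadmin": {"server_root": timedelta(minutes=30)}}

@dataclass
class PamStore:
    grants: list = field(default_factory=list)  # (user, privilege, expires_at)
    audit: list = field(default_factory=list)   # (time, user, privilege, outcome)

    def request(self, user, role, privilege, now):
        # JIT provisioning: evaluate the request against policy; every grant expires.
        ttl = POLICY.get(role, {}).get(privilege)
        outcome = "DENIED" if ttl is None else "GRANTED"
        if ttl is not None:
            self.grants.append((user, privilege, now + ttl))
        self.audit.append((now, user, privilege, outcome))
        return ttl is not None

    def use(self, user, privilege, now):
        # Each use re-checks the time bound and is logged; expired grants are purged.
        self.grants = [g for g in self.grants if g[2] > now]
        ok = any(g[0] == user and g[1] == privilege for g in self.grants)
        self.audit.append((now, user, privilege, "USED" if ok else "REJECTED"))
        return ok

    def flag_unusual(self, now, window, threshold):
        # Constructed heuristic: more than `threshold` rejected uses within `window`
        # is a usage pattern worth an alert and an analyst's look.
        counts = {}
        for t, user, _, outcome in self.audit:
            if outcome == "REJECTED" and timedelta(0) <= now - t <= window:
                counts[user] = counts.get(user, 0) + 1
        return sorted(u for u, c in counts.items() if c > threshold)

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pam = PamStore()
    granted = pam.request("alice", "dba", "db_admin", t0)       # in policy
    denied = pam.request("bob", "dba", "server_root", t0)       # not in policy
    in_window = pam.use("alice", "db_admin", t0 + timedelta(minutes=59))
    expired = pam.use("alice", "db_admin", t0 + timedelta(minutes=61))
    for i in range(4):  # bob keeps trying a privilege he never held
        pam.use("bob", "server_root", t0 + timedelta(minutes=62 + i))
    flagged = pam.flag_unusual(t0 + timedelta(minutes=70), timedelta(hours=1), 3)
    return granted, denied, in_window, expired, flagged
```

The audit list is the record a reviewer would mine for lingering grants and repeated rejections; a real deployment would persist it to a tamper-evident log rather than memory.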
Although government organizations in both the UK and the US are historically guilty of poor security practices, history doesn’t have to repeat itself. Standards such as NIST and programs such as FedRAMP are designed to improve government agencies’ security posture.
By combining these with the security best practices of in-depth asset inventory, eliminating shadow IT systems, and implementing automation, governments can steadily move toward a Zero Trust model and ultimately reduce breaches. Fighting privileged access misuse can be challenging and time-consuming, but allowing these monsters to lurk is a greater danger.