February 25, 2020

Perpetual Risk – The Human Element

MJ Kaufmann

Security Specialist

Perpetual Risk - The Human Element

The most powerful tool to prevent cyber-attacks is the human actor. That is why the theme of RSA 2020 is the human element of security. Human creativity and knowledge play a huge role in protecting the digital world. Humanity applies its strength not only in the day to day protection but the design and implementation of security tools that act as a force multiplier for the security professional.

People, Process, and Technology for Security

Within the holy trinity of people, process, and technology, technology is often considered the cornerstone of organizational security since it provides automated controls to manage everything from file access to what websites employees surf at work. While it’s true that technology is an important piece of the security landscape, it is the human element that designs security in a mindful manner, relentlessly innovating to address the ever-evolving threat landscape, including addressing one of the greatest security risks, the human risk factor. Ironically, while humans are without a doubt the greatest asset of any organization’s security team, the greatest security challenge they face is not a technological one but an organic one. Human behavior is and has historically been the most enduring threat to any organization’s security. It is not the willfully malicious bad actor that is the greatest danger to an organization but the well-meaning, good intentions of an individual trying to get the job done. If security is the roadblock to getting the job done, employees will find ways to circumvent your security. Overly stringent controls or high friction processes frustrate workers who in turn sidestep security measures, rendering them less effective and in some cases completely useless. Effective security controls must be smarter, removing friction and enabling productivity. There are a number of areas where organizations need to focus on smarter security.

Thwarting Least Privileges

The Principle of Least Privilege is one of the core tenets of information security, ensuring that users are granted the minimal amount of privilege necessary to accomplish their responsibilities. It sounds perfect in theory, but proper implementation is fraught with challenges, the largest of which is often how to trim existing permissions to actually provide least privilege without being too restrictive. Narrowing the scope of permissions and entitlements to satisfy the principle of least privilege requires defining the specific permissions any given position “needs” to accomplish its assigned responsibilities. The human risk in trying to retrofit the principle of least privilege into an organization is that once permissions already exist, individuals have gotten comfortable with having them regardless of whether they need them. Because people by nature fear change, individuals rationalize that they “need” rights which in reality are superfluous and have no direct pertinence to their responsibilities.

Changing Roles and Excess Access

Organizations often set permissions via broad groupings of rights into roles, then assigning roles to groups and departments as a convenient way to add permissions and entitlements to accounts that need common access. For example, to add application accounts and access rights to everyone in accounting, an Accounting role is created. Everyone in Accounting is added to the role, and the role gives application accounts and assets. This helps keep access organized. However, employees aren’t static. Individuals are promoted, change departments, or move to new locations within the organization. In these instances, it is very common for new permissions to be appended to the old, creating the potential for excessive permissions due to a residual permission set remaining beyond its purposeful period. Excessive permissions is one of the more common violations of the Principle of Least Privilege.

Requesting Abundant Access

Even after all the hard work of configuring roles and permissions is complete, often individuals will try to get more access than required for their role. Excessive access requests are rarely malicious. Individuals submit broad access requests thinking, “Why take the time to determine the specific set of files you need or list the exact directories required when it’s easier and faster to ask for the entire drive? This logic isn’t necessarily incorrect, but it certainly increases risk. Overly stringent controls and/or high friction processes are frustrating, encouraging end-users or managers to include items that “might” be needed later. Unfortunately, seemingly benign excessive access requests often open unnecessary holes in security through which malicious users can exfiltrate the data resulting in a larger breach that is harder to isolate.

The Risk of Rubber Stamping

Approval processes are intended to prevent unnecessary access, yet there are a number of reasons approvals fail to prevent excessive access. Approvers have a limited amount of time and investigating the veracity of every request isn’t always viable. Approving access requests is a cumbersome manual process in most IT environments. Reviewing what group a requester belongs to, researching whether this individual should have access, and ensuring there is no Segregation of Duties violations are all time-consuming tasks for an approver. All of this places a heavy burden on the approver, reducing their productivity and leading to “rubber-stamping”. “Rubber Stamping” is when an approver doesn’t scrutinize the validity of the request, but simply approves it for efficiency. As noted above, this often occurs because it is easier to approve than to do research. If a user needs some of the access they requested then it’s easy for the approver to rationalize that they may have need of everything they requested. In the same vein, when an approver is overwhelmed with requests that are just for routine permissions, it’s easy to miss an excess access request amidst the noise. The more burdensome the access request process is, the more likely rubber stamping is to occur.

Collaboration Can Lead to TMI

One of the greatest productivity boosts to the modern enterprise is the ability to use collaborative software such as Microsoft Teams. Using these tools, individuals can share documents and resources as they are collaborating, in real-time, enabling far more efficient teamwork. Unfortunately, this indiscriminate sharing often occurs outside of normal governance processes; if an individual has the rights to view a resource, they can share it with anyone. This sharing usually lacks tracking and validation the individual should have rights to the resource. In a world demanding high-productivity, where synergy increases output, many collaboration tools include “If I can touch it, I can share it” permissions. This places the same onus on the person sharing the resource as our aforementioned approver. The person sharing the content is responsible for knowing what group a colleague belongs to, whether the individual should have access and any potential for Segregation of Duties (SoD) violations. Rarely will the average employee have all of this information either in their head or at their fingertips because it’s not in the scope of their job. This increases the risk of both SoD violations and the unintentional dissemination of sensitive or business-critical information.

Human Element Vs. Human Risk Factor

With all of these aspects of the human risk factor, it is no wonder that humans are the key component of security, both as a challenge and as the defense. As we consider the theme of RSA2020, it is important to think about these factors and how best leverage the human element of security to reduce the human risk factor by empowering the human element and facilitating their effectiveness, utilizing both technology and innovation. We’ll expand on this in our next post and look at how Saviynt is pioneering ways to make smarter security with intelligent identity. Saviynt’s deep visibility, frictionless access, intelligent analytics, and intuitive interfaces support the human element keep organizations secure.

Saviynt at RSA Conference 2020

The RSA Conference 2020 is in San Francisco and Saviynt is there. We’ invite you to stop by and see us at Booth #1747 in the South Hall to chat with us. Saviynt ranks in the top third of Inc. Magazine’s 5000 fastest growing companies in the US as well as Deloitte’s Top 500 fastest growing companies. As a leader in converging Identity Governance, Application GRC and Cloud Privileged Access Management solutions, Saviynt is committed to delivering outstanding customer service in a way that bolsters our customers’ cybersecurity risk posture and compliance. Saviynt’s third-generation IGA product (Identity 3.0) is a hyper-converged platform that brings together intelligent Identity Governance & Management, Application GRC, identity-centric cloud security and cloud Privileged Access Management (PAM). Saviynt enables organizations to leverage ‘identity as the true perimeter’ across a multi-cloud and hybrid IT environment and ensure appropriate access with its usage-driven identity intelligence and analytics. We hope to see you at RSA, you can book a demonstration here.