The Governance and Risk Horror Show Part 2
Have you ever noticed that most good horror movies have a sequel, or even many, many sequels? There are exceptions– Cabin in the Woods, anyone?– but with the recent and successful release of the umpteenth Halloween movie, I’m convinced few stories are done with one installment.
Ergo, we’re returning to the scene of our previous discussion about The Governance and Risk Horror Show to look at a good guy in your organization who may inadvertently be exposing you to peril.
This time I want to examine…the fright of a friendly admin!
When the pressure is on for agile productivity, the security procedures around access can fall aside as fast as the jump scares in a slasher movie. Someone needs access, and she needs it NOW! Who’s she gonna call? She calls the friendly admin!
The friendly admin is the person who will always help out in a situation where someone needs Domain Admin rights, root access to that one server in prod, or the password to the SA account IMMEDIATELY! The business relies upon this swift function, and there isn’t time to be bogged down with going through red tape. In a perfect world, the admin would balance security and access perfectly, but the need to get things done can eclipse the need to get things done safely. It’s rather like when the scientist decides to circumvent protocols just for one critical occasion, and abruptly, the world is dominated by intelligent apes… or worse. We’re failing audits, and someone is selling personally identifiable information (PII) gathered on the dark web.
Despite this horrific scenario, the friendly admin isn’t our enemy. He wants to see our business succeed, and he’s trying to meet the demands of someone with high title and urgency. How can we make certain that this faithful employee doesn’t inadvertently invite demons in the door? Does the admin mean to circumvent the careful circle of protection around the company’s house? Here’s a few ideas.
Lock up the dangerous artifact. You shouldn’t leave the Necronomicon just laying around. It needs to be locked up with some holy wards around it. Similarly, you shouldn’t let your privileged accounts be handled in a casual fashion. Whether an admin account, a dev account with access to a critical code base on a cloud hosted development platform, or a service account with administrative rights, these all must be carefully protected. It may take some cultural adjustment for those used to having all the power on their day-to-day user account, but limiting access to and requiring justification for administrative privilege is a significant factor in cutting down risk. You don’t have the perpetual excess of privileges when you use just-in-time access elevation rather than perpetually holding all that access. Better yet, make it time-bound and turn off the access when the work is done.
Even with that caution, administrative accounts are subject to digital attacks as much as Camp Crystal Lake is subject to violent attacks (which only makes sense if you’re a fan of Friday the 13th, but trust me, it’s attacked a lot). Require multi-factor authentication to protect administrative or privileged accounts by ensuring they are who they say they are.
Watch the watchers. If there’s a time and place to be paranoid, it’s when we’re trying to maintain security and prevent compromised credentials. I mentioned in a previous blog that using behavior analytics to find suspicious activity can continuously monitor for out-of-band access changes — usually enacted by our helpful and friendly admin– which could leave the door unlatched. When we’re watching for slips through the cracks, an effective measure is an automated response to alert a security admin. We could even shut down the unapproved access before it can even be used.
Avoid Keymaster/Gatekeeper combinations. Sometimes it’s as easy to identify what Segregation of Duty controls we need to enact as it was for Egon to know that the Keymaster and the Gatekeeper shouldn’t be allowed to meet… but, it’s often not obvious. There are challenges to tracking toxic combinations of rights across on-premises applications, cloud applications, systems and infrastructure. We have to surface entitlements across environments– even those from complex sources such as nested AD groups or sub-templates in Epic. Once surfaced, identify risky or even completely unacceptable entitlement combinations. Apply analytics to identify the outliers, and then develop business rules based on what we can infer. Once that baseline is in place, prevent drift by having continuous certification of the SoD definitions and requiring any new application to be wrapped into this process.
Don’t get swallowed by the cloud. Of course, if you’re dealing with cloud workloads, IaaS and cloud code repositories, the continuous certification mentioned above is even more of a challenge. Why? The sheer velocity of change and magnitude of entitlements when governing assets in your cloud environments can be staggering. Regular certifications of this teeming mass usually result in rubber stamping, because what manager can actually get through this fog? It’s a bit like trying to contain The Blob.
To deal with the nuance of the vapor, there is an important key: apply the dimension of risk. Use a system which can proactively scan the environment for risky configurations and prevent insecure workloads from being spun up by the friendly admin just helping someone out. Employ a system which can calculate the risk of an access request real-time and highlight for a manager when a request approval would give someone access that’s significantly different than his peers. Apply risk as a factor in certifications to filter out the noise so a manager can just focus on real risk– such as when the friendly admin tries to give someone access to both dev and prod.
You need brains even more than zombies do. It pays to seek out smarts to help you out. Saviynt has over 120 OOTB IT and business Segregation of Duty rules, and more than 150 IT security, risk and threat controls, all mapped to common business applications and usage. That’s an awful lot of experience to capitalize upon! When you’re trying to minimize risk and maintain compliance, Saviynt has already written enough material to keep all of the Michael Myers at bay, no matter which Halloween story-line he may be from and how generous your friendly admin may be. Look at an overview of our solutions here.
If you’re struggling with these challenges, come to Saviynt Converge ‘18, our complimentary event that is exclusive to Saviynt customers, partners and prospects. It’s just before the Gartner IAM Summit in Las Vegas. To learn more or to register, click here.