Monday, January 11, 2010

Who holds the keys to your organisation’s data?
By Tim Dunn, vice-president of CA’s security business in the Emea region

Published: January 11 2010 12:47 | Last updated: January 11 2010 12:47

Organisations have a legal duty to protect their customers’ personal data – but should we really trust them?

Incidents such as unauthorised securities trading at Société Générale and hacking of the Pentagon’s system share a common thread – they were the work of people who gained access, legitimate or otherwise, to privileged user details, in other words, the security crown jewels.

Understanding privileged user management (PUM) first requires knowing what a privileged user is. It might seem a simple question, but it is often a hurdle at which organisations fall.

A privileged user is an individual who, by virtue of function, has significantly greater system access rights than most corporate users. They will include, for example, system administrators and those with emergency accounts.

But because a privileged user has access to a wide range of IT resources, they can make use of private and sensitive data within the organisation, create new user profiles, and add to or amend the powers and access rights of existing users. All this gives them a higher level of access to sensitive data than any other employee in the business – the equivalent of the keys to the kingdom.

With an ever-increasing wave of security threats and a growing regulatory burden, it is no surprise that IT managers tend to overlook the privileged access granted to themselves and others to carry out their jobs.

But mistakes made can have serious consequences for an organisation’s brand value, customer retention, revenue and support from investors and shareholders.

A growing list of compliance initiatives is aimed at protecting organisations from malicious or inadvertent abuses. The ISO27001 security standard that is commonly used around the world advocates that the allocation and use of privileges should be restricted and controlled. For example, the access privileges associated with each system product (e.g. operating system, database management system and each application), and the users to which they need to be allocated, should be identified.

This means that organisations need an access control policy that allocates access on a need-to-use basis, plus an authorisation process and a record of all privileges allocated.

Corporate executives are pushing their organisations to comply with these regulations or face personal liability and the threat of criminal and civil penalties.

Almost all relevant legislation centres around the principle of “least privilege”. This requires that in a particular layer of a computing environment, every module – be it a process, a user or a program – must only be able to access such information and resources that are necessary for its legitimate purpose.

When applied to users, the terms “least user access” or “least privileged user account” (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.

The key step in addressing this challenge is first to treat the privileged user as a major business and risk management issue. Once this is understood at a strategic level, an organisation is in a better position to deploy tools that control, monitor and measure its privileged users, and to make sure the solution helps the organisation move along a proven path, or “maturity model”, that adapts to the changing needs of the business.

An organisation must also adopt best practices throughout, including securing log files, enforcing segregation of duties and introducing individual accountability, to ensure that privileged accounts are not shared, privileges are kept up to date and user activity is monitored.

Awareness of the issue is growing, although a recent study by software company CA and analysts Quocirca into the behaviour and management of privileged users revealed that the security of European organisations, and the trust placed in them, is at risk because of non-compliance with industry standards, poor practice and manual error.

The study found that 41 per cent of 270 European organisations confirmed that, while they had adopted the ISO27001 standard, non-compliant practices such as sharing privileged user account details and retaining default privileged account user names and passwords still prevailed.
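The controls described above (need-to-use allocation with an authorisation record, no shared privileged accounts, privileges kept up to date, default accounts not left in use) can be checked mechanically against an account register. The following is an added example, not code from the article or from CA; the register, role entitlements and default account names are all constructed for illustration.

```python
# Added example (not from the article): audit a constructed register of
# privileged accounts against the controls the text lists: need-to-use
# allocation, an authorisation record, no shared accounts, periodic
# review, and vendor default accounts not left in direct use.
from dataclasses import dataclass
from datetime import date

# Constructed: the privileges each role legitimately needs (need-to-use).
ROLE_ENTITLEMENTS = {
    "dba": {"db:backup", "db:schema"},
    "sysadmin": {"os:root", "os:service-restart"},
}
# Constructed: vendor default names that should be vaulted, not used directly.
DEFAULT_ACCOUNT_NAMES = {"root", "admin", "sa", "administrator"}

@dataclass
class PrivilegedAccount:
    name: str
    system: str
    role: str
    privileges: set
    holders: list               # people who know the credential
    authorised_by: str = ""     # empty string = no authorisation record
    last_reviewed: date = None

def audit(accounts, today, max_review_days=90):
    """Return (system/name, finding) pairs; an empty list means compliant."""
    findings = []
    for a in accounts:
        key = f"{a.system}/{a.name}"
        excess = a.privileges - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:                       # least privilege violated
            findings.append((key, f"excess privileges: {sorted(excess)}"))
        if not a.authorised_by:          # no record of who allocated it
            findings.append((key, "no authorisation record"))
        if len(a.holders) > 1:           # individual accountability lost
            findings.append((key, f"shared by {len(a.holders)} people"))
        if a.last_reviewed is None or (today - a.last_reviewed).days > max_review_days:
            findings.append((key, "review overdue"))
        if a.name.lower() in DEFAULT_ACCOUNT_NAMES and a.holders:
            findings.append((key, "default account in direct use"))
    return findings

# Constructed sample register: one compliant account, one with several issues.
SAMPLE = [
    PrivilegedAccount("jsmith-dba", "crm-db", "dba", {"db:backup"}, ["J Smith"],
                      "CISO ticket #1", date(2009, 12, 1)),
    PrivilegedAccount("root", "crm-app", "dba", {"db:backup", "os:root"},
                      ["J Smith", "A Jones"]),
]
TODAY = date(2010, 1, 11)  # constructed audit date
```

Running `audit(SAMPLE, TODAY)` reports nothing for the first account and five findings for the shared `root` account, one per control it breaches.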

More than one third (36 per cent) stated they had implemented ISO27001 and had it certified by an external auditor.

The main problem highlighted by the study was awareness. Respondents admitted to overlooking risks associated with poor PUM because other security threats, such as malware, the internet and Web 2.0 tools, ranked higher in their priority list.

While the majority of privileged users are highly trustworthy, organisations face a growing problem of managing privileged users and their access rights. Abuse is often not intentional, which means there is a need not just to protect the business from its employees, but the employees from themselves.

Clearly, it is in the interest of individual IT managers, the IT department and the overall business to have measures in place to control and monitor privileged users.

Copyright The Financial Times Limited 2010.