Privileged Accounts: Locking The Back Door and Closing the Windows

The issue of managing, or, more to the point, not managing, privileged accounts, and why they too often end up as a low business priority, is a complex one. Not long ago, privileged account sprawl was the elephant in the room that organisations generally chose to ignore because it was perceived as simply too difficult, costly and disruptive to the business to remedy. While the perception of ‘cost to fix’ was high, the unmitigated risk that these ‘power’ accounts posed wasn’t fully understood or accepted. It didn’t take long for this strategy to prove foolhardy. A case in point of the damage a lack of privileged account controls can cause is that of Europe’s biggest bank, HSBC, when it had the data of up to 24,000 private clients passed to the French tax authorities by a former IT employee in March this year.

The key to understanding the potential business risk and impact of privilege is that it is not only about individuals and their user accounts, but also about the context in which we evaluate business accounts, information, applications and processes, and how they interact. Organisations have historically invested vast amounts of time and money managing end users, and too often forget (or ignore) the fact that there are alternative ways of gaining access to systems that are powerful, unsecured and anonymous. They are thus providing an ‘unlocked’ back door directly into the heart of the enterprise.

A recent example is that of Rodney Caverly, a former software company chief executive officer (CEO) turned Bank of America employee. In April 2010, he pleaded guilty to abusing his position within its IT department when he devised a scheme to deploy code to the bank’s computers and ATMs that allowed them to dispense cash without recording the transaction. Although the exact amount he stole is not known, it has been reported to be in the many thousands of dollars, with some cited claims in excess of US$300,000.

And while the insider threat is real and pervasive, it’s not always a person who poses the most significant threat to the organisation. Attacks are increasingly focused on exploiting unsecured and unmanaged legacy hardware and software vulnerabilities and accounts. According to an April 2010 report by Javelin Strategy & Research, ‘ATM and PIN Fraud’, skimming attacks on card transactions at ATMs are being replaced with assaults on the software inside the machine and on the ATM networks themselves.

Taking Organisational Responsibility and Control Seriously

Ignoring the problem surrounding an organisation’s privileged assets doesn’t make the risk go away. Instead, organisations must acknowledge the business impact of privilege, accept the responsibility to manage and secure these assets, and implement programmes that identify and assess the level of risk these assets can pose, allowing them to prioritise their remediation and mitigation efforts accordingly.

Taking a holistic, privilege-based perspective allows organisations to set and manage policies at a high level, rather than reactively responding to breaches and audits. This empowers enterprises to understand the risks within a privilege context and proactively prioritise activities and measures to minimise and/or eliminate them.

Over the years every organisation has accumulated thousands of system, database, application and network accounts. These accounts and their credentials are often shared by users, past and present, and are embedded in thousands of applications across diverse platforms throughout the infrastructure. As a theoretical example, Jon was given a password to make some changes to a key system; he then shared this with Mary, who was having difficulty accessing the application on another day. Jon and Mary have both since left the organisation, but no-one knows whether they shared the password with anyone else, and the password has remained unchanged. As this scenario demonstrates, organisations have long since lost track of many of these accounts and of who has access to them.

The other major impediment is the fear factor of ‘breaking’ critical systems and applications. In complex environments, the impact of attempting to change shared passwords to comply with best practice and regulatory requirements, or of tampering with embedded application accounts and service accounts, is never clear. Organisations are, to put it mildly, reluctant to address the problem because they dare not risk bringing down, or even breaking, critical applications and systems.

Bringing the various business functions together is the beginning of identifying where all privileged identities reside. For example, the helpdesk may flag its use of an administrator account on desktops and/or laptops as a potential issue if that same account also allows access to the key systems it uses. For human resources, it could be someone accessing their network as an administrator and from there browsing through the personnel files. Credit card processing will have applications automatically reaching into databases, and the risk here is of a real person mimicking the application’s privileged identity to peruse those card details. Once this process is complete it should be clear which accounts are higher-risk, and therefore require immediate attention, and which can be addressed in due course.

From here, an enterprise can either build on the shaky foundation of the past, adapting code with embedded accounts to new uses and expanding operations while doing business in the same old way, or take the lesson of privilege to heart and find a better way. Policies need to be created and implemented that control how these privileged accounts are approved and managed in future, for example generating an emergency ID for Jon to allow him access to the system but restricting the data he can see. The ID is then revoked once the job is completed.

Even a good faith effort to control access according to need, based on the privilege quotient of the applicable accounts, assets and processes, is daunting, to say the least. Organisations will typically use spreadsheets or similar devices to control and track privileged access, but find it impossible to keep up with demands for access, so they quickly fall behind and lose track.

On the other hand, if an organisation tries to play hardball and enforce proper controls without automated tools, the spreadsheet approach quickly becomes a bottleneck, an impediment to timely provisioning and an invitation to circumvent procedure. It becomes, once again, impossible to track who has, and who needs, privileged access, and to which systems and applications.
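The two steps the article has just described, ranking the inventoried privileged accounts so the higher-risk ones are fixed first, and then issuing a scoped, time-limited emergency ID that is logged and revoked rather than tracked in a spreadsheet, can be sketched in a few dozen lines. The example below is added here and is not the article's or any vendor's code; the account names, systems, risk weights, report paths and the fixed clock are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

NOW = datetime(2010, 6, 1, 9, 0)   # fixed clock so the example is reproducible
HOUR = timedelta(hours=1)

@dataclass
class PrivilegedAccount:
    name: str
    system: str
    owner: Optional[str]     # None: nobody is currently accountable for it
    shared: bool             # credential known to more than one person
    embedded: bool           # hard-coded into an application or service
    last_rotated: datetime
    data_sensitivity: int    # 1 (low) to 3 (cardholder or personnel data)

# Constructed sample inventory, not real accounts; these are the fields the
# cross-functional review described in the article would collect.
INVENTORY: List[PrivilegedAccount] = [
    PrivilegedAccount("app_db_svc", "cardholder-db", None, True, True,
                      datetime(2008, 1, 15), 3),
    PrivilegedAccount("hr_admin", "hr-fileserver", "hr-lead", False, False,
                      datetime(2010, 5, 1), 3),
    PrivilegedAccount("helpdesk_local_admin", "desktop-fleet", "helpdesk",
                      True, False, datetime(2009, 12, 1), 1),
]

def risk_score(acct: PrivilegedAccount, now: datetime) -> int:
    """Additive score; the weights are illustrative assumptions, not a standard."""
    score = acct.data_sensitivity * 2
    if acct.owner is None:
        score += 3       # orphaned: the Jon-and-Mary case, nobody left to ask
    if acct.shared:
        score += 2       # no individual accountability for its use
    if acct.embedded:
        score += 1       # rotation may break the application that carries it
    if (now - acct.last_rotated).days > 90:
        score += 2       # stale credential
    return score

def triage(accounts, now, immediate_threshold=7):
    """Split the inventory into 'fix now' and 'fix in due course', highest risk first."""
    ranked = sorted(accounts, key=lambda a: risk_score(a, now), reverse=True)
    immediate = [a for a in ranked if risk_score(a, now) >= immediate_threshold]
    later = [a for a in ranked if risk_score(a, now) < immediate_threshold]
    return immediate, later

@dataclass
class EmergencyGrant:
    grant_id: str
    requester: str
    approver: str
    system: str
    allowed_paths: FrozenSet[str]   # the data the holder may actually touch
    expires_at: datetime
    revoked_at: Optional[datetime] = None

class GrantRegistry:
    """Replaces the spreadsheet: every issue, use, denial and revocation is logged."""

    def __init__(self) -> None:
        self.grants: Dict[str, EmergencyGrant] = {}
        self.audit: List[Tuple] = []   # append-only trail of (time, event, ...)
        self._counter = 0

    def issue(self, requester, approver, system, allowed_paths, now, ttl_hours=4):
        if requester == approver:
            raise ValueError("an emergency ID cannot be self-approved")
        self._counter += 1
        grant = EmergencyGrant(f"EMG-{self._counter:04d}", requester, approver,
                               system, frozenset(allowed_paths),
                               now + ttl_hours * HOUR)
        self.grants[grant.grant_id] = grant
        self.audit.append((now, "ISSUE", grant.grant_id, requester, system))
        return grant

    def is_permitted(self, grant_id, path, now) -> bool:
        """Checked on every access: grant exists, not revoked, not expired, path in scope."""
        grant = self.grants.get(grant_id)
        live = grant is not None and grant.revoked_at is None and now < grant.expires_at
        ok = live and path in grant.allowed_paths
        self.audit.append((now, "ALLOW" if ok else "DENY", grant_id, path))
        return ok

    def revoke(self, grant_id, now) -> None:
        self.grants[grant_id].revoked_at = now
        self.audit.append((now, "REVOKE", grant_id))

    def expire_stale(self, now) -> int:
        """Sweep grants past expiry, so the window closes even if nobody revoked it."""
        swept = 0
        for grant in self.grants.values():
            if grant.revoked_at is None and now >= grant.expires_at:
                grant.revoked_at = now
                self.audit.append((now, "EXPIRE", grant.grant_id))
                swept += 1
        return swept

def demo() -> List[str]:
    """Jon gets emergency access to one report on the cardholder database, then it is revoked."""
    reg = GrantRegistry()
    g = reg.issue("jon", "ops-manager", "cardholder-db", ["/reports/daily"], NOW)
    reg.is_permitted(g.grant_id, "/reports/daily", NOW + HOUR)      # in scope: allowed
    reg.is_permitted(g.grant_id, "/cards/pan", NOW + HOUR)          # out of scope: denied
    reg.revoke(g.grant_id, NOW + 2 * HOUR)                           # job done
    reg.is_permitted(g.grant_id, "/reports/daily", NOW + 3 * HOUR)  # revoked: denied
    return [event[1] for event in reg.audit]

if __name__ == "__main__":
    immediate, later = triage(INVENTORY, NOW)
    print("fix now:", [a.name for a in immediate], "| later:", [a.name for a in later])
    print("audit trail:", demo())
```

With the constructed inventory, the orphaned, shared, embedded service account on the cardholder database is the only one that crosses the 'immediate' threshold; the HR and helpdesk accounts score equally and fall into the 'due course' tier. The registry enforces what the article asks of the emergency ID: a separate approver, a scope narrower than the underlying account, an expiry that closes the window even when nobody remembers to revoke, and a trail that records denials as well as uses.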

Taking a holistic, privilege-based perspective allows organisations to set and manage policies at a high level, rather than taking a piecemeal approach. This allows enterprises to understand risk in its privilege context and prioritise activities to minimise and/or eliminate it.
