Welcome!

Web 2.0 Authors: Kevin Benedict, Liz McMillan, Esmeralda Swartz, Roger Strukhoff, Elizabeth White

Related Topics: Web 2.0

Web 2.0: Blog Post

With Great Power Comes Great Responsibility: Managing Privileged Users

How to Mitigate Negative Outcomes from Privileged User Access

Since the advent of the SuperUser, there has been a thorn in the side of Information Security. Administrators must be able to perform system management functions, but systems have been designed to grant them access far beyond what they actually need to do their jobs. As a result, IT has had to come up with crafty ways to help mitigate who has access to privileged accounts and the underlying data in those accounts. They have tried everything from password management, to keystroke logging, to change control procedures, to privileged user management (such as sudo, powerbroker, etc.).

However, all of these approaches have focused on either "who" can become a privileged user or "how" they can access sensitive data. In essence, they've been missing the point, which is much more about what the privileged user is able to do with data.

If you are wrestling with how to mitigate negative outcomes from privileged user access to data (and attackers who wish to exploit privileged users), here are a few different methods to consider:

  • Password Management - Create a process where privileged users must check out a password after going through an approval process, usually a change control system. (This mitigates an individual admin from just jumping into the system at will, but does not control what they can do, or if a vulnerability is abused in the system.)
  • Privileged User Management - Tools like sudo can be used to control who can run what commands as a privileged user (i.e. - jsmith can run mount as root to mount file systems). This controls individual admins to a limited set of commands, but the sudo configuration is still managed by a full root user, and doesn't control access to data, as root.
  • Keystroke Logging - Commonly used to watch what an individual does on a system, and is seen to be a very cumbersome method.
  • Data Firewalling - A tool like Vormetric Data Firewall is an effective last line of defense because it employs a separation of duties from data, all driven by policy. It uses transparent encryption (failsafe), integrated key management (no keys known to individuals), and a criteria-effects rule set to only allow approved users/processes to access data. This can be used to allow the business application to see its data, but the administrator to only see cyphertext, if anything at all. This means that admins can be monitored and limited from access to data, while still being able to perform needed tasks.

When looking to mitigate and control your privileged users so that you can keep your organization out of the media headlines around data breaches, the best method is almost always to address the problem at its root...the data itself. By taking an "inside-out" approach to security and focusing on the end-goal of data first, you can deliver a much more refined, and secure, solution.

More Stories By Sol Cates

Sol Cates (@solcates) was promoted to the role of CSO at Vormetric in February 2013. As CSO, he is responsible for ensuring Vormetric’s internal security profile remains robust while also understanding how security is perceived and used by IT/IS and how it drives technical decision making and buying behavior at the boardroom level. Cates partners with teams through the company to engage both customers and partners, and he speaks publicly to elevate industry understanding of data security best practices in today’s complex cyber threat landscape. The technical depth and understanding of the information security space Cates has developed over the last 17 years is rooted in the intelligence community, financial services industry and other large enterprise organizations. He originally joined Vormetric in 2003, when he spent four years as a systems engineer. After holding a similar role at SignaCert (acquired by Harris) for three years, Cates returned to Vormetric in November 2009 as director of field engineering and solutions architecture. In this role, he grew and led a world-class technical sales team to great success, by installing understanding of the business, not just the technology. As an active problem solver, he built the original prototype of Vormetric Toolkit, which enables enterprise and cloud service provider (CSP) customers to automate and accelerate their data security deployments. Cates’ career also includes technical sales, engineering and support leadership roles at Tripwire, Symantec and Spectra Physics. Cates has developed many real-world solutions for customers, including iPhone and Android applications as well as elastic SaaS platforms.