Don’t Underestimate the Risk of Privileged Users

A few weeks ago, I was out on the West Coast talking to companies about privileged user management and identity governance with our technology partner, Cyber-Ark. This is an area of real concern for lots of organizations – and rightfully so. During our meetings, we exchanged real-world “horror stories” about insider fraud and sabotage. One of the most interesting ones was a case that went to trial last year in Texas. This case clearly illustrates the challenge of putting in place appropriate controls over privileged user access.

The IT director of a nonprofit organ donor center for more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she set up previously without anyone’s knowledge.

Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company’s organ donor database server and main accounting server. Over the next several hours, she then deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers – making it impossible to identity the individual files and applications she deleted.

What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she had had previous access. So what more could a company do to prevent incidents like this? Here are some ideas:

  • Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.
  • Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans” and duplicate accounts (employee with more than one account on any system) can be flagged for immediate remediation.
  • Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.
  • Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.

Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be imported into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.

How do you manage the access rights of privileged users?