Don’t worry about your high-privileged users (AKA: Controlling actions, not people)

-

Image by FLY:D <https://unsplash.com/@flyd2069> via <https://unsplash.com/photos/OQptsc4P3NM>

In every organization, users will need access to different resources in order to be able to do their jobs. These might be data, applications, system-administration rights, approval capabilities for different processes, etc.

Most users will (or at least should) end up with a set of permissions which present a low risk to the company. In other words, if those users decided to harm the organization, or if their accounts were compromised or stolen by external attackers, the level of damage they could infringe is fairly under control.

However, it is inevitable that some other users will end up holding certain permissions that do pose a much larger risk. System administrators could disable all corporate accounts, preventing all employees from carrying out their functions. Data owners could disclose confidential information to the general public, causing a huge damage from a reputational, financial and legal perspective. The Chief Financial Officer could approve inappropriate payments resulting in big losses for the company and potentially even fraud.

These kinds of high-privileged users emerge in every organization. So, it stands to reason that they need to be monitored and properly controlled. It is important to understand the proper way to do this, though. I have often seen the following approach:

“You first need to identify who your high-privileged users are, so you can better control any concerning behavior”

But, do you? Consider the following video from a 1999 research by Daniel Simons and Christopher Chabris.

In the video (and a large number of similar ones that you can find online), the concept of “Selective Attention” is exposed. Reportedly, about 50% of the viewers failed the test. The way I would put it is: If you already know what you are looking for, you will miss what you are not.

Or, in other words: If you already know (or assume you know) who your high-privileged users are, you are not on the lookout about anyone else carrying out equally privileged actions. You won't even know until it's too late.

The reason for this is actually simple. These actions, and not the users, are the real concern.

Nowadays, with organizations being so dynamic, changing and hierarchically-flat, and with technology allowing anyone to perform any action from anywhere, a user can become privileged overnight with the press of a button, simply because “Mary is on holiday, so someone from her team needs to be approving these expense requests”. Therefore, it does not make sense to monitor the people that you assume will be privileged, but instead control whoever gets access to those actions that have been identified as critical, or privileged.

Bottom-line: control actions, not people.

Of course, that requires the organization to be able to do two things:

  1. Always know who has access to what. Avoid backdoors, and have the proper processes and controls for Access Management: access requests, delegations, etc.
  2. Properly identify which permissions are critical or privileged, and how much.

Those two points require a deeper discussion that we will cover in future articles, but we have for now laid the proper foundations for effective Access Management: we need to understand first what can be accessed, in order to then manage who can access.

Comments

Post a Comment

Popular posts from this blog

The importance of having a centralized Access Management system (AKA: Authorization-as-a-Service)

-
Image
In the domain of Information Security, Identity and Access Management (IAM) is the field that aims to ensure that the right users have appropriate access to different resources (data, applications, etc.). In other words, it guarantees that these users can only access what they have been authorized for, in line with risk-based decisions made by the owners of those resources. This is the principle, anyway. But that principle can be implemented in different ways: If your organization uses (or offers) multiple applications, you can simply have each application independently managing user access (that is:  who can do what ). Or you can manage that level of access  centrally , in what is known as an Access Management (AM) system. This way, your applications will just ask that system whether a specific user can carry out a given action or not. This AM system becomes the brain for Authorization decisions, a single solution where access is defined and maintained, and exposes its capabi...
Read more

Understanding IAM Governance (AKA: How we monitor, control and decide)

-
Image
I remember when I first heard about Corporate Governance as a young engineer fresh out of college. I simply could not make sense of the concept and what it meant. It seemed to me like empty words which ultimately meant "ensure we do the right thing". Pffff. Useless! Of course we will do the right thing! Every employee and every organization makes plans to do the right thing! Anything else would be ridiculous, right? Right now, many of my readers are shaking their heads in pity for the naivety of my younger self. Because we now know that "doing the right thing" does not happen magically, and it certainly does not persist magically. It needs to be carefully defined, planned, communicated, enforced, controlled, monitored, and reviewed. However, I'd ask for a little bit of compassion for this younger (and dumber) version of me because, in my current experience, I have seen that so many people fail to grasp the meaning of Corporate Governance and, in our current conc...
Read more

Of Entities, Identities and User Accounts (AKA: I need to know who IAM)

-
Image
I often see that the concepts of Entity , Identity and Form of Identity are assumed as understood by all parties, and yet rarely with the same definition for all. These are not specific to the realm of IAM, with the first two being universal and the latter being simply derived from their physical-world counterparts. The problem is, as we will see, that not having a clear understanding of what they mean and their importance, will lead us to make design mistakes which will have an impact in our security and governance. Let's go step by step and try to understand each of these terms, in the physical world, to map them later to the digital one. Entity An Entity is defined as "something that exists independently, not as part of a whole". This is the foremost node in the identity chain. John Smith  is an entity (a car is also an entity, as is a service or an application , in the digital world, but let's stay with John as a simpler example, for now). John can't be mor...
Read more