Don’t worry about your high-privileged users (AKA: Controlling actions, not people)
In every organization, users will need access to different resources in order to be able to do their jobs. These might be data, applications, system-administration rights, approval capabilities for different processes, etc.
Most users will (or at least should) end up with a set of permissions which present a low risk to the company. In other words, if those users decided to harm the organization, or if their accounts were compromised or stolen by external attackers, the level of damage they could inflict is fairly under control.
However, it is inevitable that some other users will end up holding certain permissions that do pose a much larger risk. System administrators could disable all corporate accounts, preventing all employees from carrying out their functions. Data owners could disclose confidential information to the general public, causing huge damage from a reputational, financial and legal perspective. The Chief Financial Officer could approve inappropriate payments resulting in big losses for the company and potentially even fraud.
These kinds of high-privileged users emerge in every organization. So, it stands to reason that they need to be monitored and properly controlled. It is important to understand the proper way to do this, though. I have often seen the following approach:
“You first need to identify who your high-privileged users are, so you can better control any concerning behavior”
But do you? Consider the following video from 1999 research by Daniel Simons and Christopher Chabris.
The video (like a large number of similar ones that you can find online) demonstrates the concept of “Selective Attention”. Reportedly, about 50% of the viewers failed the test. The way I would put it is: If you already know what you are looking for, you will miss what you are not.
Or, in other words: If you already know (or assume you know) who your high-privileged users are, you are not on the lookout for anyone else carrying out equally privileged actions. You won't even know until it's too late.
The reason for this is actually simple. These actions, and not the users, are the real concern.
Nowadays, with organizations being so dynamic, changing and hierarchically flat, and with technology allowing anyone to perform any action from anywhere, a user can become privileged overnight with the press of a button, simply because “Mary is on holiday, so someone from her team needs to be approving these expense requests”. Therefore, it makes sense not to monitor the people that you assume will be privileged, but instead to control whoever gets access to those actions that have been identified as critical, or privileged.
Bottom line: control actions, not people.
Of course, that requires the organization to be able to do two things:
- Always know who has access to what. Avoid backdoors, and have the proper processes and controls for Access Management: access requests, delegations, etc.
- Properly identify which permissions are critical or privileged, and how much.
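The following is an added example, not part of the original article, that puts the two requirements together on constructed data: a record of who holds which permission (including a temporary delegation) and a criticality map, used to review every critical action whoever performed it. All user names, action names, weights and dates are assumptions made for illustration.

```python
from datetime import date

# Constructed data for illustration; names, actions and weights are assumptions.
CRITICAL = {"approve_payment": 5, "disable_account": 5, "export_customer_data": 4}
WATCHLIST = {"mary", "sysadmin1"}  # the users assumed to be high-privileged

GRANTS = [  # (user, action, source, expires)
    ("mary", "approve_payment", "role:finance-approver", None),
    ("raj", "approve_payment", "delegation:mary", date(2024, 7, 19)),
    ("raj", "submit_expense", "role:employee", None),
    ("sysadmin1", "disable_account", "role:it-admin", None),
]

EVENTS = [  # (day, user, action)
    (date(2024, 7, 15), "mary", "approve_payment"),
    (date(2024, 7, 16), "raj", "approve_payment"),              # covered by delegation
    (date(2024, 7, 16), "raj", "submit_expense"),               # not critical
    (date(2024, 7, 17), "svc-legacy", "export_customer_data"),  # no grant on record
    (date(2024, 7, 22), "raj", "approve_payment"),              # delegation expired
]


def holders(action, day):
    """Users holding an unexpired grant for `action` on `day`."""
    return {u for u, a, _, exp in GRANTS if a == action and (exp is None or day <= exp)}


def review(events):
    """Classify every critical action, whoever performed it."""
    return [
        {"day": d, "user": u, "action": a, "weight": CRITICAL[a],
         "granted": u in holders(a, d), "on_watchlist": u in WATCHLIST}
        for d, u, a in events if a in CRITICAL
    ]


def blind_spots(events):
    """Critical actions that monitoring by user watchlist would never look at."""
    return [f for f in review(events) if not f["on_watchlist"]]


def ungranted(events):
    """Critical actions with no valid grant behind them (backdoor or stale access)."""
    return [f for f in review(events) if not f["granted"]]


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

Three of the four critical events come from accounts outside the watchlist, and two of them have no valid grant behind them, which is only visible because the review starts from the action.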
Those two points require a deeper discussion that we will cover in future articles, but we have for now laid the proper foundations for effective Access Management: we need to understand first what can be accessed, in order to then manage who can access.