Don’t worry about your high-privileged users (AKA: Controlling actions, not people)

-

Image by FLY:D <https://unsplash.com/@flyd2069> via <https://unsplash.com/photos/OQptsc4P3NM>

In every organization, users will need access to different resources in order to be able to do their jobs. These might be data, applications, system-administration rights, approval capabilities for different processes, etc.

Most users will (or at least should) end up with a set of permissions which present a low risk to the company. In other words, if those users decided to harm the organization, or if their accounts were compromised or stolen by external attackers, the level of damage they could infringe is fairly under control.

However, it is inevitable that some other users will end up holding certain permissions that do pose a much larger risk. System administrators could disable all corporate accounts, preventing all employees from carrying out their functions. Data owners could disclose confidential information to the general public, causing a huge damage from a reputational, financial and legal perspective. The Chief Financial Officer could approve inappropriate payments resulting in big losses for the company and potentially even fraud.

These kinds of high-privileged users emerge in every organization. So, it stands to reason that they need to be monitored and properly controlled. It is important to understand the proper way to do this, though. I have often seen the following approach:

“You first need to identify who your high-privileged users are, so you can better control any concerning behavior”

But, do you? Consider the following video from a 1999 research by Daniel Simons and Christopher Chabris.

In the video (and a large number of similar ones that you can find online), the concept of “Selective Attention” is exposed. Reportedly, about 50% of the viewers failed the test. The way I would put it is: If you already know what you are looking for, you will miss what you are not.

Or, in other words: If you already know (or assume you know) who your high-privileged users are, you are not on the lookout about anyone else carrying out equally privileged actions. You won't even know until it's too late.

The reason for this is actually simple. These actions, and not the users, are the real concern.

Nowadays, with organizations being so dynamic, changing and hierarchically-flat, and with technology allowing anyone to perform any action from anywhere, a user can become privileged overnight with the press of a button, simply because “Mary is on holiday, so someone from her team needs to be approving these expense requests”. Therefore, it does not make sense to monitor the people that you assume will be privileged, but instead control whoever gets access to those actions that have been identified as critical, or privileged.

Bottom-line: control actions, not people.

Of course, that requires the organization to be able to do two things:

  1. Always know who has access to what. Avoid backdoors, and have the proper processes and controls for Access Management: access requests, delegations, etc.
  2. Properly identify which permissions are critical or privileged, and how much.

Those two points require a deeper discussion that we will cover in future articles, but we have for now laid the proper foundations for effective Access Management: we need to understand first what can be accessed, in order to then manage who can access.

Comments

Post a Comment

Popular posts from this blog

Understanding IAM Governance (AKA: How we monitor, control and decide)

-
Image
I remember when I first heard about Corporate Governance as a young engineer fresh out of college. I simply could not make sense of the concept and what it meant. It seemed to me like empty words which ultimately meant "ensure we do the right thing". Pffff. Useless! Of course we will do the right thing! Every employee and every organization makes plans to do the right thing! Anything else would be ridiculous, right? Right now, many of my readers are shaking their heads in pity for the naivety of my younger self. Because we now know that "doing the right thing" does not happen magically, and it certainly does not persist magically. It needs to be carefully defined, planned, communicated, enforced, controlled, monitored, and reviewed. However, I'd ask for a little bit of compassion for this younger (and dumber) version of me because, in my current experience, I have seen that so many people fail to grasp the meaning of Corporate Governance and, in our current conc
Read more

Of Entities, Identities and User Accounts (AKA: I need to know who IAM)

-
Image
I often see that the concepts of Entity , Identity and Form of Identity are assumed as understood by all parties, and yet rarely with the same definition for all. These are not specific to the realm of IAM, with the first two being universal and the latter being simply derived from their physical-world counterparts. The problem is, as we will see, that not having a clear understanding of what they mean and their importance, will lead us to make design mistakes which will have an impact in our security and governance. Let's go step by step and try to understand each of these terms, in the physical world, to map them later to the digital one. Entity An Entity is defined as "something that exists independently, not as part of a whole". This is the foremost node in the identity chain. John Smith  is an entity (a car is also an entity, as is a service or an application , in the digital world, but let's stay with John as a simpler example, for now). John can't be mor
Read more

How to establish a trust anchor (AKA: Digital onboarding of remote employees)

-
Image
The following scenario should sound familiar for most of the readers who had to work from home during the recent pandemic. Your day starts and you sit down in front of your workstation. You turn it on and you are prompted for your credentials. Some form of more-or-less sophisticated multi-factor authentication (MFA) helps ensure that you indeed are who you're claiming to be. That way, your organization makes sure that only the right people can access its resources. Putting aside the many challenges that this scenario presents under the hood, the truth is that we know quite well how to solve them. We know what methods, technologies and practices can be employed, and which can't or shouldn't. However, the recent pandemic has uncovered a fundamental weakness, common to most organizations. Before 2020, the typical process would go as follows. I want to work from home, so I'll need to have access to the company network or systems from my home office. But wait! In order to do
Read more