The Principle of Least Privilege – Using IT to take Control of People and Processes

1611

Ashley Madison, TalkTalk, Sony and Morrisons. Big brands. Big hacks. BIG losses. Along with its good name, data is one of the most valuable assets a business can own. Whether it’s secret information on a proprietary technology, sensitive confidential customer information, or access to critical infrastructure, data and its access are valuable and a compromise in the security can spell disaster.

It is therefore great news that, this week, MEPs and ministers from 28 EU countries have reached agreement on the Network and Information Security Directive. It is the first time Europe has created EU-wide rules on cyber-security and aims to establish minimum standards of cybersecurity for both providers of a consumer services -banks, amazon, ebay, – and critical infrastructure – energy and water firms. It also compels technology firms and those running critical services to report cyber-breaches. However, cyber security is far more complex than a man and his computer hacking through firewalls to get secret information.

A report by IBM Security states early on, “Phishing, malware, hacking, Distributed Denial of Service (DDoS) and the like are often the focus of security professionals’ efforts, but they aren’t the whole threat equation. Insiders also cause significant damage and financial loss.” Between 2005 and 2014, in the US alone, nearly 736 million records were reported compromised according to IBM Security. A high number, but what’s even more shocking is that, according to the 2015 IBM Cyber Security Intelligence Index, “55 percent of attackers are insiders, and of those, nearly half are inadvertent actors.”

The Privacy Rights Clearinghouse (PRC) reports there have been over 29 million records compromised by “unintended disclosure” breaches during the past ten years (2005-2014) in the United States and 32 million records intentionally by insiders with legitimate access to sensitive information.

Tackling this problem presents its own set of challenges. While an outside attack is hard to stop, with correct protocols and systems in place, they can be defended against. Like a king in his castle, walls are built to defend an outside attacker. However a spy inside the walls can still wreak havoc, or a sleeping sentry could spell disaster if they unwittingly allow the enemy to gain access through their post. The same goes for an ‘insider’ data breach; intentional or otherwise. Carelessness and malpractice can both have significant repercussions on an organisation and its directors.

There are a whole host of motives for an employee to maliciously steal data, from industrial-espionage to simple financial gain or a disgruntled ex-employee out for revenge. These individuals are harder to thwart because they have typically already have access, and are unconcerned with corporate policies or the potential consequences of their actions. Sensitive information yields high return on the black market and more victims means more money. The same goes for the targeted company – the more victims, the greater the financial loss.

There are ways to reduce the risk of this occurrence, however. Enforcing the ‘principle of least privilege’ is a good first step. Number six on the UK Government’s 10 steps to cybersecurity states, “All users of your ICT systems should only be provided with the user privileges that they need to do their job.” In cases where staff will be dealing with sensitive information, monitoring user activity is a must.

For larger organisations, enforcing the principle of least privilege without the right tools is not easy. Business today is complex and staff need access to an increasing volume of data and applications. Knowing the validity and nature of everyone’s access is almost impossible without the right technology and typically falls to line managers in the much demonised quarterly entitlement review. However conducting effective entitlement reviews in this environment is a considerable burden for line managers already tackling a regular day job.

Solutions are starting to appear from the world of machine learning and data analytics, and algorithms have proved highly effective at identifying entitlements that do not pose a threat. This can be up to 90% of all entitlements. With only 10% of access privileges left for managers to review and with added contextual information about those remaining entitlements, managers have the space and context they need to do an effective job.

The threat of a cyber attack is omnipresent and vigilance is key to reducing the risk of a successful breach. The worst hacks come from failure or deliberate sabotage on the inside of a company’s defences so it pays to be inward- as well as outward-looking when continually assessing potential points of vulnerability to the security of your data.

About Mark Rodbert
Mark RodbertMark Rodbert is CEO of idax. He is passionate about analytics and the way it applies to business technology. Mark developed idax software to change the way that business leaders understand, quantify and mitigate identity risk.

With 20 years of experience holding senior positions as an operational risk professional, Mark understands the challenges facing large organisations. A leading authority on the subject of governance, compliance and identity management, he is also an Honorary Visiting Professor in the department of computer science at the University of York.

In this article