As children, our television shows featured cars that could drive themselves. We were awed by the likes of Knight Rider, Speed Racer and James Bond, which demonstrated future tech that gave the illusion that the future was not so far away. Unfortunately, many organizations take a childish approach to dealing with the insider threat.
Mature organizations realize that it takes more than technology to deal with insiders. While few would deny that insiders pose an information protection threat, much of the focus in security is on architecture, identifying vulnerabilities and responding to attacks. These are all necessary, but when it comes to protecting against insider threat, there can be an over-reliance on policy and automated enforcement. Organizations, for example, define policies for least privilege, separation of duties and passwords to protect insider credentials.
Yet the NSA has Snowden, Target has their HVAC contractor and Twitter has their executive assistant. Many modern attacks rely on insiders, whether they are malicious administrators with access often beyond their needs, or external attackers appropriating credentials without the user’s knowledge.
If people are today’s weakest security link, then many organizations are being childish by staying in denial about whether they are adequately addressing the risk.
Can’t we just get rid of the people?
If you are a security professional, you probably have had dreams of eliminating the weak links. The likelihood of that happening is no better than getting robot cars in the very near future. Still, throwing technology at the problem is tempting, just like it’s tempting to believe that driverless cars are just around the corner.
Professionals are cautious of over-reliance on automation
The fantasy of driverless robot cars reached a pinnacle at the recent International Consumer Electronics Show in Las Vegas. Driven by Google’s rather cartoonish-looking entry into this technology, other vehicle manufacturers have come forward to offer their alternative visions of automation that relieves the driver of responsibility for piloting their vehicles.
Unlike Google’s approach, which goes so far as to eliminate the steering wheel, the more traditional manufacturers are stopping short of declaring fully automated, self-driving cars. Their approach is to augment safety, rather than permit drivers to occupy their time with something other than driving. And for good reason – just as we can’t fully remove the insider threat through automation, they realize that the technology and infrastructure required to completely remove the need for a human driver is nowhere close to being delivered. What happens when a situation arises that automation can’t handle? Is that the time to hand control back to a distracted passenger?
Expecting that policies coupled with incomplete automated enforcement will sufficiently mitigate the insider risk is just as foolish as enabling the diversion of driver attention with inadequate automobile automation.
Strengthening inadequate policy enforcement
Just like we shouldn’t expect cars to operate independently of drivers any time soon, we can’t expect adequate policy enforcement without the regular input of qualified people in the driver’s seat.
But we can support those qualified drivers with tools to make their job easier. Today, one of the primary tools for enforcing policies related to least privilege and separation of duties is Access Governance. It maps out who has access to what, identifies whether that access is within policy, and enforces that policy through automated deprovisioning of accounts.
But yes, people are still the problem
The key element of Access Governance is the access certification process. On a regular basis (usually every 6-12 months), business managers are required to acknowledge whether their employees have an appropriate level of access to applications or not.
This is a helpful detective control for access privileges that have outlived their necessity. The problem with this approach is that it relies heavily on those business managers taking their certifications seriously. That is like expecting the average car owner to meticulously document every maintenance service at every correct mileage interval.
So we are back to people being the weak link, because business managers have better things to do than check yes or no for each of their employees against each of their access privileges. They will rubber-stamp the certifications.
“Driverless” Access Governance?
Like the car with no steering wheel representing a dot out on the horizon, fully automated certifications are not going to replace manual certifications any time soon. But there are enhancements that can be made to augment certifications with information that will reduce the insider threat.
The future approach needs to take into account two deficiencies:
1. Business managers have limited bandwidth and attention for certifications.
2. Even perfect certifications cannot account for rogue administrators or privileges that have been stolen by outsiders.
To address these deficiencies, the future of Access Governance must provide two key capabilities:
1. Better prioritization of access certifications informed by risk. If a business manager is asked only to review in-depth a few high-risk entitlements, they are more likely to take the action seriously.
2. The 6-12 month certification mindset must be changed. Monitoring how insiders use their access, and alerting on abnormal behavior to trigger an ad-hoc certification, can result in better control.
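As an added illustration, not code from the original article or any Access Governance product, the two capabilities above in miniature: a risk score that selects the few entitlements a manager is asked to review in depth, and a per-user usage baseline whose deviations trigger an ad-hoc certification. The weights, thresholds, users and access events are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Entitlement:
    user: str
    app: str
    privileged: bool          # administrative rights on the application
    sensitive_data: bool      # application holds regulated or sensitive data
    last_used: "date | None"  # None: access granted but never exercised

def risk_score(e: Entitlement, today: date) -> int:
    """Additive risk (weights are illustrative): privilege 5, sensitive data 3, dormant >90 days 2."""
    dormant = e.last_used is None or (today - e.last_used).days > 90
    return (5 if e.privileged else 0) + (3 if e.sensitive_data else 0) + (2 if dormant else 0)

def prioritize(ents, today, top_n=3):
    """The few highest-risk entitlements a manager is asked to review in depth, riskiest first."""
    return sorted(ents, key=lambda e: risk_score(e, today), reverse=True)[:top_n]

def usage_anomalies(events, user, today, window_days=7, history_weeks=8, factor=3.0):
    """Compare a user's recent accesses to their own prior baseline. events: (user, app, date)
    tuples. A non-empty list of reasons should trigger an ad-hoc certification for that user."""
    recent_start = today - timedelta(days=window_days)
    hist_start = recent_start - timedelta(weeks=history_weeks)
    recent, history = Counter(), Counter()
    for u, app, day in events:
        if u == user and recent_start < day <= today:
            recent[app] += 1
        elif u == user and hist_start < day <= recent_start:
            history[app] += 1
    baseline = sum(history.values()) / history_weeks  # average accesses per week
    reasons = []
    if sum(recent.values()) > factor * max(baseline, 1.0):
        reasons.append(f"{sum(recent.values())} accesses vs weekly baseline {baseline:.1f}")
    reasons += [f"first use of {app}" for app in recent if app not in history]
    return reasons

TODAY = date(2024, 3, 1)  # constructed sample data below, not from any real system
ENTITLEMENTS = [
    Entitlement("alice", "payroll", privileged=False, sensitive_data=True, last_used=date(2024, 2, 20)),
    Entitlement("bob", "vendor-portal", privileged=True, sensitive_data=False, last_used=None),
    Entitlement("dave", "db-admin", privileged=True, sensitive_data=True, last_used=date(2023, 10, 1)),
]
# Eight weeks of once-a-week baseline use for alice and dave; then dave bursts and touches a new app.
EVENTS = [(u, app, TODAY - timedelta(days=7 * w + 10))
          for u, app in (("alice", "payroll"), ("dave", "db-admin")) for w in range(8)]
EVENTS += [("dave", "db-admin", TODAY - timedelta(days=d)) for d in range(7)]
EVENTS += [(u, "payroll", TODAY - timedelta(days=d)) for u, d in (("dave", 1), ("dave", 2), ("alice", 3))]
```

With this data the manager's short list is dave, bob, alice in that order, and only dave's recent behaviour (a volume spike plus a first-ever use of payroll) would trigger an ad-hoc certification.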
Perhaps one day we will be able to use our commute time for work or leisure while our cars drive themselves. For the immediate future, automation can be incrementally useful for discrete tasks such as parking. Similarly, Access Governance is a powerful tool to reduce the insider threat, but it needs to mature to the point where it is more responsive and more automated before relying on it completely. With cars, the easier thing would be to just use Uber. With enterprise security, there is no such luxury.