The data breach at UK accounting software company Sage has brought the insider threat facing businesses into focus and, according to security experts Hypersocket Software, highlights the need for more stringent access control.
The Sage breach, which may have compromised the personal information of employees at 280 businesses, is thought to have resulted from unauthorised access from an internal computer log-in.
In contrast to the popular image of evil hackers trying to steal data using brute force and denial of service attacks, this latest incident emphasises that the danger for organisations can just as easily come from inside. In addition to the threat of malicious activity from otherwise legitimate insiders, or of employee errors, there is also a risk that user credentials can be compromised and the identity authentication process exploited to let malicious outsiders into the system.
But according to Lee Painter, CEO of Hypersocket Software, many businesses are not properly addressing the risk from within their own organisation and do not fully follow the principle of least privilege access.
Lee explains: “Many organisations already use identity management as a key weapon in their security arsenal. This allows a network or system to authenticate the identity of a user through credentials ranging from a simple user name and password to digital certificates, physical tokens, biometric factors or a combination of these. But is authenticating identity really the first step organisations should be taking? The fact that someone has established his or her identity as an employee should not result in unfettered access. So access control, and more specifically least privilege access, should be the very first consideration in any organisation’s approach to Identity and Access Management.”
Least privilege access means that every user is granted access only to the resources necessary to accomplish the job at hand. A low-level clerk does not need administrative privileges on IT systems; a worker in sales does not need access to sensitive financial information.
While the concept is simple, Lee believes least privilege can be difficult for organisations to implement properly, and that two common errors are often made.
Firstly, users are frequently assigned access privileges based on their role in an organisation, despite the fact that individuals seldom fit neatly into single roles.
Says Lee: “Employees may need special one-time access, and each person fulfilling the same role might need slightly different types of access. Effectively managing least privilege access here requires not only authentication and secure connections, but granular controls for each user and the ability to monitor their activities.”
The solution here is a system in which every action requires a permission, with the business domain modelled as the specific resources the system manages. Users are then placed in roles, each of which is associated with a set of permissions on the resources assigned to that role. Every action should generate an event, which allows the applications using the system to produce detailed reporting and analysis of what was done, by whom, and to what.
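As an added illustration of the model just described (this is example code, not Hypersocket's product or the article's own material; all role, user and resource names are constructed), the following deny-by-default authoriser maps roles to permissions on specific resources, supports the time-limited one-off grants Lee mentions for individuals who do not fit a single role, records every decision as an event, and can answer "who has access to what" for a given resource:

```python
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (action, resource), e.g. ("read", "payroll")


@dataclass
class User:
    name: str
    roles: set[str]
    # One-off grants for the "special one-time access" case: permission -> expiry time
    temporary: dict[Permission, float] = field(default_factory=dict)


class AccessControl:
    """Deny-by-default authoriser: an action is allowed only if an explicit
    permission covers it, and every decision (allow or deny) is recorded."""

    def __init__(self, roles: dict[str, set[Permission]]):
        self.roles = roles            # role name -> permissions on specific resources
        self.events: list[dict] = []  # audit trail feeding reporting and analysis

    def effective_permissions(self, user: User, now: float) -> dict[Permission, str]:
        """Everything the user may currently do, with the source of each grant."""
        perms = {p: "role:" + r for r in user.roles for p in self.roles.get(r, ())}
        perms.update({p: "temporary" for p, expiry in user.temporary.items() if expiry > now})
        return perms

    def authorize(self, user: User, action: str, resource: str, now: float) -> bool:
        source = self.effective_permissions(user, now).get((action, resource))
        self.events.append({"time": now, "user": user.name, "action": action,
                            "resource": resource, "allowed": source is not None,
                            "source": source})
        return source is not None

    def who_has_access(self, users: list[User], resource: str, now: float) -> dict[str, list[str]]:
        """Answer 'who has access to what' for one resource: user -> allowed actions."""
        report = {}
        for u in users:
            actions = sorted(a for (a, r) in self.effective_permissions(u, now) if r == resource)
            if actions:
                report[u.name] = actions
        return report


# Constructed sample data (hypothetical): two roles, two users, one expiring grant.
ROLES = {
    "sales": {("read", "crm"), ("write", "crm")},
    "finance": {("read", "payroll"), ("write", "payroll")},
}


def build_demo():
    ac = AccessControl(ROLES)
    alice = User("alice", {"sales"}, temporary={("read", "payroll"): 200.0})
    bob = User("bob", {"finance"})
    return ac, alice, bob
```

Because the audit events carry the grant source, a reviewer can distinguish access exercised through a role from access exercised through a temporary exception, which is exactly what a per-user risk review needs.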
Secondly, many organisations fail to extend the concept of least privilege access right across the organisation, even to those classified as privileged users, such as systems administrators. Here organisations should be looking to enterprise IAM solutions that provide real-time, continuous risk analysis of users: detailing who has access to what, who has access to privileged resources and what activity they perform, and summarising each user's behaviour and access rights as a per-user risk score.
Lee concludes: “The insider threat to business is real and shouldn’t be underestimated. Businesses should be constantly monitoring and if necessary limiting who has access to what. Putting least privilege access at the heart of a robust identity management and access control strategy is an organisation’s best defence against an internal hack.”