Excess privilege makes companies and data insecure

Excess privilege makes companies and data insecure

Summary: A survey confirms that most companies do a poor job of managing the permissions and privileges of users on their computers and the network.

SHARE:
TOPICS: Security
4

One of the most important principles of good computer security is the principle of least privilege: A user should have no more access to data and systems than is necessary for their task. Too often, security problems result from users having excessive privileges and excessive access to data. For a good example of just how bad things can go for the organization from giving users more access than they need, look no further than the story of Edward Snowden, NSA contractor.

If even the NSA, where "Security" is their middle name, doesn't take it seriously enough, how much effort is the average private company putting into privilege management? Not much. A new survey from BeyondTrust, which makes software to assist companies in limiting user privilege, demonstrates that bad privilege habits run rampant.  I spoke with BeyondTrust CTO Marc Maiffret, an old pro in the security field.

Some of the highlights of the survey:

  • 44 percent of employees have access rights that are not necessary to their current role

     

  • 80 percent of respondents believe that it’s at least somewhat likely that employees access sensitive or confidential data out of curiosity

      

  • Over three-quarters of respondents say the risk to their organization caused by the insecurity of privileged users will increase over the next few years

      

  • Customer information is considered most likely at risk if there’s a lack of proper access controls over privileged users

Windows and other operating systems have improved over the years at making good privilege management easier to implement, but in a large organization it can still be difficult. For instance, Maiffret says businesses are much better at setting users to run as a Standard User in Windows 7 than they were with Windows XP. This is because you couldn't get a lot done running as Standard User on Windows XP.

But there are still many applications, especially older custom applications, which require permissions greater than the default Standard User permissions.  In those cases, you can hand-tweak permissions or you can use a tool like BeyondTrust's PowerBroker to manage it on with a broader approach. It integrates with Active Directory, puts all administration in a single console and delivers recurring reports so you can see if permissions have gotten out of date.

Operating systems are continuing to get better  at this. Modern UI apps in Windows 8 run, by default, in a sandbox and with lower privilege. You have to deliberately elevate permissions.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Endemic problem

    Proper security takes thought and work to maintain and sysadmins generally don't like to be yelled at by managers because someone can't do his job, or people are inconvenienced (I don't think there are a lot of sysadmins who like to be Mordac). And if managers try to cut costs by overworking their techies, security tends to be one of the things that gets compromised (since productivity is normally a higher priority than is security).
    John L. Ries
    • With that in mind

      I think it likely that the "best" time to hack a corporate or government network is a month or two after a major layoff. I would also expect networks to be especially vulnerable if there's a long term hiring freeze.
      John L. Ries
  • what about BYOD?

    Seems to me a greater threat to corporate/company data is the rush to BYOD. If you're using your personal device for work, and that device is also loaded with personal/family/children apps, you're asking for trouble. It seems that there is little concern for app 'permissions' .. people want the app so they don't care what *it* wants in the way of access to your device. And it seems that those permissions are becoming more and more intrusive.

    Just a thought.
    eaglewolf
  • A tug of war

    In any organization that requires the storage and use of sensitive data for operational functions, there will always be a tug of war between access and security. In some cases, there may be difficulties in being unable to tell what information would be required to perform specific job functions, or being afraid of not giving employees enough information to do their jobs. While some operating systems such as Windows or Linux now provide simpler privilege management for access controls, they are not an ideal overall solution for large, complicated organization structures. The “all-or-nothing” security of access controls can create numerous problems in day to day operations, including roadblocks to benign data that happens to be stored next to highly sensitive data. In many cases, this approach leads to granting unnecessary privileges beyond what the user actually needs to do their job.

    But obviously, there needs to be some sort of security. The old adage, “it’s better to have it and not need it, then need it and not have it” applies well, in the sense that you are better off securing your data beyond requirements and adjusting if needed, than applying too little and being compromised before you can do anything about it. The damage is limited when one person needs to request privileges to get at data, but could be massive if someone is abusing data without limitation.

    One solution to this problem is utilizing fine-grained data security, such as encryption, masking, or tokenization. Applying security to the data fields themselves allows for a wider range of authority options and levels than typical access controls. Users without privileges to access sensitive data can still access non-sensitive data to perform job functions, even in files or tables that contain a mixture of both. More flexible options, such as some forms of masking or tokenization, can also provide different levels of security that either generalize the data or expose certain parts of sensitive data without revealing it completely.

    However, these fine-grained data security options also require proper privilege management. Step one in this process is usually assigning a security-specific role or team in the organization, if they don’t already have one. Isolating security policy administration to a security team can provide a separation of duties between users or system administrators from security privilege assignments. The security team must develop a comprehensive data security policy, preferably one that can be centrally managed and administrated across the enterprise, in line with the needs and expectations of the operations of the business, and the roles contained therein. Often the simpler way of assigning policy privileges, or authority to access sensitive data, is by specifying the few people who have access, rather than those who don’t. Finding a data security vendor that can provide easy policy management with push-button configuration can go a long way to assisting you in implementing this process.

    While access controls remain an integral function in data security and privilege management, organizations now need to get down to the data level in order to avoid either inhibiting business processes or opening the door to a data breach.

    Ulf Mattsson, CTO Protegrity
    ulf.mattsson