Privileged Users – Not Malicious But Still a Threat
One of the challenges security architects face is finding the right balance between security and end user convenience. This conflict is typified by the example of password policies. An overly stringent policy drives users to write down their passwords on sticky notes (thus defeating the security objective), and an overly weak policy leaves passwords exposed to cracking tools.
We have been talking to a lot of customers about policy enforcement in the world of privileged users. This can be especially challenging because many system admins are experts in using technology to circumvent security policies. These are not malicious insiders – they just want to take some shortcuts so they can do their jobs more easily. Here are some of the concerns we hear from customers:
- Tunneling. Admins use Secure Shell to set up their own personal VPNs, giving themselves easy access into and out of the network without having to go through established company-wide firewall/VPN policies. That is all well and good until someone’s system gets infected with malware or the admin’s manager has made a serious hiring error.
- Ad hoc Secure Shell key authorizations. Sometimes (often for test or debugging purposes) it is just easier and quicker to set up a key-based trust relationship to a target account instead of going through formal channels. Problem is: does that key ever get removed?
Most admins see nothing wrong with this “rule bending” because in many cases they think the rules are really aimed at the average user and not themselves. They also may be unaware of the potential consequences or think that the chances of a bad outcome are remote.
So how to address this problem? First of all, security works best when it is transparent to the user. Second, make sure the policy does not interfere with users getting their jobs done. We take the following approach:
- Use transparent, inline session monitoring plus enforcement of some basic rules – such as no unauthorized Secure Shell tunneling. If users need tunneling, give them a VPN, but monitor and control where they go and what they do inside the tunnel.
- Continuous system monitoring. Regularly scan servers to verify that no backdoor authorizations have been added.
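As an added example (not code from the original post or its authors), the Python script below sketches the two server-side checks the list above calls for: it audits the tunneling-related directives in an sshd_config excerpt against a no-tunneling policy, and it compares every key in an authorized_keys file against an inventory of approved key fingerprints so that ad hoc debugging keys stand out. The policy values, the sample sshd_config and authorized_keys contents, and the key material are constructed for the example; the OpenSSH defaults used when a directive is absent follow sshd_config(5), and the fingerprint format matches what ssh-keygen -lf prints.

```python
"""Audit two common privileged-user workarounds on a server: SSH tunneling left
enabled in sshd_config, and authorized_keys entries missing from the approved
key inventory. All sample data in this file is constructed for the example."""
import base64
import hashlib
import re
from dataclasses import dataclass

# Tunneling-related directives: (value the policy requires, OpenSSH default when
# the directive is absent, per sshd_config(5)). Policy values are assumptions.
TUNNELING_POLICY = {
    "AllowTcpForwarding": ("no", "yes"),
    "PermitTunnel": ("no", "no"),
    "GatewayPorts": ("no", "no"),
    "X11Forwarding": ("no", "no"),
}


def parse_sshd_config(text):
    """Return {lowercase directive: value} for the global section.
    sshd honours the first occurrence of a directive, so later duplicates are
    ignored, and everything after the first Match block is conditional and skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def tunneling_findings(config_text):
    """List directives whose effective value (explicit or default) violates policy."""
    settings = parse_sshd_config(config_text)
    findings = []
    for directive, (required, default) in TUNNELING_POLICY.items():
        explicit = settings.get(directive.lower())
        effective = explicit if explicit is not None else default
        if effective.lower() != required:
            source = "set" if explicit is not None else "OpenSSH default"
            findings.append(f"{directive} is '{effective}' ({source}); policy requires '{required}'")
    return findings


# key type, base64 blob, optional comment; anything before the key type is the options field
KEY_RE = re.compile(r"(?:^|\s)((?:ssh-|ecdsa-|sk-)\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


@dataclass
class AuthorizedKey:
    line_no: int
    key_type: str
    fingerprint: str
    comment: str
    options: str


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (as ssh-keygen -lf shows it)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    keys = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line; sshd ignores it as well
        key_type, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        options = line[:m.start(1)].strip()
        keys.append(AuthorizedKey(line_no, key_type, fingerprint(blob), comment, options))
    return keys


def unapproved_keys(text, approved_fingerprints):
    """Keys present on the server that the inventory does not authorize."""
    return [k for k in parse_authorized_keys(text) if k.fingerprint not in approved_fingerprints]


# --- constructed sample data -------------------------------------------------
def _fake_ed25519_blob(seed):
    """Well-formed ssh-ed25519 wire blob with constructed, non-random key bytes."""
    wire = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(wire).decode()


BLOB_ALICE, BLOB_OPS, BLOB_DEBUG = (_fake_ed25519_blob(s) for s in (1, 2, 3))

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
AllowTcpForwarding yes
X11Forwarding no
# PermitTunnel and GatewayPorts are not set, so OpenSSH defaults apply
"""

SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed ~svc/.ssh/authorized_keys
ssh-ed25519 {BLOB_ALICE} alice@workstation
from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {BLOB_OPS} ops-jump
ssh-ed25519 {BLOB_DEBUG} debug-tmp
"""

# The inventory holds fingerprints rather than raw keys, so it can live in a CMDB.
APPROVED_FINGERPRINTS = {fingerprint(BLOB_ALICE), fingerprint(BLOB_OPS)}

if __name__ == "__main__":
    for finding in tunneling_findings(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for k in unapproved_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"authorized_keys line {k.line_no}: {k.key_type} {k.fingerprint} "
              f"'{k.comment}' is not in the approved inventory")
```

Run against the constructed samples, the script reports that AllowTcpForwarding is explicitly enabled and that the third key ("debug-tmp") has no inventory entry, while the ops key restricted with `from=` and `no-port-forwarding` passes because it is on the approved list. Comparing fingerprints rather than comments matters: a comment is free text that anyone with write access to the file can set to look legitimate.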
Make sure your policies allow privileged users the flexibility they need to do their jobs. But at the same time, make sure you have full visibility and protect users from themselves by shutting down technical workarounds to security policy. Using transparent enforcement and continuous monitoring, security architects can gain the assurance they need without getting in the way of legitimate work.