Apr 27 2014

Privileged Users – Not Malicious But Still a Threat

One of the challenges security architects face is finding the right balance between security and end-user convenience. Password policy is the classic example: too stringent a policy drives users to write their passwords on sticky notes (defeating the security objective), while too weak a policy leaves passwords exposed to cracking tools.

We have been talking to a lot of customers about policy enforcement for privileged users. This is especially challenging because many system administrators are experts at using technology to circumvent security policy. These are not malicious insiders; they just want to take some shortcuts so they can do their jobs more easily. Here are some of the concerns we hear from customers:

  1. Tunneling. Admins use Secure Shell port forwarding (local, remote and dynamic forwarding, the -L, -R and -D options of ssh) to set up their own personal VPNs, giving themselves easy access into and out of the network without going through the established company-wide firewall/VPN policies. Because the traffic is encrypted, the firewall sees only an SSH session, not what is carried inside it, and a reverse tunnel from a server to an outside host opens an inbound path no perimeter rule ever approved. That is all well and good until someone's system is infected with malware or the admin's manager has made a serious hiring error.
  2. Ad hoc Secure Shell key authorizations. Sometimes (often for test or debugging purposes) it is just easier and quicker to drop a public key into a target account's authorized_keys file than to go through formal channels. The problem is: does that key ever get removed? A key added with no options is usable from any source address, can forward ports, and outlives the task it was created for.

Most admins see nothing wrong with this “rule bending” because in many cases they think the rules are really aimed at the average user and not at themselves. They may also be unaware of the potential consequences, or think that the chances of a bad outcome are remote.

So how to address this problem? First of all, security works best when it is transparent to the user. Second, make sure the policy does not interfere with users getting their jobs done. We take the following approach:

  1. Use transparent, inline session monitoring plus enforcement of a few basic rules, such as no unauthorized Secure Shell tunneling. If users need tunneling, give them a VPN, but monitor and control where they go and what they do inside the tunnel. On the server side, sshd_config can back this up: AllowTcpForwarding no and PermitTunnel no as the default, with a Match block granting forwarding only to the accounts that are authorized to use it.
  2. Continuous system monitoring. Regularly scan servers' authorized_keys files (and every path named by AuthorizedKeysFile in sshd_config) to verify that no backdoor authorizations have been added, comparing what you find against an inventory of approved keys and checking that each key carries the restrictions policy requires.
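The two concerns above (ad hoc keys and tunneling) and the monitoring step that answers them can be checked mechanically. The script below is an added example written for this page, not code from SSH Communications Security or its products: it parses authorized_keys entries, computes the SHA256 fingerprint in the form ssh-keygen -l -E sha256 prints, compares each key against an approved inventory, and flags keys that lack a from= source restriction or can still forward ports. The inventory, the sample entries (syntactically valid ssh-ed25519 blobs whose 32 key bytes are made up) and the three policy rules are assumptions chosen for illustration.

```python
"""Audit authorized_keys contents against a key inventory and a restriction policy.
Added example: the inventory, sample keys and policy rules are assumptions."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _fields(line):
    """Split a key line on whitespace, keeping quoted option values intact."""
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
                cur = ""
            continue
        cur += ch
    if cur:
        fields.append(cur)
    return fields


def _split_options(opts):
    """Split the comma-separated options field, dropping the quotes around values."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    out.append(cur)
    return out


def fingerprint(b64):
    """SHA256 fingerprint of a base64 key blob, as ssh-keygen -l -E sha256 prints it."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line: line number, options, key type, fingerprint, comment."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _fields(line)
        if fields[0] in KEY_TYPES:
            options, rest = [], fields
        else:
            options, rest = _split_options(fields[0]), fields[1:]
        if len(rest) < 2 or rest[0] not in KEY_TYPES:
            continue  # malformed line; a production scanner should report it instead
        keys.append({"line": lineno, "options": options, "type": rest[0],
                     "fingerprint": fingerprint(rest[1]), "comment": " ".join(rest[2:])})
    return keys


def audit(text, approved_fingerprints):
    """Flag keys unknown to the inventory, usable from anywhere, or able to forward ports."""
    findings = []
    for key in parse_authorized_keys(text):
        opts, problems = key["options"], []
        if key["fingerprint"] not in approved_fingerprints:
            problems.append("not in key inventory")
        # from="..." pins the key to source addresses; from="*" restricts nothing
        if not any(o.startswith("from=") and o[5:] not in ("", "*") for o in opts):
            problems.append("no source restriction")
        # restrict (OpenSSH 7.2 and later) implies no-port-forwarding
        if "restrict" not in opts and "no-port-forwarding" not in opts:
            problems.append("port forwarding allowed")
        if problems:
            findings.append((key["line"], key["comment"], key["fingerprint"], problems))
    return findings


# Constructed sample data (not real keys): valid ssh-ed25519 blob layout, made-up key bytes.
def _sample_blob(name):
    pub = hashlib.sha256(name.encode()).digest()
    return b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", pub))


def _sample_line(options, name):
    b64 = base64.b64encode(_sample_blob(name)).decode()
    return f"{options} ssh-ed25519 {b64} {name}".lstrip()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys for the example",
    _sample_line('from="10.1.0.0/16",no-port-forwarding,no-agent-forwarding', "alice@bastion"),
    _sample_line("", "bob-debug-2013"),  # ad hoc debugging key that was never removed
    _sample_line("restrict", "deploy@ci"),
    _sample_line('from="*",no-pty', "contractor@laptop"),
])
APPROVED_FINGERPRINTS = {fingerprint(base64.b64encode(_sample_blob(n)).decode())
                         for n in ("alice@bastion", "deploy@ci")}

if __name__ == "__main__":
    for line, comment, fp, problems in audit(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {line} ({comment}) {fp}: {', '.join(problems)}")
```

Run against the sample, the audit passes alice (inventoried, pinned to a subnet, no forwarding) and flags the other three: the forgotten debugging key on every rule, the CI key only for lacking a from= restriction, and the contractor key whose from="*" restricts nothing. In practice the script is run against every account's authorized_keys on every server, and the inventory is the set of fingerprints issued through the formal process, so anything it reports is exactly the ad hoc trust the list above describes.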

Make sure your policies allow privileged users the flexibility they need to do their jobs. But at the same time, make sure you have full visibility and protect users from themselves by shutting down technical workarounds to security policy. Using transparent enforcement and continuous monitoring, security architects can gain the assurance they need without getting in the way of legitimate work.

by Jonathan Lewis, Director of Product Marketing
Jonathan Lewis serves as director of product marketing at SSH Communications Security where he is focused on raising industry awareness of risk and compliance issues of unmanaged Secure Shell identities. Jonathan has over 15 years of experience in the IT security industry, having held product management and product marketing positions at Nortel, Arbor Networks, Compaq and Digital Equipment Corporation. He has led the launch of numerous security products including IPsec and SSL VPNs, end point security products and firewalls. Jonathan holds a BS and MS from McGill University as well as an MBA from Bentley University.