IT Compliance Institute, August 15, 2006:
Best Practices
A Sense of Entitlement: Security, Privilege, and the Need to Know
By Mathew Schwartz
Up to 60 percent of fraud is perpetrated by employees of the victim company, often because the wrong people have access to tempting data. Here are four tips for limiting access to sensitive data and thereby limiting the potential for misuse.
What do Bank of America, Commerce Bancorp, Fastrack (a California electronic toll bridge transponder system), General Motors, the Georgia Department of Motor Vehicles, PNC Financial Services Group, the Universities of Hawaii and Chicago, and Wachovia have in common? In the past two years, all suffered attacks perpetrated by insiders, leading to a total of almost 1.3 million potentially compromised personal identities.
Such attacks underscore how hackers aren’t the only ones aiming to steal private information. “Outsider risks are real, but there’s still the issue of needing to have controls that have accountability for your privileged users—your insiders,” says Murray Maazer, co-founder and vice president of corporate development for data auditing software vendor Lumigent Technologies Inc., based in Acton, Massachusetts. In fact, “most fraud occurs on the inside, from the users who have privileged access and misuse it.”
To guard against attacks by insiders, as well as to comply with regulations requiring companies to safeguard private data and disclose whether that information may have been inappropriately accessed or exposed, companies are increasingly turning to controls which restrict access to sensitive information based on a user’s log-in credentials. “To sum it up in a nutshell, companies are being asked to institute the principle of least privilege, which means only give people who should have access to the data, access to the data or systems,” says Kris Lovejoy, chief technology officer of Consul Risk Management, a security audit and compliance provider.
Yet determining who should have access to sensitive information can be difficult, especially in large companies with many users, numerous identity management roles, and many databases full of sensitive information. How can companies determine entitlement? Here are four tips:
1. Avoid Theoretical Access Controls
Many companies have difficulty determining entitlement, yet their problems may stem less from the scope of the project than their approach. “The reason why customers are saying to us this is hard is because they’re seeking a theoretical, top-down approach to the problem,” says Lovejoy. Yet “what they believe should be, what they want to be, is not consistent with the way things really are.”
For example, in many identity management rollouts companies ask data owners—business owners of databases, applications, or enterprise applications such as ERP software—to supply entitlement lists, then restrict access accordingly, perhaps by roles or individual usernames.
Data owners, however, typically don’t have definitive knowledge of which individual users or identity management roles need access to their sensitive information, and that makes a top-down approach dangerous. “What typically happens in these identity management rollouts is you implement the controls, then the next day you have people screaming because they can’t do their jobs,” says Lovejoy. Thus while taking a theoretical approach might sound good, it often leads to push-back from employees, and results in canceled access-control projects.
Simply put, access controls “need to work not only on a need-to-know basis, but also on a need-to-do-your-job basis,” notes Ellen Libenson, vice president of product marketing management for Symark Software International, an access control and identity management software vendor.
2. Study Current Data Flows
The problem of controlling access to data is like shaping how automotive traffic flows, says Lovejoy. “You don’t want to put up a tollbooth if you don’t know what the effect will be.” So before restricting access to data, start by “looking at data flows, understanding who’s touching the data in the system, how they’re touching data in the databases, and then implement controls based on reality. In other words, not taking a blue-sky approach, which on paper sounds really good, but in reality doesn’t work so effectively.”
This bottom-up approach will require patience, extensive data-gathering, and subsequent analysis, possibly through the use of automated data-auditing tools. Yet a little real-world information often makes the next steps obvious. “Log the network for a month, see what’s going on, who’s really accessing stuff, and how often, and it will surface things like, the correct permissions are not in place,” says Libenson. “Maybe there’s no segregation of duties—you see the same person doing tasks that should really be different, such as writing and approving invoices above a certain dollar amount. Or maybe programmers shouldn’t have access to production servers.”
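The bottom-up review described above can be reduced to a small amount of log analysis. The following script is an added example, not code from the article or from any vendor it quotes. It takes a constructed access log (the CSV embedded in the script), builds a who-touches-what matrix, and then runs the two checks Libenson names: the same person both writing and approving invoices at or above a dollar threshold, and users in a developer role reaching production hosts. The log format, the field names, the threshold of 1,000 and the "prod-" host naming convention are all assumptions made for the example.

```python
"""Bottom-up entitlement review over an access log (added example, not from the article)."""
from collections import defaultdict
import csv
import io

# Constructed sample log. Columns: user, role, host, resource, action, amount.
# Real systems would export this from a database audit trail or file-access log.
SAMPLE_LOG = """\
user,role,host,resource,action,amount
alice,accounts_payable,erp01,invoices,create_invoice,1500
alice,accounts_payable,erp01,invoices,approve_invoice,1500
bob,accounts_payable,erp01,invoices,create_invoice,800
carol,controller,erp01,invoices,approve_invoice,800
dave,developer,prod-db01,customer_pii,read,
dave,developer,dev-db01,customer_pii,read,
erin,dba,prod-db01,customer_pii,read,
alice,accounts_payable,erp01,invoices,create_invoice,300
alice,accounts_payable,erp01,invoices,approve_invoice,300
"""

SOD_THRESHOLD = 1000.0            # assumed dollar amount above which SoD applies
PRODUCTION_HOST_PREFIX = "prod-"  # assumed naming convention for production hosts
NON_PRODUCTION_ROLES = {"developer"}  # roles that should never touch production


def parse_log(text):
    """Parse the CSV log into dicts; an empty amount becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"]) if row["amount"] else None
        rows.append(row)
    return rows


def access_matrix(rows):
    """Who is touching what: user -> {resource: number of accesses}."""
    matrix = defaultdict(lambda: defaultdict(int))
    for r in rows:
        matrix[r["user"]][r["resource"]] += 1
    return {user: dict(resources) for user, resources in matrix.items()}


def sod_violations(rows, threshold=SOD_THRESHOLD):
    """Users who both created and approved invoices at or above the threshold."""
    created, approved = set(), set()
    for r in rows:
        if r["resource"] != "invoices" or r["amount"] is None:
            continue
        if r["amount"] < threshold:
            continue  # below the threshold the combined duty is tolerated
        if r["action"] == "create_invoice":
            created.add(r["user"])
        elif r["action"] == "approve_invoice":
            approved.add(r["user"])
    return sorted(created & approved)


def production_access_by_role(rows, roles=NON_PRODUCTION_ROLES,
                              prefix=PRODUCTION_HOST_PREFIX):
    """Users in restricted roles that nevertheless reached a production host."""
    hits = defaultdict(set)
    for r in rows:
        if r["role"] in roles and r["host"].startswith(prefix):
            hits[r["user"]].add(r["host"])
    return {user: sorted(hosts) for user, hosts in hits.items()}


def review(text=SAMPLE_LOG):
    """Run the full review and return the findings a data owner would be shown."""
    rows = parse_log(text)
    return {
        "matrix": access_matrix(rows),
        "sod_violations": sod_violations(rows),
        "production_access": production_access_by_role(rows),
    }


if __name__ == "__main__":
    findings = review()
    for user, resources in sorted(findings["matrix"].items()):
        print(f"{user}: {resources}")
    print("SoD violations:", findings["sod_violations"])
    print("Restricted roles on production:", findings["production_access"])
```

The output of `review()` is the list a security group would hand to each business owner: the matrix says who is actually using the data, and the two findings lists are the concrete questions (should alice approve her own large invoices? should dave read customer data on prod-db01?) that only the data owner can answer.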
Jeff Westphal, IS network specialist for The Village at Manor Park, which provides living, healthcare, and hospice facilities for seniors, used just such an approach to begin addressing users’ access permissions. The Village must comply with HIPAA, and less than a year ago, its CIO and new HIPAA compliance officer were anxious to know employees’ access capabilities.
Using a tool from ScriptLogic, Westphal—then a recent hire—studied how employees could and did access the Village’s 30 servers, and their directories. “We wanted to see who had access to what, because our whole schema of permissions and things was beyond fixing,” he says, due to past IT practices. “Instead of doing it the right way, adding a person to a group, they’d just throw them administrative rights.” Thankfully, only a handful of people had improper access capabilities, yet sorting that out took substantial time. Westphal still runs a monthly access-analysis report to tackle any outstanding problems. “We’re not compliant yet, but we’re close.”
3. Remember, Entitlement Takes a Village
Broadly speaking, access control projects have three owners: a systems administrator, who owns the IT aspects of the project; a security administrator, who manages controls and audit trails; and a person on the business side who actually owns the data.
If a company wants to translate information about how people currently use sensitive data into access-control policies, talk to the people who own the data. “IT shouldn’t have to know where sensitive information is,” says Libenson. “The business stakeholders have to share this information with them, and guide them through it as well.”
First, however, the security group needs to present each business owner with a list of users currently accessing the business owner’s sensitive data. “You give them the opportunity to normalize that, and also to query the manager of that particular individual [seeking data access] to figure out if that access is necessary, or to yank the access off the bat,” says Lovejoy. “The ‘should that person be touching the data’ question can only be answered by the person or persons who own that data or system.”
Business owners must take their data-access decisions seriously, since there may be legal repercussions. “In fact there’s some concern, from a legalistic perspective, about whether or not that data owner has some legal liability, personally,” she says. So far, however, the extent of any liability is untested. “Today, other than in Sarbanes-Oxley, that really hasn’t been approached as an issue.”
4. Watch Technology and Technologists
When studying how users access data, don’t exempt system administrators or security personnel from scrutiny, since they’re also insiders with high levels of access. “IT staff have the skill set, technical knowledge, and the ability to access data and sabotage it,” notes Libenson.
Also don’t forget that technically speaking, users are not the only ones accessing sensitive data. “Access control also refers to the ability to permit or deny an object, system, or file, by a program or process,” she says. Access controls must be used for all these things, to prevent sensitive information from ending up in insecure or inappropriate systems. Furthermore, such controls can block attackers from building applications designed to exploit poor object-level controls to steal information.
Finally, the access control settings themselves—for users, objects, systems, and files—are also sensitive information, since they list which security measures are in place. Having such information would make it easier to defeat controls.
Today, however, many companies just store their policies and working documents unencrypted, “in Excel spreadsheets or in Word documents,” notes Libenson, and that’s a security risk. “Once these policies are created and saved somewhere, it’s extremely critical to encrypt these policy files, to ensure integrity—especially of the log-in policies—is always maintained.”
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.