LogBlog


The many faces of privileged users

Privileged users are users who have legitimate access or administration rights to sensitive information or mission-critical systems.  87% of insider incidents are caused by privileged users.  Most are inadvertent violations of change management process or acceptable use policy.  Others are deliberate, mostly by disgruntled employees.

There are more “privileged users” in your organization than you might think:

Database administrators: Responsible for keeping the system available and its performance optimized. They continuously configure and re-configure the system, and add, remove, or update user account information and privileges.

Identity and access management system administrators: May need the power to create new user profiles and to add or change the privileges and access rights of existing users.

Server administrators: Sysadmins install, support, and maintain new servers and new software, which includes adding, removing, or updating user account information, resetting passwords, etc.

Storage administrators: Have access to granular information on file systems, are responsible for backup and recovery schedules, and allocate storage resources to applications.

Help desk employees: Many people in the help desk area have admin privileges on thousands of PCs for legitimate support purposes.  This gives them access to executive PCs and sensitive information.

Privileged users are really inevitable. Operating systems and applications are limited in the granularity with which they can grant specific administrator rights. For example, in order to perform password resets on Windows the user requires administrator rights that provide much more than just password reset. Any time users have broad access rights, they can potentially abuse the trust we place in them and misuse those rights. This argues for an enterprise-wide methodology and system to manage and monitor access rights and privileges, rather than leaving this function to the individual systems and departments.

Privileged user management combines role management and privileged user monitoring. Role management and user provisioning systems can help to audit and design user privileges, and to centrally assign and control them. Privileged user monitoring is the “surveillance camera” that logs all privileged user activity, allowing alerting on suspicious actions and ongoing review of all actions. In many cases, just the fact that the activity is monitored is a good way to motivate people not to abuse their access rights. A log management system can help to establish a baseline of user activity, from which you can evaluate whether privileges are assigned on a “least privilege” basis, and can perform enterprise-wide monitoring of privileged user activity.

Ultimately, privileged user management answers 3 critical questions about your privileged users:

1. Do I really need that many privileged users?

Get a clear view of who was doing what to the network and what information they were accessing.  Are there privileges which can be taken away without hurting productivity?  Log management systems can give you a baseline of user activity.

2. Do my privileged users really need that many privileges?

Are there users who have privileges that go beyond the normal privileges for their job function?  Compare privileges to job functions and then begin paring down access.  Role management systems can give you a baseline of user roles and privileges.

3. Do I know what privileged users are doing with their access rights?

Do you check for abuse of privileges on a regular basis?  Do you know who is accessing critical information or making critical changes?  Log management systems can monitor and audit user activity.
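As an added illustration (not code from the original post or from LogLogic), the script below shows how a log-derived activity baseline answers the three questions above. The key=value log lines, the role export format and the privilege names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: privileges granted per account, as a role-management
# export might supply them (hypothetical format).
GRANTED = {
    "dba1":   {"modify_schema", "grant_role", "reset_password"},
    "sysadm": {"install_software", "reset_password", "add_user", "delete_user"},
    "help1":  {"reset_password", "add_user"},
    "stor1":  {"run_backup", "allocate_storage"},
}

# Constructed sample audit log (key=value syslog style); not from a real system.
LOG = """\
2008-07-01T09:12:03 host=db01 user=dba1 action=modify_schema target=orders
2008-07-01T10:01:44 host=db01 user=dba1 action=modify_schema target=customers
2008-07-02T08:15:09 host=fs01 user=help1 action=reset_password target=ceo
2008-07-02T08:16:30 host=fs01 user=help1 action=add_user target=temp42
2008-07-02T11:42:51 host=fs01 user=help1 action=grant_role target=help1
2008-07-03T14:20:00 host=srv3 user=sysadm action=install_software target=patch-kb
2008-07-03T14:25:10 host=srv3 user=sysadm action=reset_password target=alice
"""

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"action=(?P<action>\S+) target=(?P<target>\S+)$")
CRITICAL = {"grant_role", "delete_user"}   # changes always worth a review

def parse(log):
    """Parse matching log lines into dicts; silently skip malformed lines."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE.match(line))]

def baseline(events):
    """Question 1/2 input: which privileged actions each user actually exercised."""
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["action"])
    return used

def review(granted, events):
    used = baseline(events)
    # Q1: privileged accounts that exercised no privilege in the log window.
    idle = sorted(u for u in granted if not used.get(u))
    # Q2: granted privileges never exercised, candidates for paring down.
    unused = {u: sorted(granted[u] - used.get(u, set())) for u in granted}
    # Q3: actions outside the granted set, or critical changes, for alerting.
    alerts = []
    for e in events:
        if e["action"] not in granted.get(e["user"], set()):
            alerts.append(("outside_role", e["user"], e["action"], e["target"]))
        elif e["action"] in CRITICAL:
            alerts.append(("critical", e["user"], e["action"], e["target"]))
    return idle, unused, alerts

if __name__ == "__main__":
    for item in review(GRANTED, parse(LOG)):
        print(item)
```

In the sample, the help desk account grants itself a role it was never assigned, which surfaces as an outside-role alert, while the storage account shows up as idle and the DBA's unused grant_role right is a candidate for removal.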

Posted July 09, 2008

