The process of securing accounts includes a variety of factors, one of the most important being ensuring employees have the minimum access necessary to target platforms. In addition, employees' job functions and related access should be reviewed to ensure there are no separation of duties issues. Case in point: A person who creates a vendor account should not be able to approve payment to that vendor.
The access-review process includes understanding workflow: A baseline of access policies must be reviewed and approved by application owners. Additionally, subsequent changes to access rights should be reviewed and approved. Access certification tools, including those embedded in identity management provisioning systems from various vendors, can assist with the review process.
In some cases, a third-party security tool like CA Inc.'s Access Control or Symark International Inc.'s PowerBroker is required to limit privileged user access. For example, rather than giving the UNIX database administrator access to the root account for the purpose of restarting the server, the security tool can delegate the privilege of system restart to a real user.
Assuming you have locked down privileged user access, you should be all set, right? Not quite; you need to ensure privileged users do not abuse their access rights. One common use case concerns the customer support supervisor who appropriately has access to confidential customer data. If the supervisor accesses an excessive number of customer records on a given day, it may be an indication of a problem. A security information management (SIM) system would not likely detect this anomaly. Increasingly, enterprises are looking to deploy risk-based consumer authentication techniques to detect this level of access, but for the most part, these risk-based tools aren't ready for enterprise use because they are oriented toward financial transactions. Consumer authentication vendors with risk-based authentication include Hagel Technologies Ltd.'s AdmitOne, Arcot Systems Inc., Entrust, Oracle Corp., RSA Security and VeriSign Inc.
Some organizations consider the use of two separate accounts to address excessive user privilege. The first one is the "everyday" account for use in routine activities such as logging onto Windows workstations and checking email. The second account is only used for administrative tasks that require high privilege, including working with high-risk production systems. The high privilege account is not used during everyday tasks, which limits exposure to malware. However, the use of two accounts will not address the issue of excessive privileges granted to the user.
Balancing user access between the too lenient and the overly strict can be a challenge, but with these best practices, it can be a bit less daunting.
About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 18 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM for CA Inc., as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
