Access control: Pandemic forces rethink of IT’s trust model

Richi Jennings Industry analyst and editor, RJAssociates

Worrying results from a recent survey: far too many knowledge workers are being given access to far too much data. That’s especially concerning given the huge rise in home working—what with … y’know … one thing and another.

Almost half of workers say they can see things they shouldn’t see. Managing access seems to fall through the cracks when people change jobs, for example. I’m not even joking.

It’s almost as if it’s time for a whole new trust paradigm. In this week’s Security Blogwatch, we say “hello” to Jason Isaacs.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How to panic a little less.

Zero trustification

What’s the craic? Gareth Corfield reports—Too many staff have privileged work accounts for no good reason:

Around 40 percent of staff … have access to sensitive data that they don't need to complete their jobs, according to recent research. … Carried out by the US Ponemon Institute … the survey also found that about 23 percent of IT pros across the board reckoned that privileged access to data and systems was handed out willy-nilly.

In a finding bound to shore up frontline workers' opinions of each other, fully half of respondents … expressed the view that users with elevated access privs would browse through data "because of their curiosity." … The survey took responses from 755 UK and 1,128 American workers in the public and private sectors.

Do dig deeper. That’s Ian Murphy’s law—Do too many users have privileged access at your organisation?

Shockingly, this is not a new issue. … One of the biggest causes is the failure of IT to revoke privileged access when a user changes roles [e.g.,] to allow a reasonable handover to a successor.

Another reason for having excess privileged access is that “everyone at my level has it.” It’s more a schoolyard complaint than an operational excuse, but 38% used it.

42% of organisations … are not confident they have enterprise-wide visibility of privileged access. … 44% say that access to sensitive or confidential information is not really controlled. … 40% say that privileged users who leave continue to have privileged access rights for some time after. … 39% claim that privileged users become disgruntled and leak data or damage equipment.

IT admins and IT security each have a level of responsibility. … However, there is another group who are often overlooked – Human Resources. … Identity and Access Management (IAM) solutions are increasingly popular [but] if the right rules are not in place, then the effectiveness of these solutions is … neutered.
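One way to catch the two failures Murphy describes (grants never revoked on a role change, and leavers who keep privileged access) is to reconcile directory group membership against the HR feed. This is an added example, not code from the column, the survey, or any product it mentions; the role-entitlement policy, HR roster and directory export below are all constructed.

```python
"""Reconcile privileged-group membership against an HR roster, flagging
leavers who keep access and movers whose old-role grants were never revoked.
All data and the role-entitlement policy below are constructed examples."""
from datetime import date

# Hypothetical policy: which privileged groups each role is entitled to.
ENTITLEMENTS = {
    "dba": {"db-admins"},
    "sre": {"prod-deployers", "db-admins"},
    "developer": set(),
    "finance-analyst": {"finance-reports"},
}

# Constructed HR feed: (user, current role, status, date role last changed).
HR_ROSTER = [
    ("alice", "sre", "active", date(2019, 3, 1)),
    ("bob", "developer", "active", date(2020, 9, 14)),  # moved from sre
    ("carol", "finance-analyst", "active", date(2018, 1, 8)),
    ("dave", "dba", "left", date(2020, 8, 31)),
]

# Constructed directory export: (group, member, date membership was granted).
GROUP_MEMBERS = [
    ("prod-deployers", "alice", date(2019, 3, 2)),
    ("db-admins", "alice", date(2019, 3, 2)),
    ("prod-deployers", "bob", date(2019, 6, 1)),  # granted in his old role
    ("finance-reports", "carol", date(2018, 1, 9)),
    ("db-admins", "dave", date(2017, 5, 20)),
    ("db-admins", "erin", date(2020, 2, 2)),  # no HR record at all
]


def review_privileged_access(roster, memberships):
    """Return (user, group, reason) findings; an empty list means clean."""
    people = {u: (role, status, changed) for u, role, status, changed in roster}
    findings = []
    for group, user, granted in memberships:
        if user not in people:
            findings.append((user, group, "no HR record (orphaned account)"))
            continue
        role, status, changed = people[user]
        if status != "active":
            findings.append((user, group, "leaver still holds access"))
        elif group not in ENTITLEMENTS.get(role, set()):
            # Grant predates the role change: IT never revoked it on handover.
            stale = granted < changed
            findings.append((user, group,
                             "stale grant from previous role" if stale
                             else "not entitled by current role"))
    return findings
```

Feeding a real HR export and a real group dump into the same shape gives an access-review worklist; the point is that HR's role and leaver data, not IT's memory, is the source of truth.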

Yeah, but this is nothing new. How come we’re talking about it now? Here’s Nick Farrell—Security experts say riff-raff should not have access to all that sensitive data:

Access management is a critical topic for IT security … especially as COVID-19–induced remote working introduces challenges for the monitoring of data access and intra-org flows.

Who sponsored the survey? Carolyn Ford is the director of government and critical infrastructure at Forcepoint:

While data breaches have many causes, privileged credential abuse is a common one. [But] “privileged” access is a bit of a misnomer—such access is in fact relatively widespread.

Many IT teams are struggling to keep up with the sheer volume of access change requests—particularly when they are relying on old-school systems like spreadsheets. … A whopping 85 percent of survey respondents said the risk will either remain the same or increase in coming years.

In an IT setting, privilege can mean many things: access to a particular application or data set; permission to shut down or configure systems; authority to bypass certain security measures. … The sheer number of privileged users makes, to some extent, abuse inevitable.

All this doom and gloom. There is another side to the story, as SuperKendall explains:

I don't think I've ever worked for a company with any size of IT department, that was not way over-zealous in locking things down—to the point where work probably took 20% longer than it should have because of security constraints. … IT departments are way too much a silo that is not really integrated with the people they are supposed to assist and protect.

They never have good understanding of what is important to lock down vs. what could easily be kept more accessible so that people could get work done. … Meanwhile I can't get a document I need to get work done for three days.

Passionately put. But does this Anonymous Coward sound a touch naïve to you?

In the real world … locking everything down is rarely a good idea. People often do need more access than you might expect in order to do their jobs efficiently.

Rather than trying to lock down everything and constrain your employees into narrowly defined processes of what management thinks is their job; hire competent people, give them all the access they ask for, and trust them to use that access appropriately. That is how you get work done.

And what if someone pulls rank? ArhcAngel has BeneThere; DoenThat: [You’re fired—Ed.]

An executive asks you why they don't have access to XYZ. You inform them they do not need access. They become enraged and demand access. You tell them you are not authorized to grant them access. They contact your superior. Your manager immediately demands you grant them access.

Rinse, lather, repeat.

Tales from the DevOps coalface? Drew Scriver’s got ’em:

Years ago we had a developer who needed a lot of code releases to Prod to get things right. … Then one day he happily submitted a change and said that this would be the last one for sure.

Suspicions duly awakened, I scrutinized his code even more than usual and discovered that he had cleverly changed his code to include a reference to an external file that resided in a repository that he had write-access to. … If we had promoted his "last and final version" he would have been able to self-deploy future changes.

And Developers wonder why Production Engineers don't trust them.

Meanwhile, got root? bbsguru’s access is turned up to eleventy-stupid:

Yes, I have more access than I usually need. … Full administrative access is safe in my hands … it's all those other people that worry the **** out of me.

The moral of the story?

Do you know who has what privs in your shop? Is it time for a zero-trust approach?

And finally

DON’T PANIC


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30. The Shouty Woman.

This week’s zomgsauce: George Hodan (cc:0)
