According to the movies, all cyberattacks are committed by a mysterious hooded figure, stealing data from thousands of miles away. However, the Verizon Data Breach Report (2018) reveals the truth: Over a quarter of attacks are perpetrated by insiders.
All industries have faced insider threats, from the government to private manufacturing. Most recently, healthcare has been particularly vulnerable, with over half of their threats coming from the inside. Insider threats are notoriously tough to spot, since it’s difficult to determine an employee’s incentive when using their approved credentials to access an organization’s data. Since the leading motivator behind attacks is financial, no business is safe.
An employee’s motives can be completely benign and still be considered an insider threat. One in five cybercrimes occur due to an error committed by an employee. Of those surveyed for the Ponemon Institute’s Study on Global Trends in Cybersecurity (2018), 31% considered negligent employees to be the greatest risk to cybersecurity.
A simple click can cause devastating consequences. Data loss, sensitive data theft, and often permanent damage to an organization’s reputation are only some of the costs of a data breach.
Insider threats are not only difficult to detect, but they pose significant challenges to IT professionals trying to mitigate these attacks. The most critical challenge is maintaining the balance of proper security and access controls without impeding productivity. Unlike external threats, the solution is not as simple as closing all gateways to data – employees need to be able to have the right amount of access in order to get their jobs done. Privileged Access Management (PAM) solutions are particularly effective in defending against insider threats for this very reason.
PAM solutions not only protect against insider threats by granting employees the appropriate level of access to do their jobs, they also help organizations detect potential insider threats and provide a complete audit trail of user activity. Moreover, best-in-class PAM solutions help organizations remove the friction between security and productivity by offering granular access controls that consider not only who, but how, what, when, and from where data is being accessed. This allows your organization to remain secure while still carrying on business as usual.
How PAM prevents insider threats
There are a variety of ways PAM solutions help to detect and protect against insider threats. Specifically, they can:
- Manage accounts and roles, ensuring staff are connected enough to carry out their job.
- Control and enforce access to systems and software. Staff and contractors can be allowed to carry out their work but are automatically denied access to systems that make no sense for their job role.
- Control transitions to privileged accounts, like “root” on Linux and UNIX systems. The traditional UNIX security model is quite simplistic and updating configuration files on each machine is easily prone to IT staff fraud.
- Centralize security log data to a secure and protected database, like a SIEM or SOA solution. Logs may be tampered with by your staff or hackers when on a single production system, but centrally collected logs cannot be abused.
- Support compliance reporting with automation, in conjunction with your auditor’s reporting solution of choice.
This guide will provide an in-depth overview of each of the above functions of a PAM solution.
1. Managing Accounts and Roles
User account and role management is especially important in respect to the staff that must access a system. Each administrator or operator of a system must have unique user accounts; this provides traceability and accountability for actions performed and will allow you to pass compliance audits. This rule does not apply to just administrators of the operating system, but to anyone who accesses a system to work on an application or data. For some organizations, this could result in an overwhelming number of accounts to manage across many groups of servers. A PAM solution will significantly simplify this task by assigning support teams to their own clearly defined roles.
For example, PAM solutions can automatically handle account transitions. As staff change their role within the HR organizational tree and corporate directories, their IT access and technical role morphs automatically to match their new responsibilities, requiring zero manual intervention.
Accounts of your staff or authorized contractors typically live in “corporate directories” like LDAP and Microsoft Active Directory. It takes significantly less time to connect and integrate such directories with a PAM solution, allowing for IT specific roles and technical privileges to be assigned to user accounts based on HR job titles and functions that live in the directory instead of subscribing on an individual user basis. This saves IT teams from a tedious job that would otherwise take an incredible amount of effort.
These are just a few examples of how organizations can streamline account management with the right PAM solution in place. Our customers have initially saved 40-50% of IT administration overhead with this directory integration, and as the solution matures with business operations, this can improve to over 75% savings.
2. Controlling and Enforcing Access
Letting your staff decide for themselves the most convenient way to navigate around your IT infrastructure is dangerously insecure, leaving you incredibly vulnerable to intentional or accidental insider breaches. Your organization is responsible for the health and accuracy of the data on its systems, and control decisions shouldn’t be left unclear or solely to those in IT who administer access to the systems. Data owners should consider the advantages of pre-built “Granular” controls that PAM solutions provide.
What do we mean by Granular?
- Making sure access to a system uses an encrypted channel, like Secure Shell (SSH).
- Banning legacy access controls that have no security, like Telnet FTP or the Berkley “R Commands.”
- Making sensible choices about how the user signs in. For example, on a high-risk server access may be authorized only by multi-factor-authentication. On a low risk server password access may be allowed, or Kerberos authentication inherited from an Active Directory login when the user started their shift.
- Freezing uncontrolled “hopping” session to session on systems with different risk levels or data owners.
- Managing authorization and reporting of necessary privileged escalation to system (“root”) or database application accounts with little business interruption.
Well-crafted granular controls can enforce access requests in real time. This prevents both unintentional admin errors and malicious hackers from wandering around your infrastructure. Instead of waiting months to find out if you have been breached, the attempts are foiled in real time and alerts are sent to the appropriate level instantly.
3. Controlling Transitions to Privileged Accounts
Who accesses what host, when, from where, and how, are all important data points, whether on-site or living in the Cloud. However, knowing if that account is then elevated to be granted privilege to execute additional commands can prevent insider threats.
Not every user, application, or system account is equal; not every account available to a Linux/UNIX system needs to be able to access it over the network. If you have properly implemented privilege control, then nobody will ever log in as Linux or UNIX “root” when they SSH to the system over the network to perform maintenance. However, admin users will still need to be able to log in at the console as "root", for that rare occasion that something has gone terribly wrong and an administrator needs to work directly from the datacenter to regain control.
Extending your access controls to handle privileged account access and privileged command execution on Linux and UNIX platforms is now a mandatory part of all our compliance controls. They must be defined in a secure, central policy that cannot be subverted by manipulating text files on individual operating systems.
4. Centralized Security Log Data
Log changes. Log access. Log privilege. Log failures. It all takes time and resources to store and evaluate these messages, which can be hundreds of thousands of messages each day. PAM solutions interface with secure log vaults at various technical capabilities and price points suitable for your organization.
SIEM or SOA solutions take chains of PAM generated centralized logs and create co-related events that can demand instant action and attention from the business. For example, a SIEM solution would send a report the moment a security policy setting had been modified. Using a PAM solution, an administrator would be able to see how this action occurred. Perhaps an employee purposefully altered the settings for malicious purposes, or they accidentally changed the settings when they only intended to view them. The precise logging of a quality PAM solution would help determine not only the employee’s impetus, but could also expose holes in security that need to be patched. By pairing PAM’s audit trail with a SIEM or SOA solution, an insider threat can be detected and neutralized quickly.
5. Support Compliance Reporting
Auditing used to be something that happened once per year. Businesses were willing to sacrifice staff periodically to assist with internal and external audits. While this may be achievable for annual or even quarterly audit cycles, it soon becomes impossible with non-stop compliance requirements from the numerous protection regulations issued by countries around the world. Without the right solutions in place that constantly provide audit data for reporting, compliance becomes an unsustainable burden on IT teams.
With security logs from your infrastructure now resident and concentrated in a SIEM or SAO database, it makes it easy for auditors to run audit and compliance reports without impacting production systems or IT operations efficiency. This leaves IT operations free to prioritize activities that ensure security, instead of getting bogged down in reporting on it.
Insider attacks can take months to catch, and years to recover from. However, locking up systems too strongly prevents employees from accomplishing their jobs, frustrating all involved. With a PAM solution, your business can confidently walk the fine line between dangerous vulnerability, and unproductively tight security.
Powertech Identity & Access Manager (BoKS) provides centralized control over accounts and privileged access, streamlining administration of user accounts all while satisfying compliance requirements. Using the principle of least privilege, Powertech Identity & Access Manager successfully protects your organization’s data, but still gives users the credentials they need to get their work done. Best of all, it can effectively and securely scale, allowing for safe and efficient growth of your business.