Entitlement creep. Orphan accounts. Separation of duty. As much as those sound like terms from a Charles Dickens novel, they're actually parts of a very modern problem for public CIOs. Each is an issue that contributes to the biggest IT security weak spot in any public or private organization: internal users.
For all the attention spent on external hackers, employees and contractors with legitimate access to applications and databases are by far the most serious threat to information security. Nearly half of inside IT users "exhibited some inappropriate or concerning behavior" prior to an incident, according to the January 2008 report Insider Threat Study: Illicit Cyber Activity In the Government Sector by the U.S. Secret Service and Carnegie Mellon University. More than 85 percent of incidents were committed by staff with authorized access to IT systems, and 69 percent of the time access control gaps helped the insider abuse the system.
From a logical standpoint, it shouldn't come as a great surprise that authorized IT users cause more damage than hackers. Staff and contractors need access to IT resources to do their jobs, and inevitably some of them will abuse that access. Joseph Thomas Colon had legal access to the FBI's internal network in 2004 and 2005 when he stole 38,000 employee passwords, including that of Director Robert Mueller. The FBI spent millions of dollars to determine whether the theft compromised any information.
IRS subcontractor Claude Carpenter accessed an agency server to log on to two other servers and insert code to wipe out the data on all of them. Carpenter hid his tracks by turning off system logs, removing history files and overwriting the destructive code after execution to make it impossible for system administrators to determine why the data was deleted. It was only his suspicious behavior after he was terminated that tipped off management.
Public CIOs can severely restrict access privileges, of course, but that curbs productivity. The nature of government business demands that employees and contractors have access to strategic applications and data. Locking down systems disrupts workflows, which ultimately results in less responsive service for the public.
But the alternatives are the status quo or trying to more closely watch every individual with access to an application or database. The former approach is already failing. The latter is difficult in small organizations and nearly impossible in large ones without adding layers of overhead that governments can't afford.
Despite these conflicting realities, risk-based identity management strategies offer a balance between access and governance needs without the large, added costs. Risk management is based on identifying employee populations most able to do damage by abusing their access privileges. It lets organizations prioritize and limit the focus of internal controls and audits. It's key for reducing compliance costs and the burdens on IT staff. More importantly, by assessing and measuring risk over time, organizations can demonstrate that identity controls are working and effectively reducing corporate exposure and liability.
CIOs who want to implement a risk-based identity management strategy can divide the task into two broad areas: evaluating their current performance in the four main areas of risk exposure, and deploying technology tools and business practices to strengthen internal controls and improve oversight.
What to Look out for
The first step a CIO should take in a risk-based approach to identity management is determining how the organization performs in the four most common areas of risk exposure: orphan accounts, contractor access levels, entitlement creep and separation of duties. Answering one question in each area will give CIOs the basic knowledge to plan their risk management strategy:
1. Are you at risk from orphan accounts? Orphan accounts occur when managers fail to remove access privileges when workers are terminated. A security incident in 2007 at Cox Communications - a terminated employee remotely shut down part of the company's telecommunications network account - demonstrates the business risk represented by orphan accounts. During an economic downturn, when layoffs or rumors of layoffs are an everyday occurrence, promptly removing user access is critical. Having the right controls in place to promptly detect and remove orphan accounts is a vital compensating control.
2. Do you know the access level of your contractors and temporary workers? Today's corporations and government agencies rely heavily on contractors. For example, the U.S. Department of Defense does more than $100 billion worth of business with its top five contractors every year. Contractors and subcontractors often have access to sensitive systems and data, but in many cases don't have their "active" status tracked in an HR or centralized system the same way as permanent employees. As contractors move on and off projects, proper access control can be a difficult challenge.
3. Are you a victim of entitlement creep? Entitlement creep occurs as workers accrue access privileges over time through transfers, promotions or simply through the normal course of business. They collect "entitlements" beyond what they actually need to do their job. In companies or agencies where workers have long tenures, entitlement creep is a very real business risk. Prompt removal of excess privileges can significantly lower the risk of access abuse.
4. Do you enforce separation of duty policies? Separation of duty (SoD) policies are designed to prevent fraud by ensuring that no one has excessive control over critical business transactions. The risk around SoD arises not from failure to document SoD policies; most companies have these types of rules captured in spreadsheets or a control grid. The real challenge arises from the complexity and effort required to enforce the policy across dozens or even hundreds of applications and systems. SoD can apply to more than just financial conflicts of interest. How many programmers who are working on developing critical applications also have backdoor access to those same systems in production? The key is to eliminate these types of potential risk by limiting access and preventing "toxic combinations" that enable fraud.
The answers to these four questions will help CIOs focus their security policies and procedures before they move to the next phase, which is implementing technology systems to support risk-based identity and access management.
The Risk Management Infrastructure
Once the policy landscape is defined, the CIO can create the procedures and technology infrastructure to support identity risk management as a regular business process. This entails:
- centralizing identity data;
- performing regular access reviews;
- automating SoD policy enforcement; and
- identifying high-risk users.
Building an integrated database of identity data across mission-critical applications gives public CIOs enterprisewide visibility into who has access to what. A centralized view enables better management decision-making, fosters transparency and more effectively meets the reporting requirements of auditors and compliance staff. It minimizes redundant efforts and streamlines compliance processes across departments and business units.
Performing regular access reviews provides a critical control to detect and eliminate orphan accounts and entitlement creep. A central access database makes it easier to conduct regular reviews, allowing automated workflow to route user access reports to the appropriate managers for sign off. The database also expedites automated policy enforcement. An automated solution enables IT and business staff to centrally define SoD policies and monitor hundreds of thousands of users by identifying violations and alerting managers to the need for removal of access privileges. Automation also helps make policy enforcement a regular, predictable part of business rather than a time-consuming and less-reliable manual effort.
Identifying high-risk users can be as simple as using rules to "tag" contractors and privileged users so they are more visible; identifying users with policy violations; or pointing out who hasn't had their access reviewed recently. The goal is to simplify oversight by focusing management on potential risk areas. Combinations of factors, such as a privileged user with policy violations who hasn't had his access reviewed in the last year, represent a much higher risk to the organization and must be immediately identified. Analytical applications running on top of the central access database can make it fast and easy to spot these patterns.
Risk is implicit in almost every area of business and government. The challenge is to minimize it without breaking the budget. Risk-based management is a realistic approach to the challenge that uses existing IT and business management organizational structures, supplemented by identity management tools, to provide the combination of security and access that public agencies need to meet the challenges of conducting business in today's rapidly evolving electronic world.