
Great walls, lousy controls

Contractors and privileged users still roam much more freely in companies' IT infrastructures than most will admit.

By Therese van Wyk
Johannesburg, 18 Apr 2011

It is said the Great Wall of China, built to keep invaders out of the kingdom, was effective until the invaders bribed the gate-keepers. These days, the biggest risk for insider fraud also emanates from those supposedly guarding a territory - the system administrators and other privileged users who wield the keys to a company's IT.

Making matters even more interesting is the fact that privileged users with sweeping IT access are often third-party contractors, called in at busy times to relieve operational overload, or engaged to provide expertise the company needs for a limited period.

To mitigate this, companies need to allow the right individuals, for the right reasons, to access only the information they need, for only as long as is needed, across the diverse IT landscape, while automating these identity provisioning processes, along with monitoring and management reporting. Or identity and access management (IAM), for short.

Managing contractors and privileged users remains an enduring IAM challenge, even in companies with mature IAM.

Often, the root of contractor IAM risk is a different way of managing access, says Rudi Opperman, security consulting lead at Accenture.

“The first thing that jumps out for me is: why are temporary employees, contractors and privileged users the greatest insider business threat?” asks Opperman. “It's not like they are bad people, it's that the company processes for managing employees and the processes for managing third parties tend to be different, and a lot less formalised.”

If only a handful of contractors are involved, the risk may be acceptable. But in some companies, there are as many contractors as permanent salaried employees, says Andrew Whittaker, senior security, identity and access management consultant, Ubusha.

“We have a client with 9 000 active contractors, at least half of which require access to IT resources. About 100 new contractors are registered every month, and around 100 leave.”


When contractors leave, their IT access should not leave with them, but should be revoked by someone who knows the person is no longer around.

“I don't know why there seems to be this distinction between contractors and full-time employees in corporate SA,” comments Samresh Ramjith, CTO of security solutions at Dimension Data.

“If the contractor has the same level of access to the organisation's data as a full-time employee, the risk posed is the same, if not greater.

“In fact, you should be identifying the contractor more strongly than an employee, because the contractor is going to be floating between all the organisations in your vertical, and has the ability to broker information and sell stuff on the side. You want to be 100% certain that this contractor has access only to the information he needs. The only difference between a contractor and an employee is how you pay the person.”

Human resources, in charge of paying people, may not be interested in getting involved in the contractor security problem, however.

“Historically, HR departments have looked after employees, while they treated long-term contractors like employees and allocated positions to them in the company hierarchy,” explains Opperman. “These days, HR does not keep up with the changing business environment, but there is a big reliance on third-party contractors.


“In an integrated supply chain, for example, your service providers are part of the organisation. HR capability is not there to service these people, but they are required, so their access is done on the side.”

While HR may not be interested in contractors, the line managers who need contractors in a hurry are not interested in HR's lengthy processes to bring someone on board either. Managers tend to circumvent HR, engage contractors directly, and worsen the problem.

Most companies would do much better by managing contractors within the same business policies and approval workflow as employees, says Connie Grobler, identity and security management technical specialist at Novell. This applies even when contractor information is stored on a different source, because contractors are often paid by the hour, with no fixed salary and no pension fund.

Who has the keys now?

While companies struggle to manage the IAM for contractors that arrive suddenly and depart within days or weeks, IAM can unravel seriously with privileged users.

“It makes me shake my head in disbelief,” says Alan Rhebock, sales and marketing director at Magix Security. “Some companies actually put the administrative passwords, those privileged passwords, on a spreadsheet on a publicly visible share. Some of the things we discover in industry are really amazing.”

Adds Ugan Naidoo, head of the security business unit at CA South Africa: “We know the biggest risk in some of the larger organisations is the privileged user, the person who has the keys to the kingdom, who can do pretty much what they wish to do whenever they wish to do it. There are lots of ways these people can subvert controls, whether they are built-in, or business processes.”

Privileged users come from three main camps in a company's IT landscape: the business users who have access to secret and confidential information or to information across business units; the IT users (often contractors) who keep systems running properly; and the project users (often contractors) who install or extend systems.

Yet, the management maturity one would expect for accounts like these may be missing, making fraud a likely outcome.

“It happens so often in companies,” says Rhebock. “Someone will buy a piece of equipment, stick it in a corner, tell the auditors 'that is the access management system', and hope they go away. Much later, if fraud is discovered, it's nearly impossible to say who committed it using a privileged account, despite database and transaction logs.”


Even security information and event management reporting may not help much by then.

Worse still, fraudulent tracks are more easily covered in some systems than others.

“Some systems contain inherent control inefficiencies,” adds Naidoo. “As an example, a privileged user may create a fictitious account, perform fraudulent transactions using that account, and then delete or disable the account. The person may also delete all audit trails and logs associated with those transactions. After a few months, when the organisation realises that something happened, there is no proof of who did it.”

While most companies do not manage privileged accounts properly, some, in industries like banking, insurance and telecommunications, have made much progress.

Control of privileged accounts depends on the maturity of the organisation, and the legislation and guidelines with which they comply, says Grobler.

“At the banks, I know they have a good handle on the privileged user accounts, manage them efficiently, and keep track of who's doing what with change control processes. In a less mature organisation, you find they often don't know what's going on.

“There are software solutions available, but you have to have your policy and procedures in place before you throw software at the problem.”

Locking it down

Firstly, better control means only creating privileged accounts within business policy, and improving password security.

“Often, the proper controls to create privileged accounts are not in place,” says Grobler. “For a privileged user, it should be an access request through a centralised management system with an associated approval process. The account should be tracked for the lifetime of the person, and taken away when he or she leaves the organisation.”

If you more strictly control and automate password integrity for privileged access, the company's resistance to fraud also improves, adds Rhebock.

Secondly, segregation of duties is even more important for privileged users than ordinary ones.

“No single privileged user needs or should have access to all administrative rights,” maintains Grobler. “But what people do is they give the full rights to that person, for example the ability to add users or format a drive, if all he needs to do is backups.”

But the nature of what privileged user contractors do can make segregation of duties particularly difficult to enforce for them. These people often need unique access facilities because of a merger or acquisition, a project, or another temporary requirement. And if the unique access can be provided, there may be a graver concern still.

Often, says Opperman, the organisation may not have the capability to assess if the privileged access for a contractor complies with segregation of duty requirements.

Auditors can track down fraudsters after the fact if forensically searchable IAM reporting is available. But to be aware of suspicious activities as they occur, user behaviour monitoring may be necessary.

“We monitor employee behaviours in one of the big banks,” says Rhebock. “If an employee accesses dormant accounts regularly, or regularly looks at the policy number of a high-profile individual, someone has to ask why. Our solution flags that and we begin a forensic investigation.”
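The two behaviours described above, the create-transact-delete pattern Naidoo outlines and the repeated dormant-account access Rhebock mentions, written as detection rules over a constructed audit feed. This is an added example, not Magix's or CA's product; the event layout, thresholds, dormant-account list and privileged-user list are assumptions, and the rules only catch anything if events are forwarded to a store the privileged user cannot edit.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, actor, action, target account).
EVENTS = [
    ("2011-04-01 09:00", "teller7", "view", "ACC-1001"),
    ("2011-04-02 09:05", "teller7", "view", "ACC-1002"),
    ("2011-04-03 09:10", "teller7", "view", "ACC-1003"),
    ("2011-04-03 10:00", "teller2", "view", "ACC-1001"),   # one-off, not flagged
    ("2011-04-05 22:00", "admin9", "create_account", "ACC-9999"),
    ("2011-04-05 22:10", "admin9", "transfer", "ACC-9999"),
    ("2011-04-05 23:00", "admin9", "delete_account", "ACC-9999"),
    ("2011-04-06 08:00", "admin3", "create_account", "ACC-2000"),  # normal work
]
DORMANT = {"ACC-1001", "ACC-1002", "ACC-1003"}  # assumed list from core banking
PRIVILEGED = {"admin9", "admin3"}               # assumed privileged-user list

def parse(event):
    ts, actor, action, target = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), actor, action, target

def dormant_access_offenders(events, threshold=3, window=timedelta(days=7)):
    """Actors who viewed dormant accounts `threshold` or more times within `window`."""
    views = defaultdict(list)
    for ts, actor, action, target in map(parse, events):
        if action == "view" and target in DORMANT:
            views[actor].append(ts)
    offenders = set()
    for actor, times in views.items():
        times.sort()
        # Sliding window: any `threshold` consecutive views falling inside `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders.add(actor)
                break
    return offenders

def create_use_delete(events, window=timedelta(hours=24)):
    """(actor, account) pairs: a privileged actor created, used and deleted the account within `window`."""
    rows = defaultdict(list)
    for ts, actor, action, target in map(parse, events):
        if actor in PRIVILEGED:
            rows[(actor, target)].append((ts, action))
    flagged = set()
    for key, items in rows.items():
        actions = {a for _, a in items}
        span = max(t for t, _ in items) - min(t for t, _ in items)
        # Create and delete plus at least one other action, all inside the window.
        if {"create_account", "delete_account"} <= actions and len(actions) > 2 and span <= window:
            flagged.add(key)
    return flagged
```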


In companies with mature IAM, managers may even have business-friendly reporting to help them along, rather than inscrutable forensic or IT-focused logs.

“When you automatically combine the identity, the access given to a person, the activities they do on the system, and the permitted access they were given in the approval process, you get a picture of what your users can actually do,” states Opperman.

“With this data, you get feedback when you make changes, and you can incrementally improve control. The financial director can see the nature of the transactions, and who's doing them, from a business view. It also enables you to define the controls you want in one place.

“For example, stopping people adding the wrong access by checking for violations before they give the users access. Or stopping someone being given access to a transaction if they sit in the wrong business unit.”
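A reconciliation in the spirit of Opperman's description above: it joins identity records, access approved through the request workflow and access actually found on target systems, and applies the pre-grant checks he mentions (segregation of duties, business unit) together with the leaver check raised earlier in the article. This is an added example, not Accenture's or any vendor's tooling; the identities, entitlement names and policy tables are constructed.

```python
from datetime import date

# Constructed sample data: identity records (HR / contractor register),
# access approved through the central request workflow, and access actually
# present on the target systems.
IDENTITIES = {
    "jsmith": {"unit": "finance", "end": None},
    "con042": {"unit": "it", "end": date(2011, 3, 31)},   # contract has ended
    "con077": {"unit": "it", "end": date(2011, 6, 30)},
}
APPROVED = {"jsmith": {"gl_post"}, "con042": {"backup_operator"},
            "con077": {"backup_operator"}}
ACTUAL = {
    "jsmith": {"gl_post", "gl_approve"},          # can approve own postings
    "con042": {"backup_operator"},                # leaver, never revoked
    "con077": {"backup_operator", "user_admin"},  # user_admin never approved
    "ghost1": {"domain_admin"},                   # no identity record at all
}
# Entitlement pairs no single person may hold, and which units may hold what.
SOD_CONFLICTS = [{"gl_post", "gl_approve"}, {"backup_operator", "user_admin"}]
UNIT_POLICY = {"gl_post": {"finance"}, "gl_approve": {"finance"},
               "backup_operator": {"it"}, "user_admin": {"it"},
               "domain_admin": {"it"}}

def check_request(user, requested, today):
    """Pre-grant check: reasons to refuse the request (empty list means grant)."""
    ident = IDENTITIES.get(user)
    if ident is None:
        return ["no identity record"]
    reasons = []
    if ident["end"] and ident["end"] < today:
        reasons.append("engagement ended")
    if ident["unit"] not in UNIT_POLICY.get(requested, set()):
        reasons.append("wrong business unit")
    # Would the requested entitlement, combined with what is already held, break SoD?
    if any(pair <= ACTUAL.get(user, set()) | {requested} for pair in SOD_CONFLICTS):
        reasons.append("segregation-of-duties conflict")
    return reasons

def reconcile(today):
    """Attestation review: set of (user, finding) for access that should not exist."""
    findings = set()
    for user, held in ACTUAL.items():
        for ent in held - APPROVED.get(user, set()):
            findings.add((user, "unapproved:" + ent))
        for ent in held:  # re-run the pre-grant checks against what is held today
            for reason in check_request(user, ent, today):
                findings.add((user, reason))
    return findings
```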

Managing contractors and privileged users with robust IAM is overdue for most companies with commercially valuable information, despite the fact that insider fraud is one of the top business risks.

IAM maturity is determined by business maturity, however.

Now what?

Small and medium-sized companies can benefit from recording user access, integrated into a service desk that manually provisions user identities, says Whittaker.

This approach does not need elaborate system integration, and does not have a major impact on existing business processes.

Companies that have already implemented a base IAM framework should extend it across the organisation, he continues, focusing on automated and ad-hoc identity provisioning into business systems.


Periodically checking that users are still valid through attestation processes is also a good idea. This will create business demand for improved IAM reporting and auditing, even for security information and event management technologies capable of alerting managers to exceptions.

Companies starting out on IAM solutions should focus first on data quality, while implementing a base IAM infrastructure in parallel. An IAM programme can start in two places. A company can either focus on automating the provisioning of user accounts through identity management technologies, or on access request management tools and processes for regular access attestation.

No matter which side a company starts from, both paths will ultimately be required.

For large companies, with IAM established to some extent, the next evolutionary step is towards controlling who can do what on business systems with role-based management, says Whittaker.

Here, defining rules that automatically provision or de-provision user accounts is no longer sufficient when complying with good governance or legislation involving identity management principles. Managing user access within an enterprise's business systems is now essential.

Where policy for privileged and contractor access does not exist, companies face even more effort in dealing with fraud long after it happened, and in attempting to comply with ever stricter legislation. The IT walls are still only as good as the watchful eyes on their gatekeepers.
