As a board member, you’d be shocked to discover that one of your ex-employees still has access to the company email even though she left the company months ago. You’d be even more shaken to hear that the same individual could still access the company intranet.
And now I’m asking you to stop thinking about emails and company intranets.
Put your focus on your operations. Think about the employees who can access some of the most valuable information any company has: software product releases, production environments, company network infrastructure, critical databases, credit card data, blueprints, stock exchange release drafts, etc. Failure to handle this type of data properly might cripple the operations of any company or tarnish its reputation beyond repair. Yet the unfortunate reality is that managing what is known as privileged access is often the neglected part of IT security governance.
“How is your critical access management?” asked the auditor
Just recently I attended a session where a high-profile auditor put this topic into the spotlight. He said that if there is one question that board members should ask their operational management, it is:
“Are you able to keep the access rights of your company up to date? When someone leaves or changes his/her role, are you sure that your processes and tools ensure that his/her access rights are amended accordingly?”
The examples given included the immediate revocation of access for a database administrator upon her departure from the company.
And there’s more. Think about all the third parties, external contractors and temporary workers that, for all intents and purposes, are outside your control. With internal employees, you at least have an idea of whether they use access software, whether the company’s security policies are specific enough and whether you have been flagged for compliance issues. However, when you are dealing with the supply chain, your ability to control their processes and actions is much more limited. When third parties have remote access to your critical systems and data, their processes must meet your regulatory requirements. The risk is a nightmare scenario like that of the Swedish Transport Agency’s supplier data breach.
The board is obliged to ensure that internal audit and assurance are properly organized at the company in question. When the topic of cybersecurity is brought up at board level, it is not enough to discuss whether security systems are updated regularly, how the company takes action against hacking attempts or what other measures are in place to mitigate external risk. It is also not enough to focus on the perimeter (which is broken), incident response, intruder detection and secure identity management. It is equally important to understand how the company manages and updates privileged access to its core data.
Ungoverned access has been and will be exploited
Ex-employees boast about how they still have access to various systems within the company they have already left. These stories might sound funny until you realize that it could happen to your company! And they are not myths. The infamous Edward Snowden leak; the Citibank case, where an infuriated ex-employee decided to bring the bank’s operations to a grinding halt; and the Marriott case, where hackers went undetected for four years (!), are some of the prime examples of the devastating results of poorly managed privileged access.
The common thread in many of these major breaches is that they were enabled by unmanaged SSH (Secure Shell) keys. SSH keys are the standard means of privileged access to servers and data, in use in every corporate network. Snowden was able to simply create his own SSH keys because there was no governance, and no processes or systems in place, to obstruct him.
Regulations demand proper governance
Identity and access governance is on the radar in major organizations. However, Secure Shell governance, and the importance of a balanced risk profile for the privileged access enabled by SSH keys, is typically missing. The bottom line is that proper governance is not a choice. You simply cannot ignore insider privileged access and the potential for unmanaged access methods to be exploited. It’s mandated by regulatory bodies.
Your organization is likely required by law to be able to demonstrate who can access what type of information. If that information is particularly sensitive or personally identifiable, you have to be able to justify every access and know exactly why that access was granted. You must have clear segregation of duties. You need to be able to explain that only those that need access have it: that application developers cannot access credit card data, that technicians cannot access patient data, that subcontractors are not accessing and storing the wrong data.
You are also required to show that no one outside your trusted group of privileged users ever tries to gain entry to the wrong places. Even then, there needs to be a proper audit trail.
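In practice, demonstrating who can access what over SSH starts with inventorying the public keys in each host’s `authorized_keys` file and tying every key to a named owner who is still entitled to it. The script below is an added illustration, not code from SSH.COM or from the original post: it parses an `authorized_keys` file (including entries that carry options such as `from=` or `command=`), computes the OpenSSH-style SHA256 fingerprint of each key, and checks each fingerprint against an approved-key inventory and a list of departed users. Keys not in the inventory are reported as unknown and keys owned by departed users as orphaned, which is exactly the offboarding gap the auditor’s question is about. The sample file, the key material, the inventory and the user names are all constructed for this example.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Key types OpenSSH accepts in authorized_keys (subset; extend as needed).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed placeholder key material (valid base64, NOT real keys).
KEY_ALICE = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43
KEY_BOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "B" * 43
KEY_UNKNOWN = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "C" * 43
KEY_CONTRACTOR = "AAAAB3NzaC1yc2EAAAADAQABAAABAQ" + "D" * 42


@dataclass
class AuthorizedKey:
    line: int
    options: str      # e.g. 'from="10.0.5.0/24",no-pty' or ""
    key_type: str
    key_b64: str
    comment: str


@dataclass
class Finding:
    line: int
    status: str       # "approved" | "orphaned" | "unknown"
    owner: Optional[str]
    fingerprint: str
    key_type: str


def _split_options(line: str):
    """Split the leading options field from the rest of an entry.
    Options are comma-separated and may contain double-quoted values
    with spaces or commas, so we scan for the first unquoted whitespace."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys content, skipping blank and comment lines."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unrecognised authorized_keys entry")
        comment = parts[2] if len(parts) == 3 else ""
        keys.append(AuthorizedKey(lineno, options, parts[0], parts[1], comment))
    return keys


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, approved: Dict[str, str],
                          departed: Set[str]) -> List[Finding]:
    """Classify every key on the host against the inventory and the leaver list."""
    findings = []
    for key in parse_authorized_keys(text):
        fp = fingerprint(key.key_b64)
        owner = approved.get(fp)
        if owner is None:
            status = "unknown"       # nobody in the inventory vouches for this key
        elif owner in departed:
            status = "orphaned"      # owner has left but the key still grants access
        else:
            status = "approved"
        findings.append(Finding(key.line, status, owner, fp, key.key_type))
    return findings


# Constructed sample: authorized_keys of a shared "deploy" account on a production host.
SAMPLE_AUTHORIZED_KEYS = f"""# deploy account - production web tier
ssh-ed25519 {KEY_ALICE} alice@workstation
from="10.0.5.0/24",no-pty ssh-ed25519 {KEY_BOB} bob@laptop
ssh-ed25519 {KEY_UNKNOWN}
command="/usr/local/bin/backup.sh",no-port-forwarding ssh-rsa {KEY_CONTRACTOR} contractor-backup
"""

# Constructed inventory: fingerprint -> accountable owner, plus the current leaver list.
APPROVED_KEYS = {
    fingerprint(KEY_ALICE): "alice",
    fingerprint(KEY_BOB): "bob",
    fingerprint(KEY_CONTRACTOR): "acme-backup-contractor",
}
DEPARTED_USERS = {"bob"}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS, DEPARTED_USERS):
        print(f"line {f.line:>2} {f.status:<8} owner={f.owner or '-':<24} {f.key_type} {f.fingerprint}")
```

Run against real hosts, the inventory would be fed from the key-management or IAM system and the departed-user list from HR offboarding, and the `orphaned` and `unknown` lines are the ones that should block the audit until they are revoked or attributed. Fingerprints rather than raw key strings are used as the inventory key so the same report format works across key types and matches what `ssh-keygen -lf` prints.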
A more structured approach to identity and access governance makes business sense
This is – or at least should be – an obvious point. If your organization is in control of why, when and by whom critical data is accessed, you will not only make your business more secure, but improve the flow of information when you need to comply with regulations or grant/revoke such access. We’ve come back to the thorny subject of offboarding. To succeed in business, you must be able to onboard and offboard staff and subcontractors securely and keep your risk surface minimal.
Now is the time to act so you can successfully manage your IT risk inventory in this fast-paced business environment, as the trends of distributed cloud computing and the growing webs of distributed organizations take hold.
Both active and passive actions are essential
Internal audit and assurance measures can be categorized as active and passive. Active refers to audits and concrete actions carried out by the organization. One significant action is to acknowledge accountability. GDPR (which is awesome, by the way) is a mandate to chart the people who are the controllers and processors of data. As a consequence, risk management and legal have driven the appointment of Data Protection Officers. Companies with the best IT risk governance have a named person responsible for SSH (Secure Shell), as recommended by ISACA.
Here, passive means the right automated tools for privileged access designed to solve this governance conundrum on a practical level. As with all risk management, it’s all about balance and a proportionate response to the factors that are specific to your business and your industry.
IT risk governance is a complex and evolving area and solving the challenge of governance for privileged users requires rock solid expertise. This is a topic my colleagues and I at SSH.COM are always happy to discuss.
Kaisa Olkkonen, CEO, SSH.COM
PS: I highly recommend the ISACA guide on Secure Shell governance.