Data Loss Prevention: Step 2 - Manage Privileges

Tuesday, December 13, 2011

Rafal Los


I'm writing a series of posts to follow up on my blog post titled "Data Loss Prevention - Without the New Blinky Boxes" which addressed some of the silliness that comes with believing that DLP comes in a box, or is a product you can buy to solve your DLP needs. Welcome to part 2 (part 1 here)...

In this series I'm addressing how to do true Data Loss Prevention without the typical need to buy more blinking boxes that sit in a closet and accumulate logs and require humans to operate - and let's be totally honest, they really add very little value with a much bigger budgetary spend anyway.

If your enterprise is serious about Data Loss Prevention one of the most important things to do is maintain and manage privilege properly across your enterprise.  In most enterprises, where privileged access belongs to large, and often poorly-kept groups, all the blinking boxes on the wires won't really help you. 

Getting back to basics is critical, and one of the most basic of basics is managing the rights to your data, your systems, and your critical operations. Let's take a critical, step-by-step look at how managing privileges can greatly decrease your likelihood of leaking data.

Understanding Privilege

Many administrators of mission-critical systems are often frustrated because of the "too many cooks in the kitchen" complaint.  When you have too many administrators who can (and often do) make changes or move things around it becomes difficult to maintain a stable environment. 

The level of control over your organization's technology change (i.e. change management or ITIL) will directly impact how well the systems, networks, and applications are secured.  Trust me on this one.

Privilege, in many large organizations as well as small, means the ability to access or change something critical.  Privilege only matters when something important is on the line. 

Understanding your population's ability to make critical changes, or access critical components or data, is one of the most important things you can do if you want to truly get a handle on data loss prevention.

Let's look at some examples of privilege that's critical to keeping your organization from leaking data:

  • local rights - How much privilege does each employee get on their corporate laptop?  What about on their corporate mobile phone?  What about on that tablet that's personal, but used for business email some of the time?  These are tricky issues but require serious consideration... but the good news is that they can often be solved by thinking critically and getting the right types of foundational strategies in place.  Yes, you'll likely need to buy some software to help you ...
  • application 'developer' admin access - Often times, developers get access to an application because they're doing development, debugging and troubleshooting, but when the project ends or the application goes live those privileges don't get revoked.
  • employee mobility - As employees move within teams, within your organization their rights to administer systems tend to add up, rather than change appropriately with their roles.  Role-appropriate access should be reviewed as part of an employee's HR change within an organization
  • partner access - Do your partners have access to your systems?  Often times when organizations create partnerships they open up access to their systems - but rather than taking the time to understand the specific system and roles needed, a general 'firewall hole' is opened and general access is granted - this of course is then forgotten about when the partnership goes away.
  • access granularity - An unfortunate byproduct of how fast organizations have been forced to move is the inability to take the time needed to fully understand a new (or existing) employee's role within the organization and the rights they will need.  Creating, maintaining, and revoking accurate privileges is critical, and often times requires complex identity management solutions (IDM).  The issue with identity management is that it's very tricky, extremely complex, and takes resources and planning.

Enforcing Privilege Without Shelling Out

It's worth repeating that one of the most important things to do when thinking about preventing data leakage and loss is to manage privilege appropriately.  I'll let you in on a little secret to how I've seen this done really well - in an organization that was already in deep trouble and had been run poorly for years.

First, form a small task force that's comprised of a member of each of the following operational teams: user management, human resources, applications, networking and obviously security. 

In a minute I'll lay out a plan of attack for how you'll want to go through and vet out the who, what, where, how, and why of privilege.  This small tiger team should focus on identifying roles within the organization, users who fill them, and fluidity of change. 

Getting a handle on change is critical, did I mention that already?

Now, here's what you're going to do in order:

  1. Set up privilege monitoring on critical applications - first and foremost set up monitoring of who accesses your critical applications, when, and how; you'll need a good understanding of how these systems really work
  2. Audit access to critical data-space - you should probably already know where your critical information lies (if you don't, go back and read my previous post on the topic) so turn on auditing of who accesses that information, when, and by what means for analysis
  3. Audit access to systems and networks - just like in the previous item, spend a few weeks auditing who accesses your systems and networks, from where, when and how - this will be critical for review
  4. Build access models - take auditing data and build access models then present them to the data custodians (people who actually own these assets in your organization) for verification that these are the absolute least privileges needed to conduct business - you'll likely raise some eyebrows when the data custodians realize who's accessing information, and how much
  5. Coordinate in-place privilege change - create new roles, groups, rules, policies based on item #4 above, then start to implement them (disable but don't remove the old items just yet!) starting with the least important systems and working your way to the most important... don't start with ERP or customer service apps, always get to those last when you know your system is working
  6. Create strong change-control for user management - once you've got sanity in your existing critical environment, dig into the change control processes and make sure that everything from HR changes (hire/fire) to role changes (customer service for group A, to customer service for group B) go through proper role and access review to commission and de-commission privileges appropriately.
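The "build access models" step above comes down to comparing what each account has been granted with what the audit data shows it actually used. The following is an added example, not code from the original post; the account names, resources, actions and data layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): current grants per (account, resource).
GRANTED = {
    ("alice", "erp-db"): {"read", "write", "admin"},
    ("bob", "erp-db"): {"read"},
    ("carol", "hr-share"): {"read", "write"},
    ("dev-svc", "crm-app"): {"read", "admin"},
}

# Constructed audit events from the observation window: (account, resource, action).
AUDIT_EVENTS = [
    ("alice", "erp-db", "read"),
    ("alice", "erp-db", "write"),
    ("bob", "erp-db", "read"),
    ("bob", "hr-share", "read"),   # access with no recorded grant
    ("dev-svc", "crm-app", "read"),
]

def build_access_model(events):
    """Collapse audit events into the set of actions each account actually used."""
    used = defaultdict(set)
    for account, resource, action in events:
        used[(account, resource)].add(action)
    return dict(used)

def review_items(granted, used):
    """Compare grants with observed use; return findings for the data custodians."""
    findings = []
    for key in sorted(set(granted) | set(used)):
        g, u = granted.get(key, set()), used.get(key, set())
        if not u:
            findings.append((key, "dormant", sorted(g)))            # granted, never used
        else:
            if g - u:
                findings.append((key, "unused-rights", sorted(g - u)))
            if u - g:
                findings.append((key, "ungranted-use", sorted(u - g)))
    return findings

def proposed_least_privilege(granted, used):
    """Candidate grant = rights that are both granted and observed in use."""
    out = {k: sorted(g & used.get(k, set())) for k, g in granted.items()}
    return {k: v for k, v in out.items() if v}

if __name__ == "__main__":
    model = build_access_model(AUDIT_EVENTS)
    for (account, resource), kind, actions in review_items(GRANTED, model):
        print(f"{account:8} {resource:9} {kind:14} {','.join(actions)}")
```

The proposed grants are input for custodian verification, and a short audit window will miss rights that are only exercised occasionally (quarter-end jobs, for example).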

I hope this helps you.  Much of this strategy won't require you buying anything, but admittedly some of it will. 

The most important thing you can do here is get a handle on your own environment... and know that the critical information you know about is being accessed with the least privilege possible by only the necessary individuals or systems.

You won't be able to keep all the bad guys out - but you'll have a sane handle on exactly what is happening, and what your users are doing.

Look for part 3 of the series coming soon!

Cross-posted from Following the White Rabbit
