A recent SolarWinds survey indicates the days of “trust but verify” are long gone. Respondents displayed heightened cybersecurity concerns exacerbated by an expanded attack surface created in large part by remote work.
As such, many have moved on from trust but verify to a zero-trust approach highlighted by adherence to the principle of least privilege (PoLP). With PoLP, users are granted access to the tools, technologies, and data they need to do their jobs and no more. Seventy percent of survey respondents indicated they’re already implementing PoLP or will implement it within the next year.
The question then becomes how to effectively enforce it.
Maintaining appropriate levels of access and control isn’t an easy task and can’t be accomplished manually. After all, people’s jobs change regularly, new employees enter the workforce, and security policies are continually being updated.
Plus, the sheer number of remote workers is helping to increase the potential attack surface. This includes the federal government, where the General Accounting Office estimates 80% of work has been done remotely over the past couple of years.
To better manage the situation, administrators should consider employing three strategies:
Automatically Monitor and Control User Access Rights
Tracking who has access to what data, who’s attempted to access certain files, or when said files were accessed is a full-time job. A better approach is to control access via an access rights management (ARM) system allowing for automated user account creation, modification, or deletion and designed to assign access rights based on users’ roles.
An ARM system can also automatically notify administrators when an individual attempts to access information they’re not privy to. This helps prevent unauthorized access from the inside and helps detect malicious accounts that aren’t part of the access rights list.
Monitor and Audit Administrative Changes
Permission rights changes aren’t always authorized, so it’s important for administrators to continually monitor and audit all administrative changes based on a set of security policies.
For example, a team might establish policies around who’s authorized to change files or permissions or when those changes can occur. These correlation rules are benchmarks and tell a system when something is amiss.
If a system is equipped with automated file integrity monitoring (FIM), it can compare network activity to those benchmarks. Anomalous or inappropriate activity can be flagged, leading to the system automatically blocking access and issuing an alert to allow administrators to respond to suspicious activity quickly and appropriately.
Administrators should also routinely audit privileged account log data. Running a report post-event helps forensically decipher what happened, and running reports every few weeks can help ensure users’ privileges are correct and up-to-date.
Continually Evaluate User Privileges
People’s jobs change all the time. Employees leave organizations, new employees are onboarded, and many people shift roles or get promoted. In each case, access privileges must be adjusted if an agency is to maintain a strong security posture.
Consider what could happen if a person leaves their position at an agency, but their user credentials remain active long after their departure. They could share those files with others, perhaps individuals willing to pay enormous sums of money for classified information. Or, if they’re disgruntled, they could create havoc by simply manipulating or deleting information.
Whatever the case, it’s prudent for administrators to regularly evaluate who has access to what. They must remove users who no longer need access to data and adjust permissions so those who have been promoted have access to information and can do their jobs effectively. Doing so allows for better security and unimpeded productivity—a winning combination in the post “trust but verify” world.
See how the privileged account management tool SolarWinds offers can help you enforce user access management, and sign up for a free demo.