Access all areas? Tracking and managing the privileged users

An organisation’s privileged users pose a very particular set of security challenges. These are the users with more authority to access systems and data than general users; and the greater the privileges, the greater the security risk.

They hold the keys to a wealth of valuable information and, in the wrong hands, these privileges mean they have the power to inflict massive damage to a company. Readers only have to look back to the latest wave of Wikileaks revelations to see the repercussions of the unsanctioned disclosure of confidential documents.

But do organisations really know who these privileged users are? Here, this article explores the importance of managing privileged access rights; from those who are administrating SAP to those with the highest privileges, the so-called ‘super-users’.

>See also: Mistakes that lead to loss of corporate data in the cloud

In today’s fast moving corporate world, it’s more important than ever to keep a handle on policies and rights that govern access to systems, files and databases.

A hierarchy of privileges

Privileged users can be defined as those users who have more authority and access to an information system than a general user. This straightforward definition, however, belies a more complex reality where ‘privileged’ status now encompasses a broad range of users across different functions, and at different levels of an organisation.

At the top of the privileged rights hierarchy are the organisation’s ‘super users’ who have unrestricted access rights to operating systems, databases and applications. This includes the administrator on Microsoft Windows, the root user on UNIX/Linux, or those who are using Microsoft Azure based virtual machines.

These are often shared among IT staff such as system administrators or network administrators. Whilst they may not be at the top of the managerial hierarchy, in access terms, these users wield considerable power.

Those with privileged status also include business or IT managers using privileged personal accounts, or those users given ‘emergency’ access to fix a specific issue, such as IT operators and help desk personnel.

At most organisations, this status is not confined to IT roles; it can also include users with elevated privileges that have access to sensitive data stored in key applications such as SAP or financial systems, CRM or payroll.

Again, these users can be at varying levels of the organisation’s hierarchy from HR and customer service employees, to accountants and board level Executives – the CFO or CEO.

Beyond those personnel on the organisation’s payroll, third parties – whether it’s service providers, independent consultants or contractors, who are essential to business and IT operations – are also, by the nature of the work that they’re doing, able to access an organisation’s critical systems and sensitive data. Given this, these outsiders will be in a position of enormous trust.

>See also: Why organisations are getting cyber security so wrong

All these responsibilities come with heightened risks. These users are an obvious and attractive target for professional hackers, APTs and ever more sophisticated social engineering techniques targeting those with access to networks, systems and data.

However, it’s not only external hackers that are the cause of security incidents involving privileged accounts. Serious breaches can occur as a result of insider activity whether malicious or accidental – from human error to employees seeking shortcuts and breaking security policies, or breaches of sensitive data as a result of a rogue insider. And the fact is, no organisation is immune.

Know your rights

Managing these high-risk users is about developing a set of best practices so that user rights and user behaviour can be monitored. It’s also important to remember that these are rights which don’t remain static.

As organisations evolve, personnel join and leave and individuals’ roles change, security departments need to keep tight control on privileged access.

The starting point for this is to audit your current user access management rights, based on formal policies and processes. When developing access control and management systems, legal regulations and standards should be taken into consideration and it is often worth treating users with privileged access separately.

Each user, including privileged users, should only be granted the rights necessary to perform their job role and which is aligned to their duties. Often there are levels of access which are not necessary for a person to do their job.

Even system administrators should only have access to those systems they absolutely need for business and operational reasons.

>See also: Best practices for optimising SIEM environments

To further protect against misuse, use named accounts properly for personal accountability. Should there be technical reasons to justify the use of shared user accounts, it’s then important to investigate which solutions can help mitigate the associated risks.

Access to these accounts should be restricted, and use of these accounts should be strictly controlled.

Don’t rely on log management to prevent attacks. Organisations need additional checks in place and it is only by monitoring behaviour in real time that they can address what has happened after a user has gained access to an account.

This is where a privileged user monitoring (PUM) solutions can fill the gap and provide detailed and traceable records of actions.

Machine learning algorithms can be applied to compare activities against the typical user behaviour and analyse anomalies in real time to prevent the execution of unwanted commands or actions.

If activity is detected that deviates from the typical behaviour of the user, the security team is alerted, to prevent breaches before they happen. This approach of ‘continuous authentication’, is needed to verify privileged users and to prevent attacks from within the perimeter.

Preventing privileged account misuse is one of the toughest challenges for security teams and insider threats can be the hardest to detect, taking months or even years to come to light.

However, there are ways that teams can take control and this starts with knowing who the ‘risky’ users are, and putting tools and policies in place to protect your company’s most important digital assets.


Sourced by Csaba Krasznay, product manager, Balabit

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics