Guarding Against the Risks Posed by Privileged Users and Compromised Credentials
Over the course of the past few decades, computing architectures, security approaches, and security threats have all changed radically. However, over that time, a common security gap has persisted: the risks posed by administrative access privileges.
In order to carry out their responsibilities, administrators need the permissions required to execute such tasks as software installation, system configuration, user permission management, resource allocation, and more. Through this access, administrators virtually always also have access to the data and services that run on the systems they manage. Further, teams of administrators have often shared their administrative credentials. While this made it easier to distribute workloads, it also made it difficult to attribute a specific activity to a specific individual—and so to hold anyone accountable for a policy violation or breach.
While this security gap is nothing new, it is one that has grown increasingly critical to address. In recent years, virtually all servers and equipment an organization relies on have become increasingly interconnected, both with other internally managed systems and with external networks and equipment. With the increasing adoption of virtualization, cloud services, and big data implementations, new layers of administration—and of administrative privileges—are also added that potentially expand the risk.
Administrative privileges have left many organizations exposed to these threats:
- Insider abuse. It is often easy for malicious insiders to abuse their privileges, whether to make money or sabotage the business. These risks are exacerbated in the cloud, where organizations may be exposed to the threat of their own administrators, as well as those of the cloud provider.
- External attacks. Administrative privileges represent a vital asset, and one that is increasingly targeted by external attackers. For example, an advanced persistent threat (APT) attack may use social engineering tactics to gain one administrator’s credentials, and use that as a launching point to access and exploit other systems and services.
The Solution: The Vormetric Data Security Platform
With the Vormetric Data Security Platform, organizations can gain the comprehensive, robust, and granular controls they need to guard against the abuse of privileged user access. The Vormetric Data Security Platform consists of several product offerings that share a common, extensible infrastructure. The solution features capabilities for data-at-rest encryption, key management, privileged user access control, and security intelligence. Through the platform’s centralized policy and key management, customers can address security policies and compliance mandates across databases, files, and big data nodes—whether they’re located in the cloud or in virtual or traditional infrastructures.
The Vormetric Data Security Platform delivers a range of critical capabilities that protect against the abuse of privileged access:
- Separation of privileged users and sensitive user data. With the Vormetric Data Security Platform, administrators can create a strong separation of duties between privileged administrators and data owners. The Vormetric Data Security Platform encrypts files, while leaving their metadata in the clear. In this way, IT administrators—including hypervisor, cloud, storage, and server administrators—can perform their system administration tasks, without being able to gain access to the sensitive data residing on the systems they manage.
- Separation of administrative duties. Strong separation-of-duties policies can be enforced to ensure that one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the Vormetric Data Security Manager supports two-factor authentication for administrative access.
- Granular access controls. In addition to encryption and key management, the solution can enforce very granular, least-privilege user access policies, enabling protection of data from misuse by privileged users and APT attacks. Granular policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options are equally granular; they can be used to control not only permission to access clear-text data, but also which file-system commands are available to a user.
- Secure, reliable, and auditable key management. The solution provides extensive audit capabilities that can be used to report on all activities relating to key usage, including key generation, rotation, destruction, import, expiration, and export.
- Detailed security intelligence. The Vormetric Data Security Platform provides detailed logs that specify which processes and users have accessed protected data. The detailed logs specify when users and processes accessed data, under which policies, and whether access requests were allowed or denied. The logs will even expose when a privileged user submits a command like “switch user” in an attempt to impersonate, and potentially exploit, the credentials of another user. Sharing these logs with a security information and event management (SIEM) platform helps uncover anomalous patterns in process and user access, which can prompt further investigation. For example, an administrator or process may suddenly access much larger volumes of data than normal, or attempt to download files without authorization. These events could point to an APT attack or malicious insider activity.
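As an added illustration (not the platform's own code or log format), the following script shows the kind of correlation a SIEM rule would run over such access logs: it flags switch-user attempts, denied accesses, and any user whose daily read volume spikes above a learned baseline. The key=value log format, the field names, the baseline values, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value format; this is not
# the platform's real log format. Fields: ts, user, proc, policy, op, bytes, result.
SAMPLE_LOGS = """\
ts=2024-05-01T09:02:11 user=dba1 proc=/usr/bin/sqlplus policy=pci-db op=read bytes=1200000 result=ALLOW
ts=2024-05-01T09:15:40 user=dba1 proc=/usr/bin/sqlplus policy=pci-db op=read bytes=900000 result=ALLOW
ts=2024-05-01T22:47:03 user=sysadm proc=/bin/su op=su target=dba1 result=DENY
ts=2024-05-01T23:01:55 user=sysadm proc=/usr/bin/tar policy=pci-db op=read bytes=48000000 result=ALLOW
ts=2024-05-01T23:03:12 user=sysadm proc=/usr/bin/scp policy=pci-db op=read bytes=52000000 result=DENY
"""

# Hypothetical per-user daily baseline in bytes (e.g. learned from prior weeks).
BASELINE_BYTES = {"dba1": 2_500_000, "sysadm": 500_000}
SPIKE_FACTOR = 5  # flag when a user's daily allowed volume exceeds 5x baseline

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV.findall(line))

def analyze(log_text, baseline=BASELINE_BYTES, spike=SPIKE_FACTOR):
    """Return a list of (kind, user, detail) findings worth an analyst's attention."""
    findings = []
    volume = defaultdict(int)  # allowed bytes read per user
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        user = ev["user"]
        if ev.get("op") == "su":
            # Switch-user attempts by a privileged user are always surfaced.
            findings.append(("switch_user", user, f"target={ev.get('target')} result={ev['result']}"))
        elif ev["result"] == "DENY":
            # Policy denials show what a process tried and failed to reach.
            findings.append(("denied", user, f"{ev['proc']} policy={ev.get('policy')}"))
        elif ev["result"] == "ALLOW":
            volume[user] += int(ev.get("bytes", 0))
    # Volume anomaly: compare each user's allowed reads against their baseline.
    for user, total in volume.items():
        base = baseline.get(user)
        if base and total > spike * base:
            findings.append(("volume_spike", user, f"{total} bytes vs baseline {base}"))
    return findings
```

On the sample above only the sysadm account is flagged, once for each of the three patterns, while dba1's reads stay within its baseline.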