Simple question: who in your organization has the most entitlements, and is that dangerous?
This entry is in response to a new tactic one of our competitors is using to convince prospective customers that the way to detect which employees are the most dangerous is to scan through all of the entitlements and count who has the most. That supposedly points to users who have too many entitlements, so they must be abusing the system. "Mary has 54 Active Directory groups tied to her userid, so she must be up to no good." The competition says this is the person you need to vet and keep under strict surveillance.
Too bad the client bought it. They are going to spend a lot of time tracking the wrong people.
So I ask the question: if you treat entitlements like keys on a keychain, who has the most keys on their keychain (apart from the security guards)? According to this bent logic, the one with the most keys is the one most likely to be up to no good.
The answer is quite simple: the cleaning staff.
They have keys (or a smart card such as a Java Card badge) that allow them to wander pretty much anywhere in your building. The data center. The backup generator room. The CEO's office.
So let's clamp down on the janitor and get approvals/certifications for every key on their keychain.
Too bad you would miss the administrative assistant to the CEO who has only three keys, but one of them is to the backup server room.
You see, it's not the number of keys you have on your keychain, but why you have a particular key on the keychain at all. If you scan Active Directory, you will probably find that Mary in our example does have 54 groups assigned to her, but her role is managing user group meetings for the company, and 46 of those AD groups are old distribution lists (email lists) from past shows that are no longer of much use and were not considered a security risk even when they were in use.
Congratulations. You have found that Mary is not a security risk, just lazy about deleting old meeting email aliases.
So it's not the number of entitlements, but what the entitlement is in context. It's entirely proper for the cleaning staff to have a key to the backup server room; they have to enter to clean the room.
However, what you would find suspicious is doing a role scan and finding that all administrative assistants to directors, AVPs, and higher in the finance department have the same 5 entitlements (keys), but one admin assistant has a sixth key the others in her role do not. She, too, has a key to the backup server room.
That should raise a yellow flag and trigger an investigation. Why does the admin need access to the backup server room? Did she use to work there and nobody collected her key when she transferred? Did she make a copy so she can download client information after hours to sell on the black market? Did she find it one day in the lunch room and never give it back?
A quick follow-up investigation with the manager of the backup server room might find that, yes, one financial administrative assistant has the key so she can drop off a copy of the CEO's external backup drive once a week as a security precaution, or pick up the CxO's private faxes that come in on a printer in that room.
It's okay then. It's an anomaly, but everyone agrees that it's okay.
Which then raises the question: should other administrative assistants also have access to the backup server room in case she is on vacation or ends up on leave? Perhaps others should have this privileged key as well, now that we know it's part of their needed entitlements.
The key here is not to count the number of entitlements or keys, but to use analytics to identify the critical keys and anyone in the organization whose access to a privileged key is abnormal for their role. That is an effective identity management approach.
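To make the difference between the two approaches concrete, here is a small added example in Python (my illustration, not code from the original post or from any product). The userids, roles, entitlement names and the "critical" list are constructed for the example. It ranks users by raw entitlement count, then runs the role scan described above: for each role, an entitlement held by half or fewer of the role's members is a peer-group outlier, critical outliers become findings, a manager's approval removes a finding, and the approved exception is turned around to list the peers who lack that key.

```python
from collections import defaultdict

# Constructed sample data for this example (not from the original post).
# Each userid maps to a role and the set of entitlements (AD groups, door
# keys) tied to that userid. "mary" has the most entitlements, mostly stale
# distribution lists. One finance assistant holds a key her peers lack.
FIN_BASELINE = {"FIN-Share", "Calendar-Exec", "Expense-Submit",
                "VPN-Users", "Office-Printers"}
CLEANING_KEYS = {"Door-Lobby", "Door-DataCenter", "Door-BackupServerRoom",
                 "Door-GeneratorRoom", "Door-CEO-Office"}
USERS = {
    "mary": {"role": "events-coordinator", "entitlements": {
        "DL-Expo2007", "DL-Expo2008", "DL-Expo2009", "DL-Expo2010",
        "DL-Expo2011", "DL-Expo2012", "VPN-Users", "Office-Printers"}},
    "cleaner1": {"role": "cleaning-staff", "entitlements": set(CLEANING_KEYS)},
    "cleaner2": {"role": "cleaning-staff", "entitlements": set(CLEANING_KEYS)},
    "asst_a": {"role": "finance-admin-assistant", "entitlements": set(FIN_BASELINE)},
    "asst_b": {"role": "finance-admin-assistant", "entitlements": set(FIN_BASELINE)},
    "asst_c": {"role": "finance-admin-assistant", "entitlements": set(FIN_BASELINE)},
    "asst_d": {"role": "finance-admin-assistant",
               "entitlements": FIN_BASELINE | {"Door-BackupServerRoom"}},
}

# Entitlements the organization has classified as critical (hypothetical list).
CRITICAL = {"Door-DataCenter", "Door-BackupServerRoom",
            "Door-GeneratorRoom", "Domain-Admins"}


def rank_by_count(users):
    """The 'count the keys' approach: userids sorted by entitlement count,
    most first. Included only to contrast with the peer-group analysis."""
    return sorted(users, key=lambda u: len(users[u]["entitlements"]), reverse=True)


def peer_outliers(users, max_share=0.5, min_peers=2):
    """Return (userid, entitlement, share) for every entitlement held by at
    most `max_share` of the members of the holder's role. Roles with fewer
    than `min_peers` members have no baseline and yield no findings (which is
    why mary, the only events coordinator, is never flagged here)."""
    by_role = defaultdict(list)
    for uid, rec in users.items():
        by_role[rec["role"]].append(uid)

    findings = []
    for members in by_role.values():
        if len(members) < min_peers:
            continue
        holders = defaultdict(int)  # entitlement -> number of peers holding it
        for uid in members:
            for ent in users[uid]["entitlements"]:
                holders[ent] += 1
        for uid in members:
            for ent in users[uid]["entitlements"]:
                share = holders[ent] / len(members)
                if share <= max_share:
                    findings.append((uid, ent, share))
    return sorted(findings)


def critical_findings(users, critical, approved=frozenset(), **kwargs):
    """Peer outliers restricted to critical entitlements, minus the
    (userid, entitlement) pairs a manager has already reviewed and approved."""
    return [(uid, ent, share) for uid, ent, share in peer_outliers(users, **kwargs)
            if ent in critical and (uid, ent) not in approved]


def peers_missing(users, approved):
    """For each approved exception, the role peers who lack that entitlement:
    candidates for the same access if it really is part of the role."""
    result = {}
    for uid, ent in approved:
        role = users[uid]["role"]
        result[(uid, ent)] = sorted(
            peer for peer, rec in users.items()
            if rec["role"] == role and peer != uid and ent not in rec["entitlements"])
    return result


if __name__ == "__main__":
    print("most entitlements:", rank_by_count(USERS)[0])
    print("peer outliers:", peer_outliers(USERS))
    print("critical findings:", critical_findings(USERS, CRITICAL))
    approved = {("asst_d", "Door-BackupServerRoom")}
    print("after approval:", critical_findings(USERS, CRITICAL, approved))
    print("peers to consider:", peers_missing(USERS, approved))
```

Two things worth noticing when you run it. The count-based ranking puts mary first and never mentions asst_d, while the role scan flags only asst_d's backup room key and says nothing about mary. And both cleaners hold the critical data center and backup room keys without being flagged, because within their role that access is the norm, not the anomaly. The `min_peers` check is the caveat a practitioner will hit first: a role with one member (or a sloppy role model) gives you no baseline, so the analytics are only as good as the role data behind them.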
One last question: does it bother anyone other than me that I have never seen the pilot of a commercial airliner pull out a set of keys to fly the airplane?