It’s that time of year when you might be expecting many of your employees (some of whom will be privileged users) to take some well-earned holidays. In their absence, much of their work is delegated to other members of the organization, or in some cases to contractors. Where privileged users are concerned, this usually means that temporary privileged access has to be granted to whoever is covering for them. Managing that access is no easy task, and the practice often leads to an increased risk of privilege abuse.
By now, we all know the danger that privileged users pose to the security and integrity of sensitive data. All it takes is one disgruntled employee with excessive permissions to decimate an organization’s reputation and revenue. We saw this earlier in the year with the Tesla insider that leaked sensitive data, causing Tesla stock prices to drop by over 6%.
Many organizations are now familiar with the Principle of Least Privilege (PoLP) model. This principle states that it is good practice to limit the access that your users have to the bare minimum, so that users only have access to the files, folders and systems that they need to do their job. This makes practical sense, and all organizations should be operating on this model. Many privileged access management solutions help organizations maintain this model by reporting on any changes to permissions that might be seen as excessive or that result in permission sprawl.
Why Privileged Access Management (PAM) Alone is Not Enough
Privileged Access Management (PAM) solutions help to reduce the risk of your users being the cause of data breaches by limiting privileged access. If, for example, you wanted to limit access during certain times of the day or prevent a particular user from having access to PII, you could do this with a PAM solution.
However, PAM solutions have their limitations and, on their own, they aren’t really enough to guarantee that you’re doing all you can to mitigate data breach risks. There are numerous scenarios where PAM solutions can be circumvented, including an administrator who acquires root access and works around them, or users with temporary access whose access is never revoked at the end of the agreed period. In such scenarios, the security controls in place become useless.
In theory, being able to limit access to sensitive files and folders is a great way to limit the damage that your users can do, but it is just one piece of the puzzle.
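The "temporary access that never gets revoked" scenario above is the one most easily closed with a technical control rather than a reminder. The following PowerShell is an added example, not code from the original post or from any vendor's product. It assumes the Active Directory module is available and that the Privileged Access Management optional feature is enabled in the forest, which is what makes the `-MemberTimeToLive` parameter of `Add-ADGroupMember` work; the group and user names are placeholders.

```powershell
# Added example: time-bound group membership that Active Directory removes by
# itself when the TTL lapses, so a holiday stand-in's access cannot linger.
# Assumes the ActiveDirectory module and the "Privileged Access Management
# Feature" optional feature (Windows Server 2016+ forest functional level).
Import-Module ActiveDirectory

$group   = 'CN=FileServer-Admins,OU=Groups,DC=example,DC=com'   # placeholder DN
$standIn = 'jdoe'                                               # placeholder user
$ttl     = New-TimeSpan -Days 14                                # covering period

# Preflight: -MemberTimeToLive fails unless the optional feature is enabled.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    throw 'PAM optional feature is not enabled in this forest; TTL membership is unavailable.'
}

# Grant membership with an expiry instead of a calendar reminder.
Add-ADGroupMember -Identity $group -Members $standIn -MemberTimeToLive $ttl

# Review: with -ShowMemberTimeToLive each member DN is prefixed "<TTL=seconds>,".
$members = (Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member
$members | ForEach-Object { "Member: $_" }

# Detective check for the failure mode in the post: any member of a privileged
# group with no TTL at all is permanent access and should have a justification.
$members |
    Where-Object { $_ -notmatch '^<TTL=\d+>,' } |
    ForEach-Object { "Permanent member (review): $_" }
```

Running the last block on a schedule against every privileged group gives you the list of standing memberships that a PAM review should be questioning; everything with a TTL takes care of itself.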
How Data Access Governance Complements PAM
Everything about data security starts with knowing where your most sensitive data resides, and the current level of risk associated with it. Once you know which files and folders contain the sensitive data, then you can look at who has access to it and monitor when this access changes. Then, lastly, you need to be able to get detailed information on the behaviour of your users in relation to sensitive data. PAM solutions themselves do not offer you all this functionality. To get this level of visibility and increased security, you’ll need to deploy a data access governance (DAG) solution.
There are numerous DAG solutions on the market that have built-in data discovery and classification functionality. However, this functionality tends to be expensive, and there is a workaround. Integrated within the Windows File Server role, specifically within the File Classification Infrastructure (FCI), there is functionality to discover, tag and classify data based on its sensitivity and assign a risk value to it. You can then run reports to see which files and folders contain multiple instances of PII (Personally Identifiable Information), for example.
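As an added illustration of the FCI workaround (this is example code, not from the original post), the PowerShell below defines a "PII" classification property with two risk values, creates a content rule that tags files matching a pattern, runs classification and produces a files-by-property report. It assumes the File Server Resource Manager feature is installed on the file server; the share path, property and rule names are placeholders, and the regular expression is a constructed US-SSN-shaped pattern used only to show the mechanism.

```powershell
# Added example: discover and tag PII with File Server Resource Manager's
# File Classification Infrastructure. Assumes FS-Resource-Manager is installed.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares\Finance'   # placeholder share to classify

# 1. A "PII" property whose values are an ordered list; when several rules
#    apply to one file, the higher-ranked value wins.
$values = @(
    (New-FsrmClassificationPropertyValue -Name 'Low'  -Description 'No PII pattern found'),
    (New-FsrmClassificationPropertyValue -Name 'High' -Description 'Matches a PII pattern')
)
New-FsrmClassificationPropertyDefinition -Name 'PII' -DisplayName 'Contains PII' `
    -Type OrderedList -PossibleValue $values

# 2. A content rule: scan files under the share and set PII=High on a match.
#    The pattern below is constructed for illustration (NNN-NN-NNNN shape).
New-FsrmClassificationRule -Name 'Detect SSN-shaped identifiers' `
    -Property 'PII' -PropertyValue 'High' `
    -Namespace @($sharePath) `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @('\b\d{3}-\d{2}-\d{4}\b') `
    -ReevaluateProperty Overwrite

# 3. Classify now rather than waiting for the scheduled run.
Start-FsrmClassification -Confirm:$false

# 4. Report which files carry the PII tag so that access to them can be reviewed.
#    An interactive report runs once; by default FSRM writes it under
#    C:\StorageReports\Interactive (assumed default location).
New-FsrmStorageReport -Name 'PII files in Finance' `
    -Namespace @($sharePath) `
    -ReportType FilesByProperty -PropertyName 'PII' `
    -ReportFormat @('Csv', 'Html') `
    -Interactive
```

The resulting CSV is the input to the next step in the post: for each file tagged High, compare its ACL against the PoLP model and ask whether every principal on it still needs to be there.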
It’s critical that you know within which files and folders your sensitive data resides, including those that may contain PII, business trade secrets and the like. Once you know this, PAM solutions can help you determine whether your PoLP model is working. One critical part of getting the full benefit of your PAM solution is to have all departments of your organization communicating internally, and specifically with the IT department. IT needs to know what job responsibilities a user has, and whenever they change, so that it can grant the appropriate level of access.
The third piece of the data security puzzle comes in the form of user behaviour analysis (UBA). You have identified which files and folders contain sensitive data and limited access to those files and folders. Now you need a data access governance solution in place to ensure you are auditing and monitoring what your privileged users are doing with the access granted to them.
If you have any hope of spotting potential data breaches, then you need some way of knowing, in real time, when suspicious, unwanted or unauthorised changes are taking place to critical data and the surrounding systems. Most DAG solutions, LepideAuditor included, enable you to do this through numerous pre-defined reports, real-time alerts and other powerful functionality. Only by coupling this with PAM can you get the full value out of both types of solution.
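To show what the auditing piece looks like underneath a DAG product, here is an added PowerShell example (not from the original post and not LepideAuditor functionality) that turns on file-system auditing for a sensitive folder and then reports any access to it by a user who is not on an approved list, using the Windows Security log's event 4663. The folder path, approved-user list and polling window are placeholders; it assumes you run it with rights to read the Security log and to change the folder's SACL.

```powershell
# Added example: a minimal detective control for access to a classified folder.
# Assumes local admin rights (to set the SACL and enable auditing) and the
# ability to read the Security log. Paths and names are placeholders.
$sensitivePath = 'D:\Shares\Finance\Payroll'    # placeholder folder tagged as PII
$approved      = @('svc-payroll', 'hr.manager')  # placeholder accounts expected to touch it

# --- One-time setup ---------------------------------------------------------
# Event 4663 is only generated when the "File System" audit subcategory is on
# AND the object carries a SACL; both are prerequisites, not defaults.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

$acl  = Get-Acl -Path $sensitivePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $sensitivePath -AclObject $acl

# --- Detection --------------------------------------------------------------
function Find-UnapprovedSensitiveAccess {
    param(
        [string]   $Path,
        [string[]] $ApprovedUsers,
        [int]      $WindowMinutes = 15
    )
    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4663 carries its fields as <Data Name="..."> elements; index them by name
        # rather than by position so the script does not depend on field order.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        if ($d.ObjectName -like "$Path*" -and $ApprovedUsers -notcontains $d.SubjectUserName) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                File    = $d.ObjectName
                Access  = $d.AccessMask     # hex access mask; AccessList holds the symbolic form
                Process = $d.ProcessName
            }
        }
    }
}

# Run once for the last 15 minutes; schedule it, or feed it to your SIEM, for alerting.
Find-UnapprovedSensitiveAccess -Path $sensitivePath -ApprovedUsers $approved | Format-Table -AutoSize
```

Polling the log every few minutes is the cheapest form of the "real-time alert" the post refers to; a DAG product adds the correlation (who, from where, how unusual for that user) that a single 4663 event cannot give you on its own, which is why the two controls belong together.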