Monday, April 16, 2007
Current Privileged User Monitoring Solutions Don't Leverage Lessons from the Past
I just read a ComputerWorld blog entry written by Eric Ogren regarding the need to focus "Privileged User Monitoring" on transaction and business monitoring versus the old access management model.
I could not agree with him more. If there's one thing information security professionals can tell you with confidence... it's what does not work. Things change so frequently within the IT risk domain that it's often difficult to solve a problem with certainty. But, when it comes to dealing with "trusted" users in the real world, we all know what doesn't work. What does not work is printing out long monthly lists of users with "excess privileges" and expecting this to significantly reduce the risk of fraud and misuse - at least at the material levels associated with SOX and A-123. In today's world, access management and provisioning is a serious manpower drain. And, when you couple this with the need to provide periodic reports identifying the issues and progress, that just adds more manpower requirements... UNLESS you shift the focus to the highest-risk issues and higher-impact solutions.
Printing out these monthly excess-privilege lists places a huge burden on our IT and InfoSec professionals, but operational realities are operational realities. Key managers still receive conflicting privileges in order to support all areas under their control. And, key managers also receive powerful privileges such as those allowing them to actually "override" existing system-based controls. 99% of the time these privileges are used, they're probably just doing their job and ensuring the business keeps on functioning properly. But, it's that other 1% that can result in a major failure - e.g., a privileged user modifying quarterly revenue with a simple manual journal entry to conceal a bad quarter. In this case, the user is just using an "authorized" privilege for an "unauthorized" change.
And, what about when an AP Manager creates a vendor, purchase order, invoice, and voucher as part of an elaborate procurement fraud scheme?
Or, when a database administrator uses their root access to make modifications to a payment record just before it's released through the EFT system?
All of these are real examples of high-risk conditions and real-world incidents concerning trusted insiders - or privileged users.
So, let's stop using the 20/80 solution model and flip things around and do the 80/20 thing. Meaning, let's stop focusing on routine user access privilege conflicts and, instead, monitor and detect the use of privileges to misuse the system or conduct fraud.
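To make the contrast concrete, here is an added example (not from the post or any product it mentions) that puts the two models side by side on constructed data: a static entitlement review that lists everyone who merely holds the conflicting procure-to-pay privileges, versus a transaction-level check that only flags the user who actually drove the whole vendor / PO / invoice / voucher chain alone. User names, vendor IDs and audit event shapes are hypothetical.

```python
from collections import defaultdict

# Hypothetical "toxic combination": one person driving the full procure-to-pay chain.
PROCUREMENT_CHAIN = {"create_vendor", "create_po", "create_invoice", "create_voucher"}

# Constructed entitlement snapshot (the input to the old monthly excess-privilege list).
ENTITLEMENTS = {
    "jdoe":   {"create_vendor", "create_po", "create_invoice", "create_voucher"},
    "asmith": {"create_vendor", "create_po", "create_invoice", "create_voucher"},
    "bjones": {"create_po"},
    "cwu":    {"create_voucher"},
}

# Constructed audit trail: who did what against which vendor record.
AUDIT_EVENTS = [
    {"user": "jdoe",   "action": "create_vendor",  "vendor": "V-1001"},
    {"user": "jdoe",   "action": "create_po",      "vendor": "V-1001"},
    {"user": "jdoe",   "action": "create_invoice", "vendor": "V-1001"},
    {"user": "jdoe",   "action": "create_voucher", "vendor": "V-1001"},
    {"user": "asmith", "action": "create_vendor",  "vendor": "V-2002"},
    {"user": "bjones", "action": "create_po",      "vendor": "V-2002"},
    {"user": "asmith", "action": "create_invoice", "vendor": "V-2002"},
    {"user": "cwu",    "action": "create_voucher", "vendor": "V-2002"},
]


def static_excess_privilege_report(entitlements, chain=PROCUREMENT_CHAIN):
    """Old model: every user who merely *holds* all privileges in the chain."""
    return sorted(user for user, privs in entitlements.items() if privs >= chain)


def find_single_actor_chains(events, chain=PROCUREMENT_CHAIN):
    """New model: {(user, vendor): actions} where one user *performed* the whole chain.

    Events are grouped per (user, vendor) so the same chain split across two
    people (asmith/bjones/cwu on V-2002) is correctly left out.
    """
    performed = defaultdict(set)
    for event in events:
        if event["action"] in chain:
            performed[(event["user"], event["vendor"])].add(event["action"])
    return {key: sorted(acts) for key, acts in performed.items() if acts >= chain}


if __name__ == "__main__":
    print("excess-privilege list:", static_excess_privilege_report(ENTITLEMENTS))
    print("chains completed by one user:", find_single_actor_chains(AUDIT_EVENTS))
```

Both jdoe and asmith land on the static list, but only jdoe is flagged by the transaction check, which is the 80/20 shift the post argues for.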
posted by Zeleon @ 5:59 PM