Carl Weinschenk spoke with Adam Bosnian, vice president of Products, Strategy and Sales at Cyber-Ark. In late May, the company released a survey showing a growing share of IT personnel accessing data they are not authorized to see.
Weinschenk: What did you learn from the survey?
Bosnian: The survey says organizations should no longer implicitly trust the IT guys. Now my job as an IT guy is to protect an organization from everyone in the organization - including myself. Our survey kind of reflects that move, which is still in its early stages. I don't know if these folks are under additional scrutiny, but the decisions being made are to bring these folks under the same level as others.
Weinschenk: That seems like quite a change.
Bosnian: What's happened is that we've gotten the perimeter security pretty good. Regulators and bank examiners have said that we've done a really good job. But we have no idea who is doing what within the organization. That's really the difference we've seen in the focus in an organization from the security perspective. What we are starting to understand is that insider threats are 80 percent perpetrated by people with privileged access. Not you and I, but people who have privileged access. Over half of those people are no longer supposed to have privileged access.
Weinschenk: How does that happen?
Bosnian: I get privileged access for a short amount of time, maybe to work on an application on the production server, so I am given system administrator rights. I then go back to my normal job but have never had the admin rights removed or never changed the password, so in three months I can still use the password. But when I do use it, there are no footprints on who used it because it is a shared account. If I log on in a shared account as system administrator, nobody knows who I am. There is no log anywhere that brings it back to Adam Bosnian. I can go and do anything. I am implicitly trusted by the organization and there are no footprints.
Weinschenk: Isn't it true that this situation is changing as regulations become more stringent?
Bosnian: You are asked to show you have control. Regulators say if you can't prove who logged in, you can't show me that you have control of that system. That's the base level. It really boils down to proving to me who logged into the system. If you can't, you don't really have control of your systems.
Weinschenk: Are these shortcomings difficult to fix?
Bosnian: One area that is relatively straightforward and low cost is finding a way to associate system administrator accounts with people who logged in. Rather than have passwords on yellow sticky notes, software should keep identities in a centralized repository. We call it a digital vault. The person logs in with a normal login and authentication. Once he is logged in, he gains access to a password. From a behavior change cost, you are adding two clicks to get the password that, before, the user kept in his head. Those two clicks mean that the company knows the password is secure, who had access to it and when it was returned. It also changes the password so the old one that I used won't work anymore. It's not extremely costly. The software is 20 to 50 grand, that kind of thing. But it's not too costly a product or too much of a behavior change cost.
Weinschenk: Is there another layer to this?
Bosnian: Instead of the system admin person logging into the server, it's an app logging into a database, such as a financial application getting data in a database somewhere. It's machine-to-machine communications. In that environment, the identity to allow logging into that database is somewhere programmatically in a script, a file, or an application. Somewhere it is hard-coded, in some cases in clear text where someone could read and use it. Even if it had a database monitoring tool watching, it looks like the application is logging in, not Adam Bosnian. To fix that problem, you have to modify the application. You have to remove the hard-coded password. In the middle, there's a little script. In that script is a password that needs to be taken out of the script and put into the digital vault. A function call must be put in there. When the application wants to log into the database, it will go to the vault and log in that way. It's a little more costly to solve that problem.
Weinschenk: How much is the trend of watching administrative activities growing?
Bosnian: No one proactively wakes up in the morning and says I want to fix this problem. They may know it exists and that how they are doing things is not the best way. But it's not the top priority in their mind to fix it, except that now it is highlighted on a regular basis by the auditor. Now they know they have something they need to fix. That garage door is not high on my priority list, but as soon as the inspector says he will fail the house and it will not sell, that raises the priority to go and fix it. It gives us the ability to say it is a priority and provides the rationale to actually get the dollars.