Eric Ogren

Security Impact

It's about activity, not privileged users

Controlling the actions of privileged users is the cornerstone of just about every compliance regulation. I was talking with Ted Julian of Application Security about whether this approach can ever become a really effective approach to security. The discussion, which could have used one more latte, centered on the need for security to focus on securing business intellectual property and transactions. Policing of people, while important, is way over-emphasized.

In my experience, the results of corporate initiatives to control the access of privileged users and applications almost always fall well short of expectations. The reason is simple: security seldom knows who all of the privileged users are, and people's job responsibilities and business requirements keep changing. The administrative demands of keeping the lists up to date become impractical, which leads to a wholesale relaxation of the access control restrictions.

Privileged users are the company’s greatest assets -- the trust that the organization puts in them is how they became privileged in the first place -- so they do need some leeway to do what is best for the company... as long as they are authenticated and operations on critical resources are audited. Control and oversight of all activity affecting sensitive data is what business requires.

Standard operating procedure is to have independent auditing of business operations. Businesses must account for who is accessing sensitive data and modifying infrastructure configurations and executables, and must audit what the activity was. It doesn’t really matter if it is a privileged user, application developer, or non-privileged user. What is important is what all users are doing with sensitive information. Vigilance over privileged activity might well have detected patterns of abuse at DuPont, TJX, and the Veterans Administration in time to head off a crisis. It is not the people; it is the activity.

What People Are Saying

Life

This article is about life

I strongly agree. I've been

I strongly agree. I've been an infosec professional for over 20 years and the most costly, challenging, and unrewarding solution models have always been those focusing on the trusted insider. You are right that organizations spend a lot of time and energy hiring and nurturing key personnel. Once these personnel accept promotions, transfer to other departments, or just expand their sphere of control, it is almost impossible to address the associated risks by cutting off access.

In spite of this logic, some product companies and consultants still continue to make millions of dollars chasing this slippery wet snake - only to have it slip out of their hands every single time.

Companies that sell SOD products merely highlight the thousands of internal users with access privileges that conflict with policy. But, users change roles frequently, leave, transfer, etc. And, IT staffs have much more to do than spend all their time reviewing access tables.

In addition, the poor security professionals out there spend their time consolidating logs so they can more easily review them for potential misuse. This puts the responsibility for identifying misuse or fraud into the hands of someone having to use their eyeballs and their own personal experience to identify complex issues within complex data.

Considering the advances made in continuous transaction inspection over the past four years, this seems the way to go. These technologies are only now being adopted by the early adopter community but I've supported a handful of implementations and they are very impressive. They detect very specific types of transactional errors, misuse, and fraud much like IDS systems detect network attacks. For example, check out oversightsystems.com. This is the solution the UN selected to address some of these same issues.
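The column argues for auditing activity on sensitive data and critical configuration regardless of who performs it, and the comment above describes continuous transaction inspection working much like an IDS. The script below is an added illustration of that contrast and is not code from the column, the commenter, or any product named on this page. The audit records, resource names, role list and thresholds are all constructed for the example: a person-centric filter reviews only users on a (stale) privileged-role list, while an activity-centric filter reviews every touch of sensitive data or critical configuration and annotates it with the reasons a reviewer would want to see (off-hours, bulk, destructive or export actions).

```python
"""Person-centric vs. activity-centric review of constructed audit records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (timestamp user role action resource row_count).
# These are invented records, not output from any real system.
SAMPLE_LOG = """\
2024-03-04T09:12:03 alice dba SELECT customers.ssn 1
2024-03-04T09:15:44 bob developer DEPLOY /opt/app/bin/payments 1
2024-03-04T02:41:10 carol analyst EXPORT customers.ssn 50000
2024-03-04T10:03:27 dave contractor MODIFY /etc/app/config.yml 1
2024-03-04T11:20:00 alice dba SELECT inventory.stock 1
2024-03-04T23:58:31 erin dba DROP customers.ssn 1
"""

# Assumed policy inputs for the example.
SENSITIVE_RESOURCES = {"customers.ssn"}            # data whose access must be accounted for
CRITICAL_PATHS = ("/etc/app/", "/opt/app/bin/")     # configuration and executables
PRIVILEGED_ROLES = {"dba", "sysadmin"}              # the kind of list that goes stale
CHANGE_ACTIONS = {"MODIFY", "DEPLOY"}
DESTRUCTIVE_OR_EXPORT = {"DROP", "EXPORT"}
BULK_THRESHOLD = 10_000


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        ts, user, role, action, resource, count = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "resource": resource,
            "count": int(count),
        })
    return records


def flag_by_privilege(records):
    """Person-centric review: only activity by listed privileged roles is examined.

    Whatever a non-listed user does to sensitive data or configuration is never seen.
    """
    return [r for r in records if r["role"] in PRIVILEGED_ROLES]


def flag_by_activity(records):
    """Activity-centric review: examine what was done to which resource, not who did it.

    Returns (user, resource, reasons) tuples so a reviewer sees why each item surfaced.
    """
    findings = []
    for r in records:
        reasons = []
        if r["resource"] in SENSITIVE_RESOURCES:
            reasons.append("sensitive-data")
        if r["resource"].startswith(CRITICAL_PATHS) and r["action"] in CHANGE_ACTIONS:
            reasons.append("config-or-executable-change")
        if not reasons:
            continue  # activity on non-critical resources is not reviewed
        hour = r["ts"].hour
        if hour < 7 or hour >= 22:
            reasons.append("off-hours")
        if r["count"] >= BULK_THRESHOLD:
            reasons.append("bulk")
        if r["action"] in DESTRUCTIVE_OR_EXPORT:
            reasons.append("destructive-or-export")
        findings.append((r["user"], r["resource"], tuple(reasons)))
    return findings


def access_ledger(records):
    """Account for who touched each sensitive resource or critical path, any role."""
    ledger = defaultdict(set)
    for r in records:
        if r["resource"] in SENSITIVE_RESOURCES or r["resource"].startswith(CRITICAL_PATHS):
            ledger[r["resource"]].add(r["user"])
    return {resource: sorted(users) for resource, users in ledger.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("person-centric sees only:", sorted({r["user"] for r in flag_by_privilege(recs)}))
    for user, resource, reasons in flag_by_activity(recs):
        print(f"activity-centric: {user:6} {resource:24} {', '.join(reasons)}")
    print("ledger:", access_ledger(recs))
```

On the constructed records the role-based filter surfaces only the two "dba" users and never sees the analyst's bulk off-hours export or the contractor's configuration change, while the activity-based filter surfaces all five touches of sensitive data or critical paths with reasons attached, and the ledger answers the column's accounting question (who accessed what) without needing an up-to-date list of who is privileged.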