CIOs are struggling to defuse a double-primed ‘trust time bomb’ that threatens organisational security from both the shop floor and the supply chain. Why is this so? The well-credentialed Jo Stewart-Rattray, Director of Information Security at a national accounting firm, explains the organisational risk created by employees morphing into super-users who have accumulated enough network access to damage a business.
A further challenge involves trust issues created by the increasing attraction of cloud computing to businesses that are seeking to reduce the capital and operational cost of their technology systems.
While the software-as-a-service business model appeals strongly through its fee-for-service simplicity, it creates a Medusan trust tangle about where corporate data resides, how it is protected and who has responsibility if that integrity is infringed.
Many providers, including Microsoft, offer free cloud storage as part of their SaaS offerings, and that is where the questions begin: Who owns that data? In which jurisdiction does it reside? What security is in place to protect it? The bottom line for cloud computing is whether businesses are entering into contracts that answer these questions or simply taking their information security on blind faith.
However, the more immediate challenge is the poorly recognised threat posed by weak privileged user access management, which became evident earlier this year when I chaired a CIO meeting that examined security threats associated with user privilege policies.
‘User privileges’ was the hot button issue for the 16 CIOs seated around the table: many thought they were alone in dealing with this problem because it appeared to have an easy fix.
However, at the end of the day, those executives went back to their workplaces recognising that it is a widespread issue from which both government and private sector organisations are suffering. They put managing user privilege policies and the related tools at the top of their action lists.
The difficulty in addressing this user privilege vulnerability is that it creates conflict between an organisation’s security and its culture.
User privilege is often associated with trust. However, trust alone is not a control. Without adequate controls, this is a trust time bomb just waiting to explode. This is evident in the fact that we’ve seen high-profile rogue administrators come out of the woodwork recently.
As well as a granular view of security challenges from my role with RSM Bird Cameron, I have an industry-wide perspective as co-chair of an international task force within ISACA.
These perspectives reinforce that this troubling culture of excessive user privilege on computer networks has developed over many years. At the recent AusCert conference in Queensland, the trust time bomb was a topic of recurring concern for delegates. People are accumulating extraordinary amounts of access that is not needed to do their jobs.
One example was an employee who built up a remarkable level of computer network access during years at an organisation. When a new employee joined the business, the manager said to copy the network privileges held by the long-serving employee, which is a ridiculous risk.
Cradle-to-grave user management has gone by the wayside. CIOs are starting to recognise that there is a dire need for the life-cycle management of users, but they are unsure of where to start.
One CIO said the challenge is to balance trust with an intentional culture of security. In some respects, because trust has existed historically, we are talking about an intentional change of culture, which is harder to effect. In the beginning, security is intentional and, over a period of time, it becomes automatic.
Privileged user management is a hot topic at the moment. A central tenet of this approach is the principle of ‘least privilege’. Rather than making every user a network administrator, this gives each user just the network access required to perform his or her job. Even system administrators should maintain a distinction between their privileged system administrator account and their day-to-day account.
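The controls described in this article lend themselves to a periodic access review. The script below is an added example, not code from the author or RSM Bird Cameron: it models role baselines for least privilege and then flags the four conditions discussed above, namely entitlements beyond a role's baseline, a newer user whose access exactly mirrors a longer-serving colleague (the ‘copy their privileges’ anti-pattern), a privileged account that is also used for everyday applications, and a leaver whose account was never disabled. The role names, entitlement strings and sample accounts are all constructed for illustration.

```python
"""Access-review audit for privilege creep, cloned access, admin/day-to-day
mixing and orphaned accounts. All role names, entitlements and accounts
below are constructed sample data, not from any real organisation."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Least privilege: each role gets exactly the entitlements it needs.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "accountant": {"ledger:read", "ledger:write", "email"},
    "helpdesk": {"email", "tickets:write", "ad:reset-password"},
    "sysadmin": {"email", "ad:admin", "servers:root", "backup:restore"},
}

# Entitlements that belong only on a dedicated privileged account.
PRIVILEGED: Set[str] = {"ad:admin", "servers:root", "backup:restore"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str]
    joined: int                      # year the person joined (constructed)
    employed: bool = True            # False once HR records the leaver
    enabled: bool = True             # directory account still active
    daily_apps: Set[str] = field(default_factory=set)  # apps used interactively


def excess_privileges(acct: Account) -> Set[str]:
    """Entitlements beyond the account's role baseline (privilege creep)."""
    return acct.entitlements - ROLE_BASELINES.get(acct.role, set())


def cloned_from(acct: Account, population: List[Account]) -> List[str]:
    """Longer-serving users whose entitlement set this account mirrors exactly,
    reported only when the shared set exceeds this account's own baseline."""
    if not excess_privileges(acct):
        return []
    return [o.user for o in population
            if o.user != acct.user and o.joined < acct.joined
            and o.entitlements == acct.entitlements]


def mixes_admin_and_daily(acct: Account) -> bool:
    """Privileged entitlements on an account that is also used for everyday
    work (mail, browsing) break the admin / day-to-day account separation."""
    return bool(acct.entitlements & PRIVILEGED) and bool(acct.daily_apps)


def orphaned(acct: Account) -> bool:
    """A leaver whose account is still enabled: a lifecycle-management gap."""
    return acct.enabled and not acct.employed


def audit(population: List[Account]) -> Dict[str, List[str]]:
    """Run every check over the population and group findings by type."""
    findings: Dict[str, List[str]] = {
        "excess": [], "cloned": [], "admin_daily_mix": [], "orphaned": []}
    for a in population:
        extra = excess_privileges(a)
        if extra:
            findings["excess"].append(f"{a.user}: {sorted(extra)}")
        sources = cloned_from(a, population)
        if sources:
            findings["cloned"].append(f"{a.user} mirrors {', '.join(sources)}")
        if mixes_admin_and_daily(a):
            findings["admin_daily_mix"].append(a.user)
        if orphaned(a):
            findings["orphaned"].append(a.user)
    return findings


# Constructed sample population.
CREEP = {"ledger:read", "ledger:write", "email", "ad:admin", "servers:root"}
SAMPLE: List[Account] = [
    # Long-serving accountant who accumulated admin rights and uses the
    # same account for mail and browsing.
    Account("alice", "accountant", set(CREEP), 2005, daily_apps={"email", "browser"}),
    # New starter whose manager said "give bob whatever alice has".
    Account("bob", "accountant", set(CREEP), 2023),
    # Helpdesk user with exactly the baseline.
    Account("carol", "helpdesk", set(ROLE_BASELINES["helpdesk"]), 2015),
    # Sysadmin with a separate privileged account (no everyday apps on it)
    # and a day-to-day account without privileged entitlements.
    Account("dave-admin", "sysadmin", set(ROLE_BASELINES["sysadmin"]), 2010),
    Account("dave", "helpdesk", set(ROLE_BASELINES["helpdesk"]), 2010, daily_apps={"email"}),
    # Leaver whose account was never disabled.
    Account("erin", "helpdesk", set(ROLE_BASELINES["helpdesk"]), 2018, employed=False),
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(f"{kind}: {items}")
```

The checks are deliberately simple set operations so they can be run against an export from a directory or IAM system; the point is that each finding maps to a concrete remediation (trim to baseline, rebuild the new starter's access from the role rather than from a colleague, issue a separate admin account, disable the leaver).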
Businesses should aim to build security into their DNA as they have with OH&S, which is now ingrained. It’s certainly not the same with security.
* Jo Stewart-Rattray is Director of Information Security at national accounting firm RSM Bird Cameron in Adelaide. With information security credentials including CISA, CISM, CGEIT and CSEPS, Jo sits on ISACA’s international Knowledge Board. ISACA is a non-profit, independent IT governance association with more than 86,000 constituents in 160 countries.