Separation Of Duties through a key hole

A Discussion on Security Improvements

For decades, businesses have sloppily adopted and implemented haphazard business practices of over-doing, over-granting IT personnel with unchecked elevated access. This elevated access provides IT personnel with increased capabilities to perform wide-spheres of critical tasks and duties with near-unfettered control and access over IT business assets.

IT personnel are not only (routinely) granted access to many, if not all, forms of sensitive information, but also ‘keys’ to critical, underlying, IT systems, applications and services. To be clear, this kind of access is not the problem, it is how we’ve gone about providing it.

Taking A Step Back

When non-IT personnel are on-boarded to perform business functions, of the many things, they are given a computer or laptop. These employees also receive a ‘standard‘ user account (or ID) to use to access business resources and assets to perform their daily duties. With perforce and imposed IT controls, these ‘standard‘ user accounts are used by employees to collaborate on business topics, perform work tasks, browse the web, answer emails, perform data entry for home-grown applications, and so on.

Employee, or ‘standard‘, user accounts should be limited to:

  1. viewing and editing information or data (permissions) and
  2. actions they’re capable of performing (rights)

As a simple example, a marketing Director’s ‘standard‘ account would typically be given the ability to ‘edit’ all marketing-material type documents. However this same account wouldn’t possess any ability to modify permissions or settings.

Taking A Broader View

Business data and applications are comprised of security layers with many branches. No big surprise, right? Definition of these layers are predicated, agreed and implemented based upon business functionality, sensitivity, criticality, rules and what have you. Security practices ensure and safeguard the integrity of sensitive information, such as social security numbers, financial details, etc. In addition, beneath the scene, strict practices ensure the integrity of the systems and applications for which they run on.

Why do these safeguards exist limiting access and exposure to sensitive data on systems?

Because of their nature and use, ‘standard‘ user accounts are potentially susceptible to increased risk. How come?

Where a list could fill many books, we’ll touch on a few.

  • Standard‘ user accounts are the primary types used most often, and for nearly everything
  • Employees tend to write down their passwords on sticky notes or in their checkbook
  • Despite tight screen saver rules and routine business training, employees tend to leave workstations unlocked
  • Employees routinely browse the internet thus becoming targets for malware and viruses
  • Routine pounding of social engineering employed to gain entry or privileged access via emails, phone calls, etc.
  • Concerning asset control; mistakes can be made. Security is instilled to limit access to high-value or mission critical assets. These measures proactively prevent potentially small or wide-sweeping risk or impact (for example, databases running on back-end systems). Let’s not overlook that such could include accidental leakage of sensitive information or intellectual property

To many, layers of separation or protection of assets isn’t a new or novel concept – “gee whiz, what is this all about?”

Regardless of a cute smile or dazzling personality, one simply wouldn’t grant a sales Director access to payroll information, let alone financial data. In short, these measures instilled by IT organizations are to prevent accidental or potential ‘what ifs’ or tampering(s). The less ‘what ifs’, the less likely the business will be compromised and we will all sleep better.

Like a bank, military base or even a Vegas casino, we’ve all become familiar, through Hollywood, of the series of the imposed measures (some extreme) to ‘keep the bad guys out’.

How do we protect the environment from ourselves?

Okay, here’s the crux of it – IT personnel are likewise provided with a ‘standard‘ user accounts to perform their daily tasks (mentioned above), however with one GIGANTIC difference.

In many cases, it has been found ‘standard‘ IT user accounts maintain or possess a degree, if not complete, elevated control over internal and possibly cloud assets with no separation between ‘standard’ and/or administrative duties. Despite the risks outlined above, business have adopted a model of ‘one ring to rule them all’ – Yikes! With all this said, there is no reason not to trust your IT personnel with this level of authority. The problem is how we’ve gone about providing it.

This lack of separation comes in many flavors , shapes and sizes (boy does it). Take for example the SQL administrator whose ‘standard‘ account is used for both database management and checking Facebook. Or the email Administrator who uses his ‘standard‘ account for all types of email testing, server patching and troubleshoots Outlook on everyone’s workstations. This factually happens more than one would care to realize.

This really boils down to IT ‘standard‘ user accounts maintain or possessing elevated abilities far beyond what they should; such as logging onto systems, setting up and performing automated tasks (e.g. scripts), installing or removing program, creating or deleting information, patching systems, maintaining access to databases, modifying file and/or folder permissions, along with myriad of other actions we couldn’t begin to capture herein.

There is also a well known problem of credential hijacking, where a hacker records or captures the credentials of an account and uses it to penetrate other systems.

In addition to the tasks listed above, this boils down to IT standard user accounts possessing the ability to log into systems, setup and perform automated tasks, install or remove any program, create or delete information, patch systems, change file and/or folder permissions along with thousands of other actions we won’t capture here.

What is the answer to this dilemma?

The answer is separation of IT duties.

As a short explanation, separation of IT duties is the process of clearly and accurately defining, reviewing, packaging and implementing consistent administrative controls (or model) governing the various types of IT business assets. These controls would provide clear-cut and consistent separation between one type of IT administrative task or ability versus others.

Included therein would prevent crossing, or tampering with these streams of separation. As an example, a ‘standard‘ user ID would not have any level of administrative control over business assets. A workstation admin, or ‘privileged‘ account, would only possess the ability to manage and maintain workstations.

Regardless of your business size, separation of duties (SOD) is a senior requisite (ref article:  Security: Separation of Duties & MFA – Part 1). You need to define, adopt, enforce and routinely monitor for efficacy, while keeping a pulse on manageability.

Avoid a model which is or could become unwieldy and confusing. Ensure it is scalable and portable across business units. Above all else, keep it simple and consistent. In addition, ensure the business performs unbiased quarterly or semi-annual reviews and adjustments.

In closing; please don’t confuse separation of duties with other security measure like two/multi-factor authentication.