The insider threat: automated identity and access controls can help organizations mitigate risks to important data.
A 2007 PricewaterhouseCoopers (PwC) Global State of Information Security Study estimated that people inside organizations were the culprits in 69 percent of database breaches. This finding runs counter to the conventional wisdom that outsiders, such as hackers, are the primary cause of information security incidents. Acting on that belief, auditors have recommended focusing organizational resources on installing firewalls and other network-level controls to protect against hackers. That approach will not work, however, when the greatest threat is already inside that barrier.

The likelihood of the insider threat was highlighted by a 2007 InformationWeek.com study in which 45 percent of 900 trusted employees surveyed admitted taking sensitive data with them when they changed jobs. This finding points to the importance of internal auditors changing their approach to information technology (IT) security and taking a closer look at insider risks.

A GROWING RISK

New technologies such as enterprise resource planning (ERP) applications, business-to-business processes, and mobile devices may not only enhance data availability, but also may increase the threat that trusted insiders could steal intellectual property, personally identifiable consumer and employee data, and financial information. At the same time, organizations need to share data with business partners, vendors, customers, and outsourcing companies to achieve strategic objectives. Managers are now discovering that sharing information with third parties increases the risk that critical data will be misused.

Estimates of the financial impact and likelihood associated with IT risks change frequently as systems become increasingly integrated across organizations. Unfortunately, few organizations that have invested in integrated systems also have acquired automated software that can detect internal data breaches. Thus, many organizations have concluded that the financial impact of these breaches is within their risk-tolerance level.

Many organizations confront the insider threat by requiring employees, contractors, and others who access their systems to comply with their security policies. Although policies such as encrypting sensitive data within e-mail messages can reduce the risk that hackers will compromise important information, they may not be sufficient to prevent users with legitimate access to critical applications from stealing data. Most organizations are not capable of enforcing adherence with security policies at the point of use.

IMPLEMENTING IAM CONTROLS

One way organizations can manage security risks from insiders is to implement centralized and automated identity and access management (IAM) controls. IAM controls enforce security policies by monitoring employee and third-party access and use of sensitive data in real time across multiple databases in numerous locations.

The first step in creating IAM controls involves internal auditing rallying key stakeholders, such as legal, human resources (HR), business process owners, regulatory compliance, and IT security, to determine the information that needs to be protected most and the database applications where it is stored. Second, stakeholders must agree on common definitions for the most sensitive data, which may differ across ERP applications and less-structured word processing, spreadsheet, and e-mail files. Finally, the data should be tagged and consolidated within central servers where encryption and physical security measures can be applied.

Once the data has been stored within central servers, digital rights management technology can be used to control whether this information can be transferred to another server, computer, e-mail account, mobile device, the Internet, or printer. For example, if a user is about to violate a security policy by saving customer data onto a spreadsheet, the software will send the user a warning message prohibiting the procedure. A challenge, however, is balancing the need to mitigate security risks with legitimate users' need to access data to complete their job responsibilities. Overly restrictive IAM security policies may be relaxed based on feedback from users, subject to supervisor and business process owner approval. For example, based on management's risk assessment, security policies may be modified to allow customer data in summary form to be transferred to spreadsheets for analysis.

AUTOMATING PROCESSES

To further manage insider security risks, organizations should consider automating processes and related controls. These processes include providing new user access, modifying existing user access, terminating user access, and providing third-party access.

USER PROVISIONING Automating new employee database access, and subsequent modifications based on the individual's unique job responsibilities or roles within the organization, can substantially reduce security risks. The biggest problem with manual controls is keeping up with modifications to user access due to promotions or new project team assignments. It may take the help desk anywhere from one day to a few weeks to change an existing employee's database access, which increases the risk that employees will share their passwords, in violation of security policies, so that co-workers can reach necessary data more quickly. Internal auditing normally reviews whether employees who have been promoted or transferred to new project teams have had their previous application and data access revoked once it is no longer needed to fulfill their job responsibilities. This review can be time-consuming, however.

Organizations like UPS have automated the process of establishing and modifying access using access provisioning request systems (APRSs) that are controlled by their central HR system. The APRS links directly to all role-based responsibilities and corresponding access requirements across all database applications. Initially, the organizations define and enter into the APRS several hundred local, national, and international employee roles and their associated application and data access. After an employee is reassigned to a new role within the organization, the APRS immediately sends an electronic message to the applicable supervisor for approval, and then automatically provides the employee with the appropriate application and data access. The system also can incorporate new roles based on employee requests and supervisor approval or as new applications are installed. Moreover, the APRS can automatically determine whether previous access is still needed.

USER TERMINATION Accounts that are left active after users leave organizations are another source of insider risk. To address the concern over such accounts, the IT department at WellSpan, a hospital and physician network based in York, Pa., periodically generated a list of files and accounts that had not been accessed within the last 60 to 90 days and analyzed them for possible deletion. However, substantial delays in identifying all accounts of terminated employees exposed the organization to the risk that these accounts might be used maliciously after the employee had left the organization. To mitigate this risk, WellSpan now terminates user application and data access through an automated link between the HR system and the IAM system on the date the employee leaves the company. The IAM system leaves a complete footprint of all accounts created by applicable users during their tenure with the organization, including how long it has been since each account was accessed. This information helps the organization determine which accounts to retain and which accounts to delete.

IAM systems also can report the date and time of accounts created by users who are within two weeks of termination; such accounts are more likely to hold data that the employee is trying to remove from the organization. A related risk is that soon-to-be-terminated users may send sensitive data in outgoing e-mail, which can be mitigated by scanning all messages and rejecting transmissions that contain such information.
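As an added illustration (not code from the article or from WellSpan's system), the following script applies the three checks described above to constructed HR and IAM records: active accounts belonging to terminated users, accounts created within two weeks of the termination date, and accounts not accessed within the 90-day review window. The record layout, names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): HR termination records and
# the IAM system's per-account footprint (owner, creation date, last access).
HR_RECORDS = {
    "alice": {"terminated": date(2008, 3, 14)},
    "bob":   {"terminated": None},            # still employed
    "carol": {"terminated": date(2008, 3, 28)},
}
IAM_ACCOUNTS = [
    {"account": "alice_erp", "owner": "alice", "created": date(2006, 1, 9),
     "last_access": date(2008, 3, 12), "active": True},
    {"account": "alice_tmp", "owner": "alice", "created": date(2008, 3, 10),
     "last_access": date(2008, 3, 13), "active": True},
    {"account": "bob_erp",   "owner": "bob",   "created": date(2005, 6, 1),
     "last_access": date(2007, 11, 2), "active": True},
    {"account": "carol_crm", "owner": "carol", "created": date(2007, 2, 5),
     "last_access": date(2008, 3, 27), "active": False},  # cut off on exit
]
REVIEW_DATE = date(2008, 4, 1)  # assumed date the review is run


def review_accounts(hr, accounts, today, dormant_days=90, pre_exit_days=14):
    """Return {account: [issues]} for the three checks the article describes."""
    findings = {}
    for acct in accounts:
        issues = []
        term = hr.get(acct["owner"], {}).get("terminated")
        # 1. Terminated user whose access was not revoked on the leave date.
        if term is not None and term <= today and acct["active"]:
            issues.append("active-after-termination")
        # 2. Account created within two weeks before termination: higher risk
        #    that it was set up to stage data for removal.
        if term is not None and term - timedelta(days=pre_exit_days) <= acct["created"] <= term:
            issues.append("created-near-termination")
        # 3. Dormant account: no access within the review window.
        if acct["active"] and (today - acct["last_access"]).days > dormant_days:
            issues.append("dormant")
        if issues:
            findings[acct["account"]] = issues
    return findings


def run_review():
    """Convenience wrapper over the constructed data above."""
    return review_accounts(HR_RECORDS, IAM_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, issues in run_review().items():
        print(f"{name}: {', '.join(issues)}")
```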

One limitation of automated controls is that trusted users may simply write information on paper. This risk can be reduced by tracking users' login and logout times and frequency of access to sensitive data on a real-time basis. A sudden increase in the duration and frequency of access to important files may trigger an investigation by the forensic team.

THIRD-PARTY ACCESS Many organizations have addressed the risk that vendors and other outside organizations will access sensitive data by creating uniquely identifiable third-party accounts that prohibit access to the internal network. Instead, third parties are only allowed access to a demilitarized zone (DMZ), which is a separate network between the Internet and the organization's internal network that stores frequently requested information. IAM controls can then be used to ensure that separately tagged sensitive data is not uploaded to the DMZ. Automated controls also can ensure that third-party accounts are not allowed to have organizational e-mail accounts.

A CRITICAL MISSING LINK

IAM controls are only one part of a comprehensive information security solution to managing insider risks to data and systems. Internal auditors also frequently need to consider whether changes in IT infrastructure result in new or increased IT risks and harness technologies that can estimate their likelihood and financial impact. Only then can auditors advise management about the best ways to mitigate these risks.

George R. Aldhizer III, PhD, CIA, CPA, CFE, is PricewaterhouseCoopers Associate Professor in The Calloway School of Business and Accountancy at Wake Forest University in Winston-Salem, N.C.

To comment on this article, e-mail the author at george.aldhizer@theiia.org.

To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail jamesroth@audittrends.com.

EDITED BY JAMES ROTH AND DONALD ESPERSEN
COPYRIGHT 2008 Institute of Internal Auditors, Inc.

Article Details
Title Annotation: RISK WATCH
Author: Aldhizer, George R., III
Publication: Internal Auditor
Date: Apr 1, 2008
Words: 1476