The five-step privilege management checklist for financial organizations
Paul Kenyon, co-founder and COO, Avecto
Financial institutions sit at the top end of the scale for security and reputational risk: their databases of customer information make them an attractive target for criminals and bring regulatory obligations with them. Taking this into consideration, it's crucial that banking and financial firms take a close look at how administrator rights are allocated on company-owned machines. This matters because unmanaged administrator rights open the door to malware that exploits elevated privileges, ultimately exposing sensitive financial data and causing staggering and, frankly, unquantifiable damage.
But the reality is that managing these risks need not be a complex endeavor. Companies should adopt an approach of least privilege, which balances security and productivity by granting users only the rights necessary to carry out their jobs. The five-step checklist below accomplishes this and solves many of the problems created by a “loosely managed” desktop environment.
Step 1 - Rationale
The first task is to clearly define the benefits of a privilege management project, which will vary even between organizations in the financial services sector, depending on their application infrastructure. A few themes, however, will be common to all:
- Security: The permissive elevation of admin privileges is an obvious security risk, because users can potentially run unauthorized software or even malware.
- Compliance: Policing admin rights has become a regulatory issue, not only to meet legal requirements imposed in some countries, but to satisfy independent audits.
- Efficiency and cost: There is potential to reduce helpdesk workload. Low-level functions, like power management and connecting to printers, can be granted without handing out full admin rights.
With this rationale in place, the technical goal of the project should be stated clearly. Usually this is a design in which every user becomes a standard user, holding only the least privileges needed to perform their role.
Step 2 - Planning
Next, we'd recommend performing an audit using some form of passive monitoring for roughly three months, to gauge which applications are needed in which contexts and to build an “application rights map.” This helps divide users into at least three categories: administrators, standard office users, and special cases such as departmental heads, in-house developers, and users of specialist applications. The applications themselves must also be audited. Bear in mind that once an organization has implemented a privilege management system, these policies will be subject to constant modification as new applications are added or as applications already identified are gradually moved onto a controlled list. At this stage, a baseline should be established using a reporting tool; it provides the “before” for a “before and after” comparison with which to assess the project's success and to identify wrinkles.
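The audit and “before and after” baseline described above can be started with a plain inventory of who currently holds local administrator rights on each machine. The following PowerShell script is an added example, not code from the original article or from any Avecto product; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), rights to read local group membership, a baseline path of your choosing, and that the $Expected list of sanctioned admin accounts is a placeholder to be replaced with your own.

```powershell
# Added example (not from the article): snapshot the local Administrators
# group on this machine and, on a later run, diff it against the baseline.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and read access to
# local group membership.

param(
    # Where the "before" snapshot is stored; placeholder path, adjust as needed.
    [string]$BaselinePath = "$env:ProgramData\PrivAudit\admin-baseline.csv",
    # Set to compare the current state against the stored baseline.
    [switch]$Compare
)

# Accounts/groups that are allowed to hold local admin rights. Placeholder
# values: every member not in this list is flagged as unexpected.
$Expected = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-LocalAdminSnapshot {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        # Drop the MACHINE\ or DOMAIN\ prefix so names compare across hosts
        $name = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Account     = $name
            ObjectClass = $_.ObjectClass        # User or Group
            Source      = $_.PrincipalSource    # Local, ActiveDirectory, ...
            Expected    = ($Expected -contains $name)
            Captured    = (Get-Date).ToString('s')
        }
    }
}

$snapshot = @(Get-LocalAdminSnapshot)
$unexpected = @($snapshot | Where-Object { -not $_.Expected })

if (-not $Compare) {
    # First run: record the "before" picture for the project baseline.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $snapshot | Export-Csv -NoTypeInformation -Path $BaselinePath
    Write-Output ("Baseline written to {0}: {1} members, {2} unexpected" -f
        $BaselinePath, $snapshot.Count, $unexpected.Count)
    $unexpected | Format-Table Account, ObjectClass, Source -AutoSize
    return
}

# Later run: show which admin accounts appeared or disappeared since baseline.
$baseline = @(Import-Csv -Path $BaselinePath)
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $snapshot -Property Account

if (-not $diff) {
    Write-Output 'No change in local Administrators membership since baseline.'
} else {
    foreach ($d in $diff) {
        $state = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        Write-Output ('{0,-8} {1}' -f $state, $d.Account)
    }
}
Write-Output ('{0} unexpected admin member(s) remain' -f $unexpected.Count)
```

Run the script once without -Compare to write the baseline, and again with -Compare after rights have been removed to list accounts that were added or dropped from the group; collecting the CSVs from many machines gives the “before” dataset the reporting step needs.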
Step 3 - Pilot
Because implementing privilege management is a major project for any large organization, the best place to start is a department where a three- to six-month pilot can be rolled out with minimal disruption. This serves two purposes: testing the implementation at a technical and user level, and communicating its imminent arrival to a relatively small group. Armed with monitoring data, and after inviting users to register the applications they need through a web-based pick list, the project heads must assess the usage and policy elevation cases for specific applications, eliminate false positives and identify applications that should be blocked.
Step 4 - Organizational challenge
Implementing least privilege control presents a significant cultural change for financial organizations on a number of levels. All users will find that their interaction with applications has changed, and the project team must model how people will relate to the new system. Clear, step-by-step communication with users is essential: outline the stages and timeline of the project, including when admin rights will be removed and who is affected.
Step 5 - ROI
After selecting a least privilege product, the final essential component is a reporting framework, critical for demonstrating to auditors that the policy design is not only consistent but has actually been implemented. Without this, it will be impossible to assess the success of a least privilege project, let alone manage it on a day-to-day basis. Such software will generate reports compatible with a central database such as a SQL database and possibly with an external, higher-level management system. Without reporting, there can be no auditing oversight. Without that, there can be no compliance.
As cyber crime continues to grow in sophistication, financial institutions need to adopt more proactive endpoint security measures. Don't rest on your laurels when it comes to your business. Privilege management will help combat these threats and help you comply with the security standards laid down by regulation.