The five-step privilege management checklist for financial organizations

Paul Kenyon, co-founder and COO, Avecto

Financial institutions sit at the top end of the scale for security and reputational risk: their databases of customer information make them especially attractive targets for criminal interception and subject to regulatory obligations. With that in mind, it's crucial that banking and financial firms take a close look at how administrator rights are allocated on company-owned machines. Unmanaged administrator rights open the door to malware that exploits elevated privileges, ultimately exposing sensitive financial data and causing damage that is staggering and, frankly, unquantifiable.

But the reality is, managing these risks need not be a complex endeavor. Companies should adopt an approach of least privilege, which balances security and productivity by granting users only the rights necessary to carry out their jobs. This can be accomplished with a five-step checklist that solves many of the problems created by a “loosely managed” desktop environment.

Step 1 - Rationale

The first task is to clearly define the benefits of a privilege management project, which will vary even between organizations in the financial services sector, depending on their application infrastructure. A few themes, however, will be common to all:

  • Security: The permissive elevation of admin privileges is an obvious security risk, because users can potentially run unauthorized software or even malware.

  • Compliance: Policing admin rights has become a regulatory issue, not only to meet legal requirements imposed in some countries, but to satisfy independent audits.

  • Efficiency and cost: There is potential to reduce helpdesk workload. Low-level functions, like power management and connecting to printers, can be granted without handing out full admin rights.

With this rationale in place, the technical goal of the project should be stated clearly. This will usually be that the organization wants to end up with a design in which every user has become a standard user, meaning one with the least privileges needed to perform their role.

Step 2 - Planning

Next, we'd recommend performing an audit using some form of passive monitoring for roughly three months to gauge which apps are actually needed in which contexts, and to build an “application rights map” from the results. This will help divide users into at least three categories: administrators, standard office users and special cases, for instance those accessing special applications, departmental heads, and in-house developers. The applications themselves must also be audited. Bear in mind that once an organization has implemented a privilege management system, these policies will be subject to constant modification as new applications are added or as ones already identified are gradually moved onto a controlled list. At this stage, a baseline should be established using a reporting tool, which will provide a “before” and “after” comparison with which to assess the project's success and identify wrinkles.
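As an added illustration of the planning step (this is not code from the article or from Avecto's product), the script below assumes that passive monitoring has produced a simple CSV of application launches with an “elevated” flag; it builds the application rights map and sorts users into the three categories described above. The event format, column names and sample rows are constructed for the example.

```python
"""Build an "application rights map" from constructed elevation-monitoring events.

Added example, not from the article or Avecto. Assumes a monitoring agent
emits CSV rows (timestamp,user,department,application,elevated); that format
and the sample data below are constructed for illustration only.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of passive-monitoring output (not real data).
SAMPLE_EVENTS = """timestamp,user,department,application,elevated
2014-10-01T09:02:11,alice,trading,riskmodel.exe,yes
2014-10-01T09:05:40,alice,trading,outlook.exe,no
2014-10-01T09:07:02,bob,helpdesk,msiexec.exe,yes
2014-10-01T09:10:55,carol,devteam,devenv.exe,yes
2014-10-01T09:12:03,carol,devteam,cmd.exe,yes
2014-10-01T09:15:30,dave,ops,outlook.exe,no
2014-10-01T09:20:14,dave,ops,winword.exe,no
2014-10-02T10:01:00,alice,trading,riskmodel.exe,yes
"""

def build_rights_map(csv_text):
    """Return {application: [users]} for every application that was run elevated."""
    rights_map = defaultdict(set)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["elevated"].strip().lower() == "yes":
            rights_map[row["application"]].add(row["user"])
    return {app: sorted(users) for app, users in sorted(rights_map.items())}

def classify_users(csv_text, admin_departments=("helpdesk",), dev_departments=("devteam",)):
    """Split users into administrators, special cases and standard users.

    Departments listed in admin_departments keep full admin rights; developers
    and anyone who needed elevation for a specific application are special cases
    (candidates for per-application elevation rules); everyone else is standard.
    """
    depts, elevated_apps = {}, defaultdict(set)
    for row in csv.DictReader(StringIO(csv_text)):
        depts[row["user"]] = row["department"]
        if row["elevated"].strip().lower() == "yes":
            elevated_apps[row["user"]].add(row["application"])
    groups = {"administrators": [], "special": [], "standard": []}
    for user, dept in sorted(depts.items()):
        if dept in admin_departments:
            groups["administrators"].append(user)
        elif dept in dev_departments or elevated_apps[user]:
            groups["special"].append(user)
        else:
            groups["standard"].append(user)
    return groups
```

Run against a real three-month export, the rights map is the “before” baseline: any user who later still needs elevation for an application not in the map is a wrinkle to investigate.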

Step 3 - Pilot

Because implementing privilege management is a major project for any large organization, the best place to start is by identifying a department that can be used to roll out a three- to six-month pilot with minimal disruption. This serves two purposes: testing the implementation at a technical and user level, and communicating its imminent arrival to a relatively small group. Armed with monitoring data, the project heads must assess the use and policy elevation cases for specific applications, after inviting users to register them using a web-based pick list, eliminate false positives and identify applications that should be blocked.

Step 4 - Organizational challenge

Implementing least privilege control presents a significant cultural change for financial organizations on a number of levels. All users will find that their interaction with applications has changed, and the project team must model how people will relate to the new system. Clear, step-by-step communication with users is essential: outline the various stages and timeline of the project, including the schedule for notifying those whose admin rights will be removed and who is affected.

Step 5 - ROI

After selecting a least privilege product, the final essential component is a reporting framework, critical for demonstrating to auditors that the policy design is not only consistent but has actually been implemented. Without this, it will be impossible to assess the success of a least privilege project, let alone manage it on a day-to-day basis. Such software will generate reports compatible with a central SQL database and possibly an external higher-level management system. Without reporting, there can be no auditing oversight. Without that, there can be no compliance.

As the sophistication of cyber crime continues to evolve, financial institutions need to adopt more proactive endpoint security measures. Don't rest on your laurels when it comes to your business. Privilege management will help combat these threats and help you comply with the security standards laid down by regulation.
