The financial risks of uncontrolled user access
Ineffective provisioning of user access rights poses real dangers. A secure enterprise provisioning system can address the specific risk areas highlighted by the FSA’s Financial Crime Sector Report.
Criminals are increasingly using IT to commit crime, probably because they recognise that fraud, extortion and money laundering can be committed just as easily in electronic form as they can physically. They realise that poor information security offers a quick, cheap and easy way to commit financial crime against firms and their customers.
This was the stark warning given by the Financial Services Authority (FSA) in its 'Countering Financial Crime Risks in Information Security' report published in November 2004.
The report concludes that firms could do much more to address potential risks, rather than responding to attacks once they have occurred. It highlights the need for senior management to take responsibility for information security and the need for firms' defences to be continually reviewed and updated to keep on top of the increasingly sophisticated methods used by criminals.
In addition to the emergence of new information security threats, such as phishing, the report also reveals that traditional threats to information security still exist because firms do not invest adequately in their security frameworks. An area of particular concern is the effective provisioning and de-provisioning of user access rights.
Due to the sensitive and often embarrassing nature of such threats, real-life examples of security breaches due to ineffective provisioning are hard to come by. However, there are a number of provisioning 'horror' stories which do slip through the net.
A network manager, sacked by a manufacturer of measurement and control devices used by the US Navy and NASA, was able to detonate a software 'time bomb' in the company's network, destroying the programs that ran its manufacturing machines. The malicious code was responsible for $10 million in losses, 80 redundancies and the loss of several customers.
There's the computer technician who, having been fired from a temporary position at one of New York's prominent publishing houses, was able to erase all the data on five of the company's eight servers. The company was forced to shut down its operation for two days and lost more than $100,000.
Then there are the hackers who used the login names and passwords of two former employees to crash computer systems at a US software company. The employees had been responsible for the company's systems and even helped build the network that was targeted. The company estimates it lost $50,000 in revenue because of the incident.
The FSA acknowledges: "Weak user administration is a common and long-standing failing. Firms need to ensure that only current employees have access to systems and that these employees have the correct account privileges. Unless user account reviews are regularly conducted, there is a risk that staff will leave or move and that user accounts will be used for unauthorised access."
The report recognised a range of solutions across small and large firms, from manual user administration to automated identity management solutions that capture and maintain details of employees' access rights across the organisation, using either centralised or decentralised administration. However, irrespective of the solution deployed, a number of common issues arose.
The first area of concern highlighted by the report is "Failure to reconcile between employees listed on human resources systems and live user accounts on a timely basis to identify redundant accounts."
The latest enterprise provisioning technology addresses this issue by including a reconciliation engine 'out of the box', as a core element of the system's design. It supports ongoing audit initiatives by ensuring controls and policies are strictly enforced, in order to ensure compliance across the enterprise.
Reconciliation becomes an ongoing process that monitors the resources being managed. If the engine detects accounts, or changes to user access privileges, that do not conform to the policies defined within the system, it can immediately undo the change or notify an administrator, depending on how it is configured.
The second area of concern detailed in the FSA's report, "Failure to delete access rights when a staff member changes responsibilities or departments," is equally well managed by the latest provisioning solutions. They automatically reconcile identity information from the majority of HR systems and directories, the trusted sources of information on staff responsibilities and departments.
As long as staff changes are reflected in at least one of these trusted sources, the provisioning system will automatically reconcile the change and amend the user's group membership accordingly, a process often referred to as role-based access control. The change in membership then triggers the appropriate provisioning processes in the managed applications: for example, deleting existing user accounts, removing existing privileges or entitlements within an application, modifying user rights, and creating new user accounts or privileges.
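The reconciliation described above, as an added example that is not from the article or any vendor product: an HR feed acts as the trusted source, live accounts on a managed application are compared against it, and the engine emits the remediation actions (disable orphaned accounts, amend group membership on a department change, revoke entitlements outside the role policy). The role policy, users and entitlement names are all constructed for illustration.

```python
# Added example (not the article's or any vendor's code): a minimal
# reconciliation engine that compares an HR feed (the trusted source)
# with live accounts on a managed application. All data is constructed.
from dataclasses import dataclass

# Constructed role policy: entitlements each department's role may hold.
ROLE_POLICY = {
    "finance": {"gl_read", "gl_post"},
    "it": {"server_admin", "ticket_queue"},
    "marketing": {"crm_read"},
}

@dataclass
class HRRecord:
    user: str
    department: str
    active: bool

@dataclass
class Account:
    user: str
    groups: set
    entitlements: set

def reconcile(hr, accounts):
    """Return (action, user, detail) tuples for every discrepancy found."""
    by_user = {r.user: r for r in hr}
    actions = []
    for acct in accounts:
        rec = by_user.get(acct.user)
        # No active HR record: a redundant (orphan) account, so disable it.
        if rec is None or not rec.active:
            actions.append(("disable", acct.user, "no active HR record"))
            continue
        # HR department differs from the live group: amend membership (RBAC).
        if acct.groups != {rec.department}:
            actions.append(("set_groups", acct.user, rec.department))
        # Entitlements outside the policy for that department: undo them.
        allowed = ROLE_POLICY.get(rec.department, set())
        for ent in sorted(acct.entitlements - allowed):
            actions.append(("revoke", acct.user, ent))
    return actions

# Constructed sample: a leaver, a department move, and an unmanaged account.
HR_FEED = [HRRecord("alice", "finance", True), HRRecord("bob", "it", True),
           HRRecord("carol", "finance", False)]
LIVE = [Account("alice", {"finance"}, {"gl_read", "gl_post"}),
        Account("bob", {"marketing"}, {"crm_read", "server_admin"}),
        Account("carol", {"finance"}, {"gl_read"}),
        Account("svc_backup", {"it"}, {"server_admin"})]
```

Running `reconcile(HR_FEED, LIVE)` yields one group change and one revocation for bob, and a disable action for both carol (inactive in HR) and svc_backup (no HR record at all); in a real deployment the "revoke" branch would be the point at which the engine either undoes the change or notifies an administrator.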
The report also expresses concern that many financial enterprises have "No review of user account access rights or application privileges by the business or IT to determine if a user has excessive rights or incompatible privileges for their job role." This is a problem easily overcome by a periodic review of access levels.
Leading-edge enterprise provisioning systems can be configured to periodically remind individuals to generate reports (detailing who has access to what, exceptions, and so on) and to acknowledge that they have examined the results and are satisfied that they properly reflect the firm's policies. This gives greater confidence that proactive controls are working properly and that the appropriate personnel are validating that they are working.
According to the report, the lack of segregation of duties between IT staff administering user accounts and those who review the appropriateness of account privileges is a problem faced by many enterprises.
Segregation of duties is indeed a key vehicle for preventing fraud and detecting errors in the processing of financial transactions. It ensures the same person does not participate in more than one key function of a transaction, and that actions are properly monitored and overseen by others.
Effective implementation of a strong segregation of duties model makes use of a range of access policy controls. However, sometimes, a user's responsibilities are not predefined and therefore cannot be captured as access policies. In such cases, the user's access rights are defined by the rights they are granted within a specific target application.
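A segregation-of-duties check of the kind the periodic access review above would run, as an added example that is not from the article or any vendor product. It collects the entitlements a person holds across every target application (so a conflict split between two systems is still reported for the person) and flags incompatible pairs, including the account-administrator-who-also-reviews case the report raises. The rule set and review data are constructed.

```python
# Added example (not the article's or any vendor's code): a periodic
# access-review check that flags incompatible privilege combinations
# (segregation of duties) across the entitlements a user holds in all
# managed applications. Policy and data below are constructed.

# Constructed SoD rules: pairs one person must not hold at the same time.
SOD_RULES = [
    ("payment_create", "payment_approve"),   # initiate and approve a payment
    ("user_admin", "access_review"),         # administer accounts and review them
    ("vendor_create", "payment_create"),     # create a payee and pay it
]

def sod_conflicts(entitlements_by_user, rules=SOD_RULES):
    """Return {user: [(ent_a, ent_b), ...]} for every violated rule.

    entitlements_by_user maps user -> {application: set(entitlements)}.
    Rights are aggregated across applications before checking.
    """
    report = {}
    for user, per_app in entitlements_by_user.items():
        held = set().union(*per_app.values()) if per_app else set()
        hits = [(a, b) for a, b in rules if a in held and b in held]
        if hits:
            report[user] = hits
    return report

# Constructed review input: entitlements per user, keyed by application.
REVIEW_INPUT = {
    "dave": {"payments": {"payment_create"}, "erp": {"vendor_create"}},
    "erin": {"payments": {"payment_approve"}},
    "frank": {"idm": {"user_admin", "access_review"}},
}
```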
In addition, the report expresses concern that there is no review of the generic accounts often used by technicians. Again, new provisioning technology addresses this by providing the capability for enterprises to manage the lifecycle of generic or service accounts used by technicians or by other systems within the organisation.
The report also highlights the "use of personnel accounts for conducting user administration through temporary assigning of administration privileges rather than using a dedicated systems administrator account" as an additional area for review. This is a risky practice that needs to be eliminated through effective definition and enforcement of policies. While even the most cutting-edge provisioning systems cannot do much to help define these policies, once they have been defined, they can help enforce them over time in an efficient, cost-effective way.
By employing a secure enterprise provisioning system, organisations are able to ensure that only current employees have access to systems and that these employees have the correct account privileges. In addition, by regularly reviewing accounts, an effective provisioning system eliminates the risk posed by staff leaving or moving into other departments, by automatically revoking their access rights. If undertaken within a secure provisioning framework, identity and access management need not be a risky business.
Michael Burling is an identity and access management expert, and managing director EMEA of secure enterprise provisioning leader Thor Technologies.