If there ever was an example where privileged access management may have prevented a train wreck of astronomical proportions, the case of Airman Jack Teixeira is it. As we have now learned through the June 15 indictment, he was accessing and sharing information for which he had no need to know. The issuance of a security clearance is not carte blanche to view everything and anything at that level of clearance and below; it allows one to access the information needed in the performance of one’s duties and nothing more. This concept is that of “least privileged access.”
In November 2021, the Cybersecurity and Infrastructure Security Agency (CISA) pleaded with organizations to up their cyber hygiene. That plea was pointed at those entities who had a part in the critical national infrastructure. Included among the array of shortcomings cataloged by CISA was privileged access management. Today the plea continues to be made. When will be the right time to enforce this concept? How about today.
Context-based access
At the recent RSAC 2023, the topic continued to be top of mind and discussed from all corners. Members of industry offered their perspective on context-based access.
Speaking to Joseph Carson, chief security scientist and advisory CISO at Delinea, we heard how privileged access management can be used to “elevate the data and the application and not the user.” Meaning, individuals’ access to sensitive data should be “just in time and on demand with zero friction.” Thus, Carson makes the argument for “context-based security,” vice role-based security.
Within the context of Teixeira, there was no need for this individual to have the level of access he had to purloin those documents which he ultimately shared outside of the cleared personnel ecosystem. Carson noted, Teixeira should know the road, but had no need to know the content of the documents traveling on the road to keep the network up and running. The often-encountered conundrum lies in having users who are “overprivileged.”
Need to Know
Paying attention to the segregation of duties is of import, opined Robert Hughes, chief information security officer of RSA. He suggests a strong identity governance and administration (IGA) program will greatly assist entities in tracking who needs access to what, why and for how long, and in adjudicating access accordingly. Within this context, he noted, the use of artificial intelligence (AI) would allow the “review of mountains of entitlement and usage data that users generate.” This review allows organizations to discover, he continued, “what users could access and what they are really accessing.”
Hughes added how the AI could “look at usage data to reveal incorrect, illegal, or out-of-compliance activity: just because a user can download a large amount of data from a shared file doesn’t mean that they necessarily should be able to.”
In sum, where users have wide and unnecessary access to data, they need to be throttled back to accessing only the data needed in the performance of their duties, and when that need dissipates, there should be no continued access to the information. Utilizing tools to search for and detect “fishing expeditions” within the data sets is not time wasted; as Hughes noted, it will reveal the incorrect, illegal or out-of-compliance behavior.
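The entitlement-versus-usage review Hughes describes can be sketched in a few functions. This is an added example, not code from the article or from Delinea or RSA; the user names, datasets, access log and byte threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): what each user is entitled to,
# the subset their duties actually require, and a log of what they really accessed.
ENTITLEMENTS = {
    "netadmin1": {"network-config", "intel-reports", "ops-plans"},
    "analyst1": {"intel-reports"},
}
NEED_TO_KNOW = {
    "netadmin1": {"network-config"},   # keeps the network up; no need to read content
    "analyst1": {"intel-reports"},
}
# Each entry: (user, dataset, bytes transferred). Constructed values.
ACCESS_LOG = [
    ("netadmin1", "network-config", 2_000),
    ("netadmin1", "intel-reports", 900_000_000),
    ("netadmin1", "intel-reports", 700_000_000),
    ("analyst1", "intel-reports", 5_000_000),
]


def used_by_user(access_log):
    """Map each user to the datasets the log shows they actually touched."""
    used = defaultdict(set)
    for user, dataset, _ in access_log:
        used[user].add(dataset)
    return used


def unused_entitlements(entitlements, access_log):
    """Entitlements never exercised: 'what users could access' but do not; revoke candidates."""
    used = used_by_user(access_log)
    idle = {u: granted - used.get(u, set()) for u, granted in entitlements.items()}
    return {u: s for u, s in idle.items() if s}


def access_beyond_need(need_to_know, access_log):
    """Accesses outside the user's need to know, even where an entitlement technically exists."""
    return sorted({(u, d) for u, d, _ in access_log if d not in need_to_know.get(u, set())})


def bulk_downloads(access_log, threshold_bytes):
    """(user, dataset, total bytes) where transfer volume exceeds the review threshold."""
    totals = defaultdict(int)
    for u, d, n in access_log:
        totals[(u, d)] += n
    return sorted((u, d, n) for (u, d), n in totals.items() if n > threshold_bytes)
```

Running the three checks against the constructed log surfaces an idle entitlement to revoke, an access outside need to know, and a bulk pull worth review, even though every access was technically permitted.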