Hacking the Hacks
Introduction
Role-based access control (RBAC) can significantly increase the security of an organization’s network, especially against internal hackers. However, companies are often hesitant to implement RBAC because they are concerned about the lengthy and complex implementation and that it will have a negative impact on their productivity. There are several ways to ensure that RBAC can be implemented in time to ensure security without negatively impacting employee productivity.
There are many different types of hacks that can occur on an organization’s network. Companies often focus on the most publicized type of hack: unknown intruders from outside the network accessing secure company data. There is another type of hack, which is a breach of security from within the organization by the company’s own employees.
This often happens more often than the organization realizes. In fact, it is much easier to breach security from the inside, which is why organizations should take measures to mitigate this problem. A recent example of this was a former employee who stole 30,000 credit records from his employer in New York over a two-year period after he left the company. In total, the cost of his crime was estimated at more than $100 million. According to one study, a staggering 59 percent of former employees admitted to stealing company data when they left their jobs.
Problems with access rights
While you often hear about bigger and more publicized hacks, smaller hacks happen all the time. So how can this happen? Often, when an employee is onboarded, they are assigned specific privileges. In most cases, they are given the same rights as an employee doing similar work, the so-called template user. When copying rights from a template user, a new employee can sometimes be accidentally granted too many rights because the template user may have accumulated additional access rights. Another common problem is that employees tend to borrow access rights from each other.
Let’s say one employee is going on vacation, but something needs to be completed while they are gone. A colleague will often be loaned credentials to complete the task, but this access is never revoked.
Additionally, organizations are often unaware of these incorrect access rights that employees have, so they cannot easily correct the problem. The organization doesn’t know who has what permissions and most likely doesn’t investigate or audit it regularly. The IT department often knows more or less who has and needs which rights, but for time reasons only adds rights and usually does not remove any. They are unable to easily determine exactly who has access to secure applications, so they are often unaware if there is a security risk on their network.
Finally, the most common security issue is when former employees are not disabled on the corporate network. Often, the organization simply does not remove access rights when the employee leaves. This is usually because an administrator has to go into each system and manually disable the user. You can see how this could be a major security concern, especially if a disgruntled employee leaves the organization.
Role-based access control
So how can this problem be mitigated to ensure that internal breaches do not occur? Several identity and access management solutions can be used to help an organization better understand the security issues it has, easily fix them, and make them less likely to recur in the future. One of them is a role-based access control (RBAC) system.
RBAC allows an organization to assign permissions to employees based on the job, role, and location the employee fills in the organization. The organization compiles an authorization matrix that records in detail what systems/applications and rights within the applications the employee should have. Then, when an employee is hired, they are enrolled in the HR system and using user provisioning, the functionality of the identity management system, a network account is automatically created for that employee.
For this, the identity management software reads the authorization matrix and knows exactly which permissions must be assigned to the account. RBAC ensures that employees have the right rights from the start and are not given too many rights.
RBAC can also provide additional benefits. It can ensure that secure systems and applications stay that way and that employees do not accumulate too many rights over the course of their employment. With an IAM solution, the organization can generate a report that shows exactly who has access to each of the secure systems and which changes have been made. If there are errors in these access rights, the organization can easily remove them.
Another way of monitoring access rights is the attestation or verification module. This type of module checks the network and applications periodically or in real-time for current access rights, which are compared to an RBAC matrix that contains standard or accepted rights; basically verifying that everything is fine on the company’s network. If any differences are found, the attestation module alerts the manager and system owner for review.
If this difference is approved, an electronic signature should be obtained to verify this fact and possibly also the expiration date of the set rights. If rights are found to be unauthorized, the workflow process can automatically manage the revocation of rights with notification emails to all relevant stakeholders.
An automated account management solution can easily help solve the problem of ensuring that an employee’s access is removed once they are no longer with the organization. The automated solution allows any change in the source system to be reflected in all connected systems and applications. For example, when an employee leaves the organization, a manager can easily deactivate the employee’s account in the source system, such as PeopleSoft, and have all their accounts and access rights revoked with one click.
However, many organizations are often hesitant to implement RBAC. They are worried about both the lengthy and complex implementation and the negative impact it will have on their productivity as employee access rights change. The task of completing an RBAC matrix can be a very complex process that can take up to several years for some organizations. According to a study, up to 70 percent of attempted RBAC projects fail to meet their goals.
There are newer methodologies to shorten the process and provide immediate benefits. It is possible for an organization to use the HR system as a data source, collecting the departments, titles and locations of all employees (essentially an organizational hierarchy) and using them to create a role for each unique level of access required. The next step is to obtain the current rights from Active Directory, namely the security and distribution group memberships and file-share permissions associated with the employees in each role.
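The two steps above, deriving roles from HR data and then attesting current Active Directory memberships against the resulting matrix as described in the attestation section, can be illustrated with a short script. This is an added example and not code from the article or from Tools4ever; all users, roles, groups and the HR/AD snapshots are constructed for illustration.

```python
# Added example: derive roles from HR records (department, title, location),
# look up each role's allowed groups in an authorization matrix, and attest
# a snapshot of current AD group memberships against it. All data is constructed.

# Constructed HR export: (user, department, title, location)
HR_RECORDS = [
    ("alice", "Finance", "Analyst", "NYC"),
    ("bob",   "Finance", "Analyst", "NYC"),
    ("carol", "Finance", "Manager", "NYC"),
    ("dave",  "Sales",   "Rep",     "LON"),
]

# Constructed RBAC matrix: role key -> the groups that role is allowed to hold
RBAC_MATRIX = {
    ("Finance", "Analyst", "NYC"): {"GL-ReadOnly", "Finance-Share"},
    ("Finance", "Manager", "NYC"): {"GL-ReadOnly", "GL-Approve", "Finance-Share"},
    ("Sales",   "Rep",     "LON"): {"CRM-Users", "Sales-Share"},
}

# Constructed snapshot of current AD membership: user -> groups actually held
AD_MEMBERSHIP = {
    "alice": {"GL-ReadOnly", "Finance-Share"},
    "bob":   {"GL-ReadOnly", "Finance-Share", "GL-Approve"},  # borrowed right
    "carol": {"GL-ReadOnly", "GL-Approve", "Finance-Share"},
    "dave":  {"CRM-Users"},                                   # missing share
    "erin":  {"CRM-Users", "Sales-Share"},                    # no HR record: leaver
}

def role_of(record):
    """The role key is the unique (department, title, location) tuple from HR."""
    _, dept, title, loc = record
    return (dept, title, loc)

def attest(hr_records, matrix, membership):
    """Return only the deviations: {user: {"excess": set, "missing": set, "orphan": bool}}.
    "orphan" marks an account that has no HR record, i.e. a likely former employee."""
    expected = {r[0]: matrix.get(role_of(r), set()) for r in hr_records}
    findings = {}
    for user in set(expected) | set(membership):
        have = membership.get(user, set())
        want = expected.get(user)
        if want is None:  # account exists in AD but not in HR
            findings[user] = {"excess": have, "missing": set(), "orphan": True}
            continue
        excess, missing = have - want, want - have
        if excess or missing:
            findings[user] = {"excess": excess, "missing": missing, "orphan": False}
    return findings

if __name__ == "__main__":
    for user, finding in sorted(attest(HR_RECORDS, RBAC_MATRIX, AD_MEMBERSHIP).items()):
        print(user, finding)
```

In a real deployment the three inputs would come from the HR export, the maintained authorization matrix and a directory query, and each finding would be routed to the manager and system owner for approval or automated revocation.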
Ensuring employees remain productive
Another problem that organizations are concerned about is the problem of productivity. Implementing RBAC may mean that employees now have fewer access rights and permissions to their machines. This means they will have to request permission to make changes, download or access other resources, causing productivity issues. One way to avoid this is to assign a team leader in each department who has advanced access rights. This can be the manager of each department or someone designated by the manager.
Instead of having to contact IT every time an employee needs to make a change to their computer or needs additional access, they can contact their line manager or the designated individual.
Although this may reduce the productivity issue, it can still be a burden for a larger company with larger departments. Another more advanced method to help with this problem is to use a workflow management solution. Workflow management is a controlled, automated process with a defined sequence of tasks that can replace an otherwise manual process performed by multiple people. This allows for a streamlined and efficient process for employee requests.
So if an employee needs to request access to a certain application for a project, they simply go to the web portal, request whatever they need (applications, computer changes, mailboxes, distribution lists, etc.). The workflow is set up by the organization so that when a user requests a change, the request then goes through a predefined sequence of workers who must approve it before the change is implemented.
This makes it easy and safe to make any access changes. It also ensures that there is a consistent process and that nothing is miscommunicated or lost along the way. Additionally, it ensures that permissions are granted by the right people, so there is no misunderstanding and the end user does not receive something, or gain access to a system, from which they are supposed to be restricted.
RBAC in conjunction with workflow management can have a huge positive impact on an organization. Working together, these two solutions ensure that the corporate network is secure without impacting employee productivity.
Dean Wiech is the CEO of Tools4ever, a global provider of identity and access management solutions.