How can we combat threats linked to privileged users?

While cyber threats are increasing in today’s digital world, they are more and more often linked to privileged users. Why is that? What can be done about it? We asked these questions to Julien Patriarca, cybersecurity expert and Support and Services Manager at WALLIX.

Hello Julien. Privileged users are increasingly seen as representing cybersecurity risks. Can you explain this trend?

This trend is the result of the growing importance of digital technology in our daily lives. Whatever service we use, to pay taxes or place orders online, etc., all our digital actions are translated into data. Our bank card numbers, identity data, as well as companies’ data are now stored on servers managed by people who hold, as I often call it, the “keys to the kingdom”, i.e. they have access to all of our digital data, which is rarely encrypted, or only in a format that is generally easy to decode. People are increasingly aware that these data are stored on servers that can be accessed by certain users. It is therefore becoming imperative to be able to know who accesses these data or servers, as well as when and why they do so, to be sure of avoiding data leaks, whether or not they are intentional. It is important to emphasize this point; we often speak of malicious intent but that is not the only threat, there is also negligence. So, by keeping an eye on the people with the keys to the kingdom – the privileged users – we are able to know what they have done or not done on the information system.

Is it true that privileged users represent the biggest threat to a company’s information system?

They are one of the biggest threats. The threat posed by privileged users becomes greater if we look at the insider threat. We often hear about nasty hackers prowling the internet and attacking servers, but for companies, the insider threat linked to administrators certainly represents the biggest, or one of the biggest threats at the moment. Nevertheless, we should not demonize privileged users. I think that the main challenge is to make people aware of their responsibilities; as I said earlier, there are not only malicious people, there are also negligent people. That is the real threat. Negligence is part of the insider threat. Hence, the fact of monitoring activities, and possibly recording privileged sessions to find out what happened, be able to review an incident, restore a service etc., is necessary in order to reduce or possibly eliminate IT negligence.

Nevertheless, the insider threat does not appear to me to be the primary motive for companies to adopt a cybersecurity solution. When clients come to us, they primarily want to deal with the issue of audit and compliance: who has access to what, where, when and how they obtain access. Dishonesty or malicious intent are issues that generally arise afterwards. As far as I can remember, I have never had a discussion with anyone who was determined to deploy a surveillance solution because they were afraid of their administrator population. Besides, we generally talk about monitoring rather than surveillance. The cybersecurity solution must first and foremost enable companies to avoid negligence or deal with an act of negligence as quickly as possible, to review an incident and carry out a post-mortem in order to restore the service, and possibly of course to have visibility over administrators’ activity. However, we do not assume that the administrator populations are malicious. That may of course be the case, but a cybersecurity policy should not be viewed from that angle because the result is often the same whether there is negligence or malicious intent.

Several solutions exist to secure organizations’ critical assets, including Privileged Access Management (PAM).

How does that type of solution meet the challenges posed by privileged users?

PAM meets them entirely. At WALLIX, the first thing we ask for when we deploy a solution is to forbid admins’ direct connections to the server. If you allow the users to choose, in 100% of cases, they will not connect via the solution. The PAM solution makes it possible to come between the administrators and the servers using granular access rights (by timetable, server, protocol etc.) and thanks to optional features such as session recording. Connections can no longer be made directly but only via the solution, which offers considerable protection for information systems by avoiding security incidents, reducing downtime and very quickly reviewing incidents to restore the service or make adjustments to the security system in place. The WALLIX solution includes this aspect of monitoring privileged users’ activities and makes them aware of their responsibilities. If people know that they may be watched or that their actions may be reviewed during an audit, they become aware of their responsibilities and negligence decreases.
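As an added illustration (not WALLIX code, and not a description of how the WALLIX Bastion is implemented), here is a deny-by-default policy check of the kind a PAM broker enforces when it sits between administrators and servers: each request is matched on user, target server, protocol and time window, and every decision produces a who/where/when/how audit record. The rule set, user names and host names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRule:
    """One granular right: user -> target over protocol, inside a time window."""
    user: str
    target: str
    protocol: str          # e.g. "ssh" or "rdp"
    window_start: time     # allowed window, target's local time (inclusive)
    window_end: time
    record_session: bool = True   # session recording is an option of the rule


# Constructed sample policy (hypothetical users and hosts).
POLICY = [
    AccessRule("alice", "db-01", "ssh", time(8, 0), time(18, 0)),
    AccessRule("vendor-maint", "app-02", "rdp", time(22, 0), time(23, 59)),
]


def audit_record(user, target, protocol, when, allowed, reason, recorded):
    # Who / where / when / how plus the decision: the questions an audit asks.
    return {"who": user, "where": target, "how": protocol,
            "when": when.isoformat(timespec="minutes"),
            "allowed": allowed, "reason": reason, "session_recorded": recorded}


def authorize(user, target, protocol, when: datetime, policy=POLICY):
    """Return (allowed, audit_record). A request that matches no rule is refused,
    so an administrator cannot reach a server the policy never granted."""
    for rule in policy:
        if (rule.user, rule.target, rule.protocol) != (user, target, protocol):
            continue
        if not (rule.window_start <= when.time() <= rule.window_end):
            rec = audit_record(user, target, protocol, when, False,
                               "outside allowed time window", False)
            return False, rec
        rec = audit_record(user, target, protocol, when, True,
                           "matched rule", rule.record_session)
        return True, rec
    rec = audit_record(user, target, protocol, when, False, "no matching rule", False)
    return False, rec


if __name__ == "__main__":
    for req in [("alice", "db-01", "ssh", datetime(2024, 5, 6, 10, 0)),
                ("alice", "db-01", "ssh", datetime(2024, 5, 6, 20, 0)),
                ("bob", "db-01", "ssh", datetime(2024, 5, 6, 10, 0))]:
        print(authorize(*req))
```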

The PAM solution, in particular thanks to privileged session management, is all the more essential today.

Most companies use third party application maintenance services. As a result, when someone connects to the company’s systems, it is difficult to know who controls access, who connects, when they connect or what they do when they are connected. In fact, an access and privileged session management solution is essential to monitor third party maintenance providers. Once again, the WALLIX solution makes providers aware of their responsibilities, forcing them to perform their obligations correctly – if they do not already do so – because the company will inevitably be able to find out what happened or did not happen on its systems in the event of an incident.

It is very important for companies to at least know what people do when they connect to their systems, especially if they are external parties, about which they know little or nothing. I remember one customer in particular who had signed a contract with a company in India for third party app maintenance. The customer noticed that there were addresses from countries connecting to its information system that it did not recognize. After investigating, it discovered that the provider that it had signed the agreement with had subcontracted the contract to people near the Philippines. What’s more, the company had an extremely sensitive activity in the banking sector, so giving root or administrator access to banking servers to people on the other side of the world was totally unbelievable! That is a really concrete example of why you must first control providers’ access to your systems via a PAM solution such as the WALLIX Bastion privileged access management solution.