An unhappy systems administrator who may want to teach a seemingly unappreciative credit union a lesson. An employee who is passed over for a promotion or a raise. A technically savvy database administrator who, for the right price, is willing to change someone’s credit history so they will be approved for a loan.
Each of these nightmare scenarios represents a situation in which an employee has privileged access and the ability to thwart a credit union’s weak internal IT controls. While most IT staffers are trustworthy, insiders are often at the center of security breaches and incidents of data theft. Consider the following studies:
* According to a recent Computer Security Institute (CSI) study conducted jointly with the FBI: 80% of respondents surveyed reported security incidents involving insider abuse of privileges (up from 64% during the previous year).
* A 2005 IDC Research survey found that 31% of responding organizations had terminated employees or contractors because of internal security violations.
* A recent poll conducted by DarkReading.com asked 648 IT pros if they ever accessed proprietary information during their careers. More than one-third (37.5% to be exact) admitted to abusing their security privileges and accessing information in company files. Ten percent of respondents admitted to accessing unauthorized information on a regular basis.
These findings demonstrate that in determining who should have access to critical systems and data, it is vital that IT managers and staff understand the importance of systems and policies in place to create a security environment based on role and scope. This is especially true for credit unions that depend on third-party vendors to manage their IT processes.
Because many credit unions do not have the IT staff or budget to keep all functions in house, they often outsource to solutions providers. Some of these processes–including application hosting, data warehousing and transaction processing–expose sensitive employee and customer data to non-credit union employees. While this dynamic often results in operational efficiency for the credit union, it is critical that IT managers ensure all of their providers and partners deploy the most effective solutions available to protect proprietary systems, applications and information.
To compound the issue, many credit unions and third-party vendors run mission-critical applications on Linux and UNIX systems. Within these environments exists the root or “superuser” account. Without proper controls, anyone with access to the root account will hold the virtual “keys to the kingdom” without justification based on their job classification, specific duties or role within the IT department. This violates the security best-practices doctrine of least privilege and can expose proprietary systems and information to malicious activity and sabotage.
While most savvy administrators would likely agree that protecting the root account is a key component to Linux/UNIX security, there is often a debate about just how to accomplish this. One of the fundamental questions that should be addressed as IT managers evaluate both internal security posture and the defenses deployed by a solutions provider is whether to deploy commercial solutions or rely on freeware.
The Trouble With Freeware
Perhaps the most widely used open-source program for delegating responsibilities within Linux and UNIX environments is sudo. The basic intention of sudo is to provide administrators with a way to allow users to access certain programs that require the root password without giving them complete root privileges. While sudo does contain a handful of positive attributes, IT mangers familiar with the program understand that its drawbacks make it an incomplete, insufficient solution.
One challenge with sudo is that it is a “quick and dirty” approach that invariably grants more privileges than are required to do the job, resulting in an unnecessarily high risk of accident or attack. Some tasks still do require root privilege, and hackers are crafty enough to exploit this by looking for ways to subvert sudo root processes while still retaining root’s context.
Another drawback associated with sudo is that vulnerabilities often go undiscovered and unreported. Users must rely on open forums for solutions to noted problems–if they are discovered at all.
With sudo continuing to fall out of favor more and more credit unions and third-party providers are turning to commercial identity and access management solutions as more effective means of addressing insider threat to satisfy Federal Financial Institutions Examination Council (FFIEC) and other compliance regulations, as well as to follow best security practices, without alienating the IT department.
IAM To The Rescue
Identity and access management (IAM) refers to a comprehensive set of solutions used to identify users within an organization and control their access to systems and information by aligning their designated user rights, identity and role to the correct intellectual property and digital assets. As iterated previously, because privileged accounts carry elevated capabilities, they must be more closely monitored for misuse. Deploying commercial IAM solutions accomplishes this far more effectively than sudo or other freeware application.
Credit unions and other organizations can benefit greatly from an IAM system that ensures only authorized users are able to access proprietary systems and information. An effective IAM solution will also make certain that those authorized to perform various duties with elevated privileges and access will be confined to what their role designates. Their activities will be recorded and an indelible audit trail will be created. In addition to helping guarantee the integrity of data in financial systems, this is invaluable for forensics and troubleshooting purposes, and it often serves as a deterrent to malicious or unethical behavior. Role-based access can and should be granularly defined to meet compliance and data privacy requirements.
If a credit union works within the framework of these best-practices approaches, an IAM solution will allow for an easier implementation and enforcement of security policy related to privileged accounts.
These technologies serve as a centrally controlled application for password management for blend of systems typically running within a Windows/UNIX/Linux network. By making it easier to authenticate users and automate access restriction, IT administrators will be one step closer to a secure infrastructure and to complying with industry and federal regulations.
Ellen Libenson is VP-product management at Symark Software. She can be reached at elibenson
LETTERS TO THE EDITOR
Credit Union Journal encourages reader feedback. Letters to the Editor can be sent to Managing Editor Lisa Freeman at lfreeman@cujournal.com. Letters can also be faxed to 561-832-2939 or submitted online at www.cujournal.com.
