There has been a lot of talk over the past few years about Just In Time provisioning: using an SSO (Single Sign On) platform to create accounts in web-based applications, in near real time, the first time a user signs in to them. This increases productivity and reduces the amount of work IT staff spend creating user accounts. Of course, it isn't truly real-time, but it is typically quick enough to keep human labor out of the loop.
The potentially deadly mistake of NOT granting temporary access
The opening for data theft or compromise comes along for the ride whenever access to specific applications, data, or communications is granted without a clear end date. Whether you provision 'just in time' or automate these entitlements based on roles, neither model accounts for the plain and simple business truth that sometimes people need access only temporarily.
Why is this important?
The CrowdStrike 2019 Global Threat Report measures "breakout time": how long it takes an attacker who has compromised a single endpoint to begin moving laterally within your network. Russia-based adversaries had the shortest average, a little under 19 minutes. To accomplish this, attackers follow a rather specific kill chain of tasks, so well defined that an entire attack framework is devoted to cataloguing it. Within that framework there are several points at which additional access is necessary: moving laterally within the network, gaining access to Active Directory (AD), and granting themselves access to resources. To obtain it, attackers ultimately rely on poorly maintained groups, with stale memberships that nobody reviews, to provide the access they need.
An innovative approach to this is found in GroupID Self-Service and its built-in policy rules, whereby any access to applications, data, communications, etc. is governed by membership in a group that gatekeeps that particular business asset. Layered on top of that gatekeeper group is an admin-imposed rule that every membership is temporary by policy, with ongoing enforcement: no member can remain indefinitely, and members are automatically removed after a pre-determined time. Oversight is then delegated to the business owner of the application, and only they can extend a membership's life. In other words, proactive and regular action is REQUIRED in order to maintain access.
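The same pattern can be expressed with native Active Directory tooling. The following PowerShell is an added example, not GroupID's code or the page's own; it assumes the RSAT ActiveDirectory module, a Windows Server 2016 or later forest functional level, and the Privileged Access Management optional feature enabled once per forest (which is what makes the -MemberTimeToLive parameter available). Group names, user names and the use of the managedBy attribute as the "business owner" are hypothetical.

```powershell
# Added example: time-boxed group membership with owner-only grants and policy enforcement.
# One-time forest prerequisite (hypothetical forest name resolved from Get-ADForest):
#   Enable-ADOptionalFeature 'Privileged Access Management Feature' `
#       -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name
Import-Module ActiveDirectory

function Grant-TemporaryMembership {
    # Grants (or re-issues, to extend) membership that expires on its own.
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$RequestedBy,
        [timespan]$Ttl    = (New-TimeSpan -Hours 8),
        [timespan]$MaxTtl = (New-TimeSpan -Days 30)   # policy ceiling, assumed value
    )
    # Policy: only the group's business owner (managedBy) may grant or extend membership.
    $g         = Get-ADGroup -Identity $Group -Properties managedBy
    $requester = Get-ADUser  -Identity $RequestedBy
    if ($g.managedBy -ne $requester.DistinguishedName) {
        throw "Only the owner of '$Group' may grant membership; refused for '$RequestedBy'."
    }
    if ($Ttl -gt $MaxTtl) { throw "Requested TTL $Ttl exceeds policy maximum $MaxTtl." }

    # Extending = remove the old link and issue a fresh one with a new TTL.
    $member = Get-ADUser -Identity $User
    if ((Get-ADGroupMember -Identity $Group).DistinguishedName -contains $member.DistinguishedName) {
        Remove-ADGroupMember -Identity $Group -Members $member -Confirm:$false
    }
    # The DC drops the link when the TTL elapses; the KDC also caps the user's TGT
    # lifetime at the remaining TTL, so the entitlement dies with the membership.
    Add-ADGroupMember -Identity $Group -Members $member -MemberTimeToLive $Ttl
}

function Get-MembershipReport {
    # Lists each member with its remaining lifetime; a member with no TTL is permanent.
    param([Parameter(Mandatory)][string]$Group)
    # With -ShowMemberTimeToLive, expiring links render as '<TTL=<seconds>,<DN>>'.
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+),(.+)>$') {
            [pscustomobject]@{ Member = $Matches[2]; ExpiresIn = New-TimeSpan -Seconds ([int]$Matches[1]); Permanent = $false }
        } else {
            [pscustomobject]@{ Member = $m; ExpiresIn = $null; Permanent = $true }
        }
    }
}

function Remove-PermanentMembership {
    # Enforcement, not attestation: a member with no expiry violates the temporary-only
    # policy and is removed. Run with -WhatIf first to see what would go.
    param([Parameter(Mandatory)][string]$Group, [switch]$WhatIf)
    Get-MembershipReport -Group $Group | Where-Object Permanent | ForEach-Object {
        Remove-ADGroupMember -Identity $Group -Members $_.Member -Confirm:$false -WhatIf:$WhatIf
    }
}

# Usage (hypothetical names): the app owner grants a contractor eight hours of access,
# then a scheduled task sweeps the governed group for anyone who slipped in permanently.
Grant-TemporaryMembership -Group 'APP-Payroll-Users' -User 'contractor1' -RequestedBy 'payroll.owner'
Get-MembershipReport -Group 'APP-Payroll-Users' | Format-Table
Remove-PermanentMembership -Group 'APP-Payroll-Users' -WhatIf
```

Two caveats a practitioner should check before relying on this: the TTL is enforced by the domain controllers, so a group that is synchronized elsewhere (for example to a cloud directory) will only lose the member after the next sync, and a sweep such as Remove-PermanentMembership should be scheduled rather than run by hand, since the whole point is that enforcement does not depend on someone remembering to look.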
Enforcing this type of control around entitlements forces a regular review through compulsory action. Don't confuse this with attestation. Yes, products like GroupID provide that kind of oversight of a directory, but attestation is just a statement of validity; it is not a control mechanism.
In the end, what an admin wants is different from what an auditor wants. An auditor wants to know who did what, and who validated it and when. An admin who is responsible for security wants to sleep at night, and does so by knowing that access is only ever granted for a pre-determined time. Attestation acts as the safety check, but a policy of temporary access has most likely stamped out inappropriate access long before the attestation process would have caught it.
Security needs to get more proactive and less reactive in order to optimize Active Directory Group Management. Do you agree? Share your comments below.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.