The IT director of a nonprofit organ donor center for more than 200 hospitals in Texas was fired in November 2005. At the time of her termination, the employee was informed in writing that all her access rights had been revoked. The company also took steps to lock all administrator accounts to which she was known to have access. Despite such steps, the terminated employee still managed to access the company’s network from her home via a VPN account that she set up previously without anyone’s knowledge.

Once inside the network, she used an administrator account belonging to another employee to log into several servers, including the company’s organ donor database server and main accounting server. Over the next several hours, she then deleted donor records, accounting invoice files, database and software applications, backup files and the software tokens needed to run some applications. In a bid to cover her tracks, the ex-employee manually deleted all logs of her VPN sessions. She also disabled the activity logging functions on the database and accounting servers – making it impossible to identity the individual files and applications she deleted.

What makes this case really interesting is that the sabotage occurred even though the company took reasonable steps to handle the terminated employee. The company immediately revoked the employee’s access privileges after terminating her and disabled all administrator accounts to which she had had previous access. So what more could a company do to prevent incidents like this? Here are some ideas:

• Formalize your approach to identity governance by building an authoritative repository of all users and their access privileges – mined from all critical systems. Without centralized visibility, there will always be blind spots, as the situation above illustrates. Statistics show that the average employee has 35% more privileges than they need – so mine the data to find out.
• Once you’ve centralized your data, you can automatically scan it to detect anomalies and policy violations. For example, accounts that don’t map to an active employee in the HR system can be flagged as “orphans” and duplicate accounts (employee with more than one account on any system) can be flagged for immediate remediation.
• Put in place consistent, repeatable processes for business-level oversight of access privileges. For instance, you can require that any change in employment status (termination, transfer, promotion, etc.) automatically triggers a review of all of that employee’s access privileges by his or her supervisor. In the case above, this would have resulted in a comprehensive report of all access privileges held by the fired IT director, with the ability to revoke these privileges at the click of a mouse.
• Consider using privileged user management (PUM) tools like Cyber-Ark to deal with “shared” and administrative accounts. These accounts are particularly troublesome because they are anonymous (e.g., UNIX “root”) and don’t map to a specific employee. With PUM tools in place, organizations can tightly control access to privileged accounts and track, monitor, and log every activity performed by employees using privileged user credentials.

Additionally, consider integrating PUM tools with identity governance solutions to ensure complete visibility and control over all user access privileges. For example, privileged accounts under management by Cyber-Ark can be imported into SailPoint IdentityIQ, displayed in access reviews, and can be used to escalate an employee’s risk score based on his or her access to privileged accounts.

How do you manage the access rights of privileged users?

Bruce highlights five techniques for companies that help them deal with trusted employees. The goal of these tactics is to prevent insider threats, or internal security breaches. In theory, I agree with Bruce’s points, especially those about quantifying trust levels and limiting the access that trusted employees have. These are both important strategies for corporations trying to proactively manage risk. I don’t agree with all of Bruce’s tactics, however, because he focuses on deciding which employees to trust and how to monitor them, which can be a difficult and delicate dance for companies.

Since most Fortune 1000 companies have tens of thousands of employees, it’s practically impossible to measure each employee’s “trust” level. Further, most corporations do a dismal job of maintaining good controls over access, allowing employees and other insiders to accumulate privileges well beyond those required to perform their current duties. My belief is that companies need to ensure they have full visibility into what access levels each of those employees have, and whether they align with the corporate policy (for example, an employee shouldn’t be able to set up a vendor in the system and pay that vendor).

This full visibility into user access across the enterprise allows companies to monitor the critical applications, as well as who is accessing them. It also allows them to prevent access when necessary, or terminate it upon an employee’s firing – precisely when an employee suddenly has a motive to do damage. For more advice on this topic, we just posted a podcast discussing how organizations can avoid security breaches (and failed audits, by the way) with an identity governance strategy that provides visibility and control over access to critical IT resources within their organizations.

What do you think – is your company taking a proactive approach to identifying risk exposure tied to user access?

This week’s “Miserable Monday” (or migraine Monday) showed the sheer volume of layoffs being announced on a weekly basis. As difficult as those job losses are to process, companies are leaving themselves vulnerable to insider sabotage if they can’t quickly remove access rights associated with those employees. Take, for example, the recent news that a fired Fannie Mae engineer allegedly planted a malware time bomb. His account access wasn’t shut down for almost two weeks after he was fired. I cringe when I hear news like this, because it’s completely foreseeable and entirely preventable.

More than ever before, the issue of good identity governance is a strategic imperative for global companies. It’s critical for these organizations to inventory, analyze and understand the access rights of their employees – and be ready to answer the critical question “Who has access to what?” Surprisingly, most companies, both large and small, can’t answer that simple question. In fact, we surveyed IT managers at Fortune 1000 companies and 66% of the respondents said they couldn’t map out who has access to what if their CIO asked them for it on short notice (you can read the full results of our Market Pulse Survey here).

I can appreciate the pressure faced by companies planning major layoffs, but I truly believe that the better a company understands which users have access to critical corporate assets, the better it can realistically understand its potential risks if the organization acquires another company, is acquired by another company, or undergoes a significant down-sizing. Whether you’re anticipating a major corporate change or not, I encourage all the customers I see to review their identity governance strategy, making sure they have visibility across their enterprise and can answer that critical question: “Can SOMEBODY tell me who has access to what?”.