Trust No One

How do you build a security apparatus that has to defend against an insider who has perfect knowledge of your IT infrastructure, elevated administrator privileges, and resides within your security perimeter? A growing number of organizations are beginning to ask this question, but many do not know where to begin.

For most potential customers, the prospect of their system administrators doing evil is preposterous. What isn’t preposterous is the credentials and access they have, and potential for a nefarious actor or cyber criminal to exploit their compromised credentials.

Generally speaking, it is difficult to differentiate between an administrator with evil intent, a cyber criminal operating with an administrator’s compromised credentials, or someone simply making a mistake. Therefore, these and other use cases fall within the purview of insider threat management.

Implementing insider threat management can seem daunting; however, there are some basic actions that can initially be taken to dramatically reduce risk in this area. Here are a few basic examples of how the Shattuck Group is helping customers manage this problem space:

  • Encrypt all data, only de-crypt for trusted workloads and end-users. Minimize or eliminate clear text compute.
  • Automate everything, especially production configuration and deployments. Remove human logical access to servers.
  • Employ role separation with policy based access to privileged data, functions, and servers. Explicitly grant access based on role, action, system, and policy.

With these simple steps you remove an insider’s ability to directly access sensitive data; when necessary, the data is accessible but the encryption keys to decrypt it are not; and by removing direct access to production servers, it minimizes the risk of malware installation or accidental misconfiguration of production workloads.

These basic steps are helpful forcing mechanisms that will drive architectural decisions that you must be prepared to make. For instance, removing direct human access to production servers will require establishing a continuous integration and deployment environment with tools such as Puppet or Chef, Hudson and Bamboo. Encrypting data will require establishing a key management and authorization approach with KMS or other solution. Role separation will require you to identify and validate organizational responsibilities and privileges.

With a basic approach to insider threat management, you can dramatically reduce risk of customer or sensitive data compromise. Coupled with enhanced audit and security alarms, you can stay informed in the event of a security incident, but sleep well knowing at worst an adversary will only walk away with cipher text.