Combating Insider Threats
Updated: Dec 12, 2022
Imagine that you get into work one day and go to the share drive folder you use to complete your daily tasks, only to find out that it's not there. All of the files for the project you and your team have been working on for the past four months are gone. What happened? A disgruntled employee was terminated and deleted critical files on their way out. How did this happen? This employee's account wasn't de-provisioned before their termination notice. This example, as well as many others, of insider threats, is combated by an Identity Governance & Administration solution. "Identity Governance and Administration (IGA), also known as identity security, is at the center of IT operations, enabling and securing digital identities for all users, applications and data. It allows businesses to provide automated access to an ever-growing number of technology assets while managing potential security and compliance risks" (SailPoint, n.d.). The three most important reasons to invest in an IGA solution are separation of duties and least privilege, role-based access control, and information classification.
Separation of Duties and Least Privilege
Separation of duties (SoD) aims to divide tasks and privileges among multiple people to prevent conflict of interest, wrongful acts, fraud, abuse, and errors (Behr et al., 2017). SoD can be costly to implement because more employees are needed. Even though multiple tasks can be achieved by one to few people, it is in the companies best interest to require more employees to complete the tasks. Without SoD, employees have a higher chance of doing the wrong thing. Intentionally or unintentionally. Additional employees with suitable SoD measures are essentially an insurance policy against Insider threats.
Furthermore, these employees should require the least amount of privilege to perform their duties. The United States Cybersecurity & Infrastructure Security Agency (CISA) says, "Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary (remember to relinquish privileges). Granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. Therefore, careful delegation of access rights can limit attackers from damaging a system."
Role-Based Access Control
Role-based access control (RBAC) restricts a person's network access based on their role in an organization (Zhang, 2020). RBAC is quite similar to the principle of least privilege; however, you assign access and restrictions to a role and assign a person to their position. This allows the company to quickly set the proper pre-defined access without missing anything or giving too much access to new employees or people transitioning roles. For example, without appropriate RBAC, an employee could transfer to a new role, acquiring access to new assets while still maintaining the access of their previous role. Thus, violating both SoD and the principle of least privilege creating an insider threat.
The process of classifying information into relevant categories is known as information classification. Information of different types should be separated and limited to the responsible individuals entrusted with access (Istrefi, 2019). It makes it hard to understand how data should be handled and who should handle it without classifying it. Imagine telling an employee that they do not have the authorization to view sensitive information without determining what information is sensitive. This confuses everyone, and using RBAC is pointless if the information isn't classified. All data should be labeled, no matter how important or unimportant it may seem.
Investing in IGA is essential to combating insider threats. IGA asks three critical questions. "Who should have access? Who currently has access? And how is access being used?" (SailPoint Technologies, 2018) SoD and least privilege, RBAC, and information classification answer these questions. Knowing these answers provides the organization an effective defense against insider threats.
Behr, A., Coleman, K., & Technolytics Institute. (2017, August 3). Separation of duties and IT security. CSO Online. https://www.csoonline.com/article/2123120/separation-of-duties-and-it-security.html
CISA. (2005, September 14). Least privilege. https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege
Istrefi, K. (2019, July 30). Information classification - Why it matters? PECB. https://pecb.com/article/information-classification---why-it-matters
SailPoint Technologies. (2018, September 5). Enabling and Securing Digital Identities [Video]. YouTube. https://www.youtube.com/watch?v=z3Ta2HS13k0&ab_channel=SailPointTechnologies
SailPoint. (n.d.). What is identity governance and administration (IGA)? https://www.sailpoint.com/identity-library/identity-governance/
Zhang, E. (2020, December 1). What is role-based access control (RBAC)? Examples, benefits, and more. Digital Guardian. https://digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more