Regardless of which survey results you examine, there is no doubt that the biggest security risk organizations face today is the insider threat. And, with the mission-critical role that today’s mainframes play, we must pay close attention to the insider threat and the management of privileged users. Just because the insider threat is significant does not mean we should presume that a large majority of insiders are malicious. Insider threats come from many sources. Certainly, malicious insiders pose a threat, but often the threat originates from good employees making mistakes, or a valid system account being compromised by an external attacker.
Faced with these significant threats, we must focus our security management practices on effectively mitigating the risks in this area. But there are several challenges that must be properly addressed. Often, there are too many privileged user accounts (allowing extensive access to system resources) with 24×7 access privileges. The audit information necessary to understand all account behavior may not be available, and when it is available there is often too much data, making it difficult to determine risk levels. Organizations may try to limit the number of privileged accounts on the system, but this often forces sharing of these accounts amongst multiple users. Sharing accounts means sharing passwords, which increases risk.
Managing the threat from insiders requires adoption of best practices to address the risks and challenges that most organizations deal with on a daily basis. There are 4 main elements of an effective best practices approach:
- Assess and Secure
- Govern and Control
- Record and Review
Assess and Secure
It is important to assess your existing security posture and, based on that assessment, implement the necessary security controls to mitigate the key risks. This involves identifying your privileged users and determining which of these users truly need this level of access. It is extremely likely you will find that you have too many privileged users. You also need to understand your data landscape. Make use of scanning and classification tools to gain an understanding of where your sensitive data resides. Determine the location of sensitive financial data (PCI data for example), Personally Identifiable Information, Private Health Information, and other information that is confidential to your business. Understanding your data landscape and determining the risks of each classification of data that you own will provide you with the necessary information to implement good risk mitigation capabilities. Restrict access to this data as much as possible and, in many cases, limit this access to only your privileged users. And remember, your list of privileged users needs to be a small list.
Govern and Control
With a good understanding of who your privileged users are and where your sensitive data resides, it is now critical that you implement the right governance and control. The use of a privileged access management tool that allows privileges to be elevated only when needed will be important to ensuring you adhere to the principles of least access and therefore mitigate risks in this area. Also, the use of multi-factor authentication for privileged users is important to prevent these high-risk accounts from falling into the wrong hands. Monitoring these accounts to ensure compliance with access policies is essential. This will involve understanding who has access to critical applications and data as well as being informed of who has been accessing these resources. Logging and alerting around this area will help mitigate many critical risks. Another important best practices aspect involves identifying who has not accessed sensitive resources in several months or even years. These are the users that need their permissions reduced, which will reduce your overall risk and is consistent with the principles of least access.
Record and Review
No matter how well you fine-tune your access controls, bad things may still happen. It is therefore important to monitor the activity of all users, especially privileged users. The use of tools that can monitor activity against security policies, and send alerts when these policies are violated, is essential.
Many organizations use Security Information and Event Management (SIEM) platforms within the Security Operations Center (SOC). A best practice involves sending mainframe security events to these SIEM platforms. This allows the SOC to identify security issues on the mainframe and react quickly to reduce the risk to the business. But it is important to filter and enrich the event information coming from the mainframe to the SIEM platform, to ensure these events are clearly understood and don’t overwhelm the platform. Remember, our mainframes can be very chatty!
Now that you have the necessary steps and controls in place, you need to operationalize each area to ensure you maintain a good risk posture. This includes the continuous use of “cleanup” tools to review if users need their level of access control adjusted, which will be necessary when employees change jobs or leave the company. Don’t forget to continuously scan for sensitive data, as data is always changing. Understanding when and where new copies of sensitive data enter your systems helps you adjust your access policies, reduce risk and pass audits.
Remember, our environments are continuously changing and we need to continuously monitor these changes and adjust. With this approach we stand the best chance of keeping our risks at the lowest possible levels.