Account Access Review
No matter the care and rigor taken in the administration of access control, there will necessarily be instances of overentitlement: granting more access than is strictly necessary. Applications break and employees complain when insufficient access is granted; far fewer complaints are raised when an account is given too much. Periodic access review serves as a detective control for this superfluous access.
While it would theoretically be prudent to review all access for every subject and object, doing so proves extremely cumbersome. A risk-based approach should be employed instead, prioritizing review of highly privileged accounts, significant transactions or services, sensitive data, and critical systems and applications.
According to the Institute of Internal Auditors Global Technology Audit Guide, “As part of the IAM (Identity and Access Management) process, entitlement management should be designed to initiate, modify, track, record, and terminate the entitlements or access permissions assigned to user accounts. Regardless of the methodology the organization employs to group user accounts into similar functions (e.g., work groups, roles, or profiles), entitlements for each user need to be managed properly. Therefore, the organization should conduct periodic reviews of access rights to detect situations where users accumulate entitlements as they move within the organization or where users are assigned improper entitlements” [19].
Access Aggregation
Access aggregation occurs as individual users gain access to more and more systems. This can happen intentionally, as with Single Sign-On (SSO), where one authentication grants access to many systems. It can also happen unintentionally: users gain new entitlements (also called access rights) as they take on new roles or duties, and nobody removes the old ones. The result is authorization creep: users accumulate entitlements without shedding those they no longer need. The power of these entitlements compounds over time, defeating controls such as least privilege and separation of duties. User entitlements must be routinely reviewed and audited, and processes should exist that review, and ideally reduce or eliminate, old entitlements at the moment new ones are granted (for example, when a transfer is recorded in the HR system).
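The following is an added example, not code from the original text or from any IAM product, of the review the two preceding sections describe: each account's entitlements are compared with the baseline its current roles justify, leftovers from earlier roles are flagged as authorization creep, separation-of-duties conflicts are detected, and the findings are ordered so that privileged accounts are reviewed first. The role names, entitlement names, separation-of-duties pairs, scoring weights and the four sample accounts are constructed for illustration; a real review would pull them from the IAM system and HR records.

```python
"""Periodic entitlement review that flags authorization creep.

Added example, not part of the original text. The roles, entitlement names,
separation-of-duties pairs and the four sample accounts are constructed data;
a real review would pull them from the IAM system and HR records.
"""
from dataclasses import dataclass

# Baseline: the entitlements each role is supposed to confer (constructed).
ROLE_BASELINE = {
    "helpdesk":  {"ticketing.read", "ticketing.write", "ad.password_reset"},
    "developer": {"git.push", "ci.trigger", "staging.deploy"},
    "finance":   {"erp.ap.read", "erp.ap.approve"},
}

# High-impact entitlements; findings involving these are reviewed first (constructed).
PRIVILEGED = {"ad.domain_admin", "prod.deploy", "db.prod.dba", "erp.ap.approve"}

# Separation-of-duties pairs that must not coexist on one account (constructed).
SOD_CONFLICTS = [("erp.ap.create_vendor", "erp.ap.approve")]


@dataclass
class Account:
    user: str
    roles: set            # roles the user currently holds
    entitlements: set     # entitlements actually present on the account


@dataclass
class Finding:
    user: str
    excess: set           # entitlements no current role justifies
    privileged_excess: set
    sod_violations: list
    score: int            # higher means review sooner


def baseline_for(roles):
    """Union of the entitlements all of a user's current roles confer."""
    return set().union(*(ROLE_BASELINE.get(r, set()) for r in roles))


def review(accounts):
    """Return findings ordered by risk: privileged creep and SoD breaks first."""
    findings = []
    for acct in accounts:
        excess = acct.entitlements - baseline_for(acct.roles)
        privileged = excess & PRIVILEGED
        sod = [(a, b) for a, b in SOD_CONFLICTS
               if a in acct.entitlements and b in acct.entitlements]
        if not excess and not sod:
            continue            # entitlements match the role baseline
        score = 10 * len(privileged) + 5 * len(sod) + len(excess - privileged)
        findings.append(Finding(acct.user, excess, privileged, sod, score))
    # Deterministic order: highest score first, then by user name.
    return sorted(findings, key=lambda f: (-f.score, f.user))


# Constructed sample: alice moved from an ops role to development but kept
# prod.deploy; bob's helpdesk account has domain admin; carol can both create
# vendors and approve their payments; dave matches his baseline exactly.
SAMPLE_ACCOUNTS = [
    Account("alice", {"developer"},
            {"git.push", "ci.trigger", "staging.deploy", "prod.deploy"}),
    Account("bob", {"helpdesk"},
            {"ticketing.read", "ticketing.write", "ad.password_reset",
             "ad.domain_admin"}),
    Account("carol", {"finance"},
            {"erp.ap.read", "erp.ap.approve", "erp.ap.create_vendor"}),
    Account("dave", {"developer"}, {"git.push", "ci.trigger", "staging.deploy"}),
]


if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f.user:8} score={f.score:3} excess={sorted(f.excess)} "
              f"sod={f.sod_violations}")
```

Run as a script, the report lists alice and bob first (each retains one privileged entitlement that no current role justifies), then carol (an unprivileged leftover plus a separation-of-duties conflict), and omits dave entirely. The point of the scoring is the risk-based prioritization above: the reviewer's limited time goes to privileged creep before cosmetic excess.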
Privilege Escalation
Elevation of privilege, or privilege escalation, is gaining higher-level privileges than those initially granted. An adversary might exploit a vulnerability to achieve it. Legitimate users, especially those performing administrative functions, also need higher-level privileges than a standard account provides. Even for legitimate users, privilege escalation must be controlled, given the far greater capabilities that come with elevated privileges.
Even users who constantly perform actions requiring higher-level privileges still use systems and applications that have no need for them. Using a single highly privileged account for everything is efficient, but it exposes the privileged credentials and session whenever that account is used for web browsing, reading email, and similar everyday tasks, which is exactly where phishing and drive-by malware land. The alternative is to provision multiple accounts for employees who require higher privileges. One account, the de facto account used for general-purpose computing, is a standard unprivileged user account. The additional account is used only when performing actions that require more substantial privileges.
While logging in and out of the various accounts as needed is theoretically viable, the operational burden and annoyance would be substantial. Thankfully, modern operating systems provide built-in capabilities specifically for this multi-account scenario, such as sudo on Unix-like systems and Run as or User Account Control prompts on Windows, which let a standard session invoke a single command or program under the privileged account without a full logout.
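As an added example of the separate-account pattern on a Unix-like system (not taken from the original text), the sudoers fragment below shows the weak setting beside a scoped one. The account names jdoe and jdoe-adm, the admin group, and the nginx command list are assumptions for illustration.

```text
# Weak: every member of the admin group can run anything as any user without
# re-authenticating. Any daily-use account in that group is effectively root.
%admin ALL=(ALL) NOPASSWD: ALL

# Scoped: the daily-use account jdoe appears nowhere in sudoers. The separate
# administrative account jdoe-adm may run only the listed commands, only as
# root, and must enter its own password each time.
Cmnd_Alias NGINX_OPS = /usr/bin/systemctl restart nginx, \
                       /usr/bin/systemctl status nginx
jdoe-adm ALL=(root) NGINX_OPS

# Re-prompt on every invocation and record elevated sessions, so the periodic
# access review described above has a trail of what the privileged account did.
Defaults timestamp_timeout=0
Defaults log_input, log_output
```

Validate a candidate file with `visudo -c -f <file>` before installing it, since a syntax error in sudoers can lock administrators out of elevation entirely. The equivalent on Windows is to keep the administrative account out of the interactive session and invoke individual programs with `runas /user:DOMAIN\jdoe-adm`.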