Segregation of Duties on a globalized culture?
Segregation word might be perceived as a negative word, but when administering IT systems, we DO have to segregate everything… segregate, divide, categorize, organize and so on.
As Occam’s Razors says, “the simplest solution is almost always the best.”, and this is true meanwhile we commit all our policies and best practices. For sure, having a single identity (say user ID on Active Directory) is the simplest implementation, but does not comply with many security policies and market standard best practices.
Having a single identity (let’s say Hans Solo or soloh, just as an example) which is used to read email, but not only corporate, personal as well, for web surfing, to print those nice presentations… and additionally to administer one or several servers… to manage a web server… to create users and groups… …and so on is not what our IT environment needs. Now you might be getting some clarity: this simple model cannot guarantee the security of all the environments soloh manages.
Neuron fight result… an idea
So yes, we must segregate. Mainly we must segregate rights and permissions, and most likely on the several environments present in our network. We cannot afford the risk of exposing credentials, and worst if those credentials have some sort of rights or privileges. If we keep separated our food from soaps and cleaners (imagine a pancake of dishwasher with syrup of vanilla hands soap!), then why we should maintain the same multi-purpose account; is difficult to know what this account can accomplish, where it can accomplish it, and if this action is legitimate.
The solution is quite simple. Create a new, exclusive account for any administration purpose. I have to admit that having more than 1 identity (or userID in AD world) is not simpler, but having into consideration that I must maintain separation because of the usage of each identity, then yes, is the simplest approach while maintaining my security.
Now that there is no doubt on why I must segregate, it comes the next question: what is to be segregated? Again, a puzzling question to answer; a deeper analysis of your daily operations has to be done in order to identify assets, more important critical assets… but as a rule of thumb, keep a standard user away form IT Administrative tasks. Now we end up having 2 categories: Non-Privileged Users (or standard users) and Administrative users.
In the event (an unpleasant event we don’t wanna see!) that our Non-Privileged user soloh gets compromised, the damage is minimized, just because this standard user has limited permissions. But what will happen if the Administrative account soloh-Admin is at risk… well, then we have to worry, and start to run. Furthermore, we will consider new segregation for administrative proposes. For example, if our user soloh has to administer some shares on file servers, the HHRR database, and our mighty Active Directory, then we will create one admin account for each of the roles: soloh_Share, soloh_SQL and soloh_AD.
Ok, but how much is enough? Several factors to consider before giving an educated response: How much money and/or business will you lose in case of a breach? How much time will you be unable to work until coming back to normal operation? How much damaged will end up your enterprise image after the event? So yes, it has to be enough; let me bring an example… you decide to change the local Admin password every month in your 500 computers and servers, but this password is the same for all… then as soon as 1 computer is compromised, the 499 remaining computers are compromised as well. As an alternative, you can have a different password to each of them; so in the event that one gets compromised, the remaining 499 are partially safe. This can be considered as Segregation of Assets.
What would I do if I’m working for you
To start with, separate a normal or Non-Privileged user from an Administrator or Privileged User. A normal user is exposed on unsecure networks like the Internet or by malicious emails. Any Privileged user should avoid such insecurity. An effortless way forward to security is to provision new identities for administration purposes.
Once the non-privileged users are segregated, we must have a clear understanding on daily operations. What are Admins doing and how are they doing it. Having this information, we can start creating several administration areas, each one of them having its own privileged users segregated from other areas.
And last, but not least, make a magic trick: make disappear ALL shared accounts. If you cannot make them disappear (as in the case of Built-In Administrator accounts), then change its password to something ridiculous long, and keep it away from Admin users (a safe box with an envelope could be enough, but if you can afford a digital vault, much better). Shared accounts are a nice gate inviting bad people trying to hack into our network.
What we can Achieve by Segregation of Duties
Having several accounts for different roles on our environments will help us to protect from “Lateral Movement Attacks”; once one identity is compromised, the attacker will try to use it in several assets (the 500 computer example I provide earlier, the attacker will try the credentials on each of those, and it will try to harvest more credentials until being able to “elevate its rights”).
Each segregated asset and/or identity, will act as a security zone, or as a buffer zone that will help us to protect our assets. If a hacker is trying to harvest credentials from non-privileged users:
- We are protected because Privileged accounts are segregated from non-privileged ones.
- We will have time to identify the attack and react before privileged accounts might be compromised.
- We are able to identify (and better audit) the segregated accounts.
In the worst-case scenario that a system gets compromised, this technic will help as a contention measure, just because the credentials of other environments are different.
Sadly, if our directory is the compromised one, then most likely the attacker might have access to all remaining systems. But bear in mind that Segregation Of Duties is just one brick in the wall… we need the rest!