Active Directory Cleaning

What is the CIO and CISO’s Worst Kept Secret?

Paul Wahlen

Technical Director

Aug 15, 2016

My colleagues and I have observed an issue which has plagued enterprises for some time now, and the longer it remains unaddressed, the greater the vulnerability to the organization. Identity management related to Active Directory (AD) has been a legacy issue for years, and only now is awareness of the issue among many CIOs and CISOs reaching critical mass. In the past, enterprises have consistently added members and groups to AD at alarming rates, yet they have never gone back to clean it up. This practice leaves the organization steadily more exposed, creating exactly the conditions hackers seek for high-risk identity compromises. These compromises, of course, can lead to damaging breaches that threaten an organization’s livelihood.

Why does this unmanaged access represent such a serious threat?

The average user has more than 100 entitlements, making certification a time-consuming process for managers. These managers approve the majority of certification requests without actually trying to validate each one. Certifications are typically a quarterly or yearly process, leaving organizations at risk from employees who hold excess access to which they should not be entitled. This represents a hidden time bomb in the organization.

The security community widely recognizes that misuse and compromise of identity is at the root of modern threats, and that data security cannot be assured unless organizations know who has access, when they have access, and whether the identity should have access. A majority of these entitlements are not current, and hence are not being monitored by the account owner, and that is where the danger lies. These dormant accounts, along with other unsupervised or shared accounts, give attackers avenues of breach that SOC teams are likely to mistake for legitimate activity.

What’s the solution? It boils down to these use cases:

  • Identify accounts with excess access
  • Clean up outlier access
  • Provision access dynamically and based on roles to reduce access over-provisioning
  • Perform effective access governance and SoD monitoring
  • Monitor dormant and orphan accounts

Few companies know where a definitive inventory of high privileged access (HPA) accounts resides, usually because one simply doesn’t exist. The naming conventions for HPA accounts are unreliable and lists are incomplete. Many actual HPA accounts reside outside these partial user lists, and there is no easy way to track them down manually. Using advanced machine learning to discover privileged access and entitlements, no matter where they reside, is essential to addressing this challenge successfully. With its Access Analytics machine learning platform, Gurucul can connect to AD and at the same time to an authoritative HR source, and aid the cleanup by giving invaluable visibility. Actions and outputs would look like:

  • Replacement of traditional access provisioning with intelligent roles to reduce excess access going forward
  • Implementation of risk-based certifications to reduce rubber-stamping of certifications
  • Reporting of unused entitlements and access outliers
  • Reporting of high privileged access (HPA), orphaned and inactive accounts
  • Removal of unused accounts and entitlements
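As an added illustration (not Gurucul’s product or code), the checks behind the use cases and reports listed above, run over a constructed AD user export cross-referenced with a constructed HR source: dormant, orphaned and high-privilege accounts, plus entitlements that are outliers within an account’s HR department (its peer group). The group names, the 90-day dormancy window and the 50% peer-share threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 8, 15, tzinfo=timezone.utc)   # constructed "today"
DORMANT_DAYS = 90                                   # assumed dormancy window
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample of an AD user export (e.g. dumped with Get-ADUser); not real data.
AD_USERS = [
    {"sam": "alice", "last_logon": NOW - timedelta(days=3),   "groups": {"Finance", "VPN-Users"}},
    {"sam": "bob",   "last_logon": NOW - timedelta(days=200), "groups": {"Finance", "VPN-Users"}},
    {"sam": "carol", "last_logon": NOW - timedelta(days=1),   "groups": {"Finance", "VPN-Users", "Domain Admins"}},
    {"sam": "dave",  "last_logon": None,                      "groups": {"Engineering"}},
    {"sam": "svc_backup", "last_logon": NOW - timedelta(days=400), "groups": {"Backup Operators"}},
]
# Constructed authoritative HR source: active employees and their department.
HR_ACTIVE = {"alice": "Finance", "bob": "Finance", "carol": "Finance", "dave": "Engineering"}


def find_dormant(users, now=NOW, days=DORMANT_DAYS):
    """Accounts that have never logged on, or not within `days` days."""
    cutoff = now - timedelta(days=days)
    return sorted(u["sam"] for u in users
                  if u["last_logon"] is None or u["last_logon"] < cutoff)


def find_orphans(users, hr_active):
    """Accounts with no matching active HR record (leavers, stray service accounts)."""
    return sorted(u["sam"] for u in users if u["sam"] not in hr_active)


def find_hpa(users, privileged=PRIVILEGED_GROUPS):
    """Accounts holding membership in any privileged group, regardless of naming."""
    return sorted(u["sam"] for u in users if u["groups"] & privileged)


def find_outliers(users, hr_active, threshold=0.5):
    """Entitlements held by fewer than `threshold` of the account's department peers.
    Departments with a single member cannot produce outliers under this heuristic."""
    peers = {}
    for u in users:
        dept = hr_active.get(u["sam"])
        if dept:
            peers.setdefault(dept, []).append(u)
    outliers = {}
    for members in peers.values():
        for u in members:
            for g in u["groups"]:
                share = sum(1 for m in members if g in m["groups"]) / len(members)
                if share < threshold:
                    outliers.setdefault(u["sam"], set()).add(g)
    return outliers
```

The four results together are the report a certification reviewer would act on: bob, dave and svc_backup are dormant, svc_backup has no HR owner, and carol's Domain Admins membership is both HPA and an outlier among her Finance peers.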

So, while a number of CIOs and CISOs remain stuck in a legacy AD access management mindset, they do so at the risk of their organizations. The forward-looking security leaders, meanwhile, are strengthening their organization’s security and productivity, while enabling it to stay in sync with the evolution of technology and compete more effectively in today’s fast-evolving markets.
