How the Disney insider threat case breaks the security binary illusion
Security is always a bit like a game of whack-a-mole: you never quite know where the next incident is going to pop up. On the face of it, this shouldn’t be too hard. Everyone knows to secure PII, PHI, customer financials, production environments, and other resources that are obviously highly sensitive. But the question of what counts as sensitive is not always black and white, and there are plenty of gray areas.
This uncertainty can lead to organizations failing to properly secure their resources, as we saw in the recent incident over at Disney.
In case you missed it last month, a former menu production manager named Michael Scheuer was arrested after he used his still-valid credentials to alter menus, including marking items that contained peanuts as safe for people with potentially deadly peanut allergies. Thankfully, the altered menus never made it to the parks. But the incident raised plenty of questions, first and foremost how this former employee was still able to access company systems at all.
Slipping Through the JML Cracks
Managing the Joiner-Mover-Leaver (JML) lifecycle is the bread and butter of Identity and Access Management: making sure that employees have access to what they need to get work done, and removing that access when it is no longer needed.
Unfortunately, even when organizations manage the majority of their JML processes through their Identity Provider (IdP), such as Active Directory or Okta, and disable accounts there when the time comes, some accounts always slip through.
We often see this with non-federated accounts, bring-your-own-identity (BYOI) situations, and cloud infrastructure like AWS, where a user can create a local IAM user that lives outside the IdP and sticks around unnoticed after the person has left.
What was strange about the Disney case is that Scheuer is reported to have been actively using his access to this system for three months, and nobody appears to have taken steps to boot him out. Considering that he was mostly making annoying changes like turning menu text into Wingdings or altering prices, this menu system was probably (and mistakenly) not considered valuable enough to warrant serious action.
Security is a Balance, Not a Binary
As the number of resources that security teams are tasked with protecting has skyrocketed in the transition to the cloud, there has been increased pressure to prioritize security for the most sensitive resources. This makes sense given the very human constraints on time that force us to choose where to direct our efforts.
The downside is that far too often this mindset leads to a false choice between securing only the “crown jewels” and leaving everything else accessible to anyone in the organization, because getting a handle on standing access is too heavy a lift.
Combine that prioritization with the legitimate concern that heavily restricting access to too many resources will disrupt workflows, and you quickly reach a state of paralysis within the organization.
Thankfully, there is a third way that bridges the gap between security and productivity.
How to Mitigate Former Employee Access Risks
Insider threats pose a different set of challenges than your average hacker, mostly because authentication controls like MFA do not help: the insider really is who they say they are and passes every identity check. The problem is authorization, meaning what that legitimately authenticated account is still allowed to reach.
If a former employee retains credentials to a service, particularly one not directly governed by your IdP, then they can still access it whenever they choose.
Here are a few tips for securing your resources against insider threats. They really apply to all access management threats, since an attacker who takes over a legitimate account inherits all of that account’s legitimate access.
Know Your Risk
Understand that each resource carries a different level of risk. Knowing the risk per resource tells you how best to protect it.
Regulated data or systems can be given more extensive protection, such as requiring manual human approval, whereas services like the menu creation software can receive monitoring and lighter challenges before a user is allowed in.
Reduce the Blast Radius
Recognizing the varying levels of risk allows organizations to manage access effectively. Attackers are only as dangerous as the privileges in their possession allow them to be. By reducing what they can reach, we mitigate a significant proportion of our risk.
For resources deemed to be truly low risk, leaving them as standing access saves the time that would otherwise go into granting and revoking privileges.
But for resources that are medium to high risk, organizations can put in controls that require a user to request access before it is provisioned. Risk assessment and usage data can help determine whether approval should be granted automatically or should require manual approval for an added layer of human oversight and accountability.
Automate as Much as Possible
When dealing with a massive enterprise like Disney, automation of the vast majority of processes is critical. Even if certain resources require manual approvals to maintain high security standards, the provisioning process must be automated in order to enable productivity.
In the vast majority of cases, approvals can be automated as well if the user meets the right conditions: context from a generated ticket, membership in the right group according to the access policy, and so on.
Importantly, deprovisioning should be fully automated to close the window in which open-ended access can be exploited.
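The risk tiering, conditional auto-approval, and automatic expiry described in the last three sections, sketched as a small policy evaluator. This is an added example, not Apono’s product code or anything from the original article; the resource names, tiers, groups, ticket format, and grant lifetimes are all made up for illustration.

```python
"""Risk-tiered access requests with time-boxed grants and automatic revocation.

Added example; not code from the article or from any vendor product.
Resource catalogue, policy, group names and ticket format are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Constructed resource catalogue: every resource gets an explicit risk tier.
RESOURCE_TIER = {
    "menu-cms": "low",         # standing access is acceptable
    "payments-db": "medium",   # request + auto-approval under conditions
    "pii-warehouse": "high",   # request + manual approval, short lifetime
}

# Constructed access policy: eligible group and how long a grant lives
# before automated deprovisioning removes it.
POLICY = {
    "menu-cms": {"group": "culinary-ops", "ttl": timedelta(days=365)},
    "payments-db": {"group": "finance-eng", "ttl": timedelta(hours=4)},
    "pii-warehouse": {"group": "data-privacy", "ttl": timedelta(hours=1)},
}

# Constructed ticket format, e.g. "FIN-42": a well-formed reference is the
# context that lets a medium-risk request be approved without a human.
TICKET_RE = re.compile(r"^[A-Z]{2,10}-\d+$")


@dataclass
class Request:
    user: str
    groups: Set[str]
    resource: str
    ticket: Optional[str] = None


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime
    approved_by: str


def evaluate(req: Request) -> str:
    """Decide 'auto', 'manual' or 'deny' for a request. Unknowns fail closed."""
    tier = RESOURCE_TIER.get(req.resource)
    policy = POLICY.get(req.resource)
    if tier is None or policy is None:
        return "deny"                       # resource not in the catalogue
    if policy["group"] not in req.groups:
        return "deny"                       # requester not eligible at all
    if tier == "low":
        return "auto"                       # cheap to grant, cheap to revoke
    if tier == "medium":
        ticket_ok = bool(req.ticket and TICKET_RE.match(req.ticket))
        return "auto" if ticket_ok else "manual"
    return "manual"                         # high risk: human in the loop


def provision(req: Request, decision: str, approver: Optional[str],
              now: datetime) -> Grant:
    """Create a time-boxed grant; manual decisions need a named approver."""
    if decision == "deny":
        raise PermissionError(f"{req.user} may not access {req.resource}")
    if decision == "manual" and approver is None:
        raise ValueError("manual approval requires a human approver")
    ttl = POLICY[req.resource]["ttl"]
    return Grant(req.user, req.resource, now + ttl, approver or "policy")


def revoke_expired(grants: List[Grant], now: datetime) -> Tuple[List[Grant], List[Grant]]:
    """Automated deprovisioning: return (still_active, revoked)."""
    active = [g for g in grants if g.expires_at > now]
    revoked = [g for g in grants if g.expires_at <= now]
    return active, revoked


def offboard(grants: List[Grant], user: str) -> Tuple[List[Grant], List[Grant]]:
    """Leaver event from HR: drop every grant for the user regardless of expiry."""
    keep = [g for g in grants if g.user != user]
    dropped = [g for g in grants if g.user == user]
    return keep, dropped


if __name__ == "__main__":
    now = datetime(2024, 11, 1, 9, 0, tzinfo=timezone.utc)
    req = Request("bob", {"finance-eng"}, "payments-db", ticket="FIN-42")
    grant = provision(req, evaluate(req), None, now)
    print(evaluate(req), grant.expires_at.isoformat())
    print(revoke_expired([grant], now + timedelta(hours=5)))
```

The point of the example is the shape, not the specific tiers: low-risk resources keep standing access with a long lifetime, medium-risk ones are approved automatically only when the request carries verifiable context, and high-risk ones always need a person. Every grant carries an expiry so that revocation is the default, and a leaver signal from HR removes everything at once rather than waiting for timers.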
Go Beyond the IdP
Have visibility across multiple systems, not just what you see in the IdP.
Your HR systems can provide valuable updates, such as when an employee changes roles within the organization or leaves. In both cases their access privileges need to change, and ideally we want to remove access as quickly as possible, especially in cases like Scheuer’s where the separation was less than amicable.
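Finding the accounts that live outside the IdP, both the HR-driven leavers this section describes and the local AWS IAM users mentioned earlier, usually comes down to reconciling what HR says against what each system actually holds. The script below is an added example, not code from the article or from Apono. It reads the CSV format that `aws iam get-credential-report` returns, trimmed here to the columns the script uses; the roster, user names, dates, and service-account list are constructed, and the assumption that IAM user names match HR usernames is a simplification (real estates usually need tags or a mapping table).

```python
"""Reconcile an HR roster against an AWS IAM credential report.

Added example; not code from the article or any vendor. The CSV below is
a constructed sample in the column layout of `aws iam get-credential-report`,
reduced to the columns read here. All names and dates are made up.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed HR roster keyed by IAM user name (assumption: IAM users are
# named after the HR username; a real run would map via tags or a lookup).
HR_ROSTER: Dict[str, Dict[str, Optional[str]]] = {
    "jdoe": {"status": "active", "terminated": None},
    "rlee": {"status": "terminated", "terminated": "2024-06-13"},
    "tkim": {"status": "terminated", "terminated": "2024-09-01"},
}

# Constructed allowlist of non-human accounts that intentionally have no HR owner.
SERVICE_ACCOUNTS: Set[str] = {"ci-deploy"}

# Constructed credential report (subset of real columns). "N/A" and
# "no_information" are the report's own placeholders for "never".
CREDENTIAL_REPORT = """\
user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2024-01-02T09:00:00+00:00,false,N/A,false,N/A
jdoe,true,2024-10-30T08:12:44+00:00,false,N/A,false,N/A
rlee,true,2024-09-12T22:41:10+00:00,true,2024-09-12T22:45:03+00:00,false,N/A
tkim,false,no_information,false,N/A,false,N/A
ci-deploy,false,no_information,true,2024-10-31T03:00:00+00:00,false,N/A
legacy-import,false,no_information,true,2024-07-20T11:15:00+00:00,false,N/A
"""


def parse_ts(value: str) -> Optional[datetime]:
    """Turn a report timestamp into a datetime; placeholders become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def last_activity(row: Dict[str, str]) -> Optional[datetime]:
    """Most recent console sign-in or access-key use for one report row."""
    stamps = [parse_ts(row["password_last_used"]),
              parse_ts(row["access_key_1_last_used_date"]),
              parse_ts(row["access_key_2_last_used_date"])]
    present = [s for s in stamps if s is not None]
    return max(present) if present else None


def has_live_credentials(row: Dict[str, str]) -> bool:
    """True if the user can still authenticate by password or any active key."""
    return (row["password_enabled"] == "true"
            or row["access_key_1_active"] == "true"
            or row["access_key_2_active"] == "true")


def reconcile(report_csv: str, roster: Dict[str, Dict[str, Optional[str]]],
              service_accounts: Set[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for accounts the JML process missed."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>" or name in service_accounts:
            continue
        live = has_live_credentials(row)
        used = last_activity(row)
        person = roster.get(name)
        if person is None:
            # Local IAM user nobody in HR owns: the classic orphan account.
            if live:
                findings.append((name, "unowned_local_user"))
            continue
        if person["status"] != "terminated" or not person["terminated"]:
            continue
        term = datetime.fromisoformat(person["terminated"]).replace(tzinfo=timezone.utc)
        if live:
            findings.append((name, "leaver_with_live_credentials"))
        if used is not None and used > term:
            # The Disney pattern: activity months after the leaver date.
            findings.append((name, "leaver_used_after_termination"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(CREDENTIAL_REPORT, HR_ROSTER, SERVICE_ACCOUNTS):
        print(f"{user}: {finding}")
```

Running it against the sample flags the terminated user who still holds a password and an active key and was seen using them after the termination date, and the unowned `legacy-import` user with a live key. The properly offboarded leaver and the allowlisted service account produce nothing, which is what you want the daily job to report when JML is working. The same reconciliation applies to any system that keeps its own user table outside the IdP; only the report parser changes.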
Rom Carmel is CEO and Co-Founder of Apono.