We identified the two areas of risk – over-privileged administrators and data proliferation. The next logical question is: what can we do about it? Let’s tackle each one in sequence in two articles. This time we will focus on administrators.
Administrators: There are two facets to this problem. One is reactive and the other is proactive.
a. Reactive – This is where you – let’s say an outside consultant brought in to assess risk – have discovered, say, 100 administrators, all with super-user privileges. Clearly that may be a rude wake-up call to your client. The knee-jerk reaction may be to curtail the privileges of everyone (except the boss, maybe), but that may backfire. Why? Because some of them may have a legitimate need for those ‘elevated’ privileges – a recent promotion, an expansion of duties, etc. – and you may cause undesired consequences. Yet you still need to act. Instead of creating an uncomfortable interview with each ‘miscreant’ or their boss, you can take a much less intrusive path by looking at what each admin has actually been doing over the past 30/60/90 days – essentially, take the data that is already available and use it to baseline actual usage against what they are entitled to. In other words, if Joe Schmuck, belonging to the ‘super-admin’ group which is accorded 99 privileges (like VM create, VM delete, create a port group …), has only used 9 privileges over the past 90 days, he is essentially over-privileged by over 92%. Likewise, if Joe S has oversight of 150 objects (VMs, hosts, port groups, firewall rules …) but has only operated on 30 of them, he is over-privileged by 80% on his scope. This is actionable data. With it, and the appropriate set of tools, you can now reduce both the privileges and the scope in one fell swoop, customized to each over-privileged admin based on their individual usage.
b. Proactive – The above gets you to a good place with remedial action, but how do you stay “right-sized”? This requires a sophisticated tool that has complete oversight over your entire SDDC – VMs, orchestration tools, VNFs, etc. – and monitors the entire SDDC to enable proactive policy enforcement, so that Joe Schmuck is only allowed to operate on 30 objects and 9 privileged operations. For more advanced customers, there could be a secondary set of 20 objects and 10 privileged operations that require Mary Doe (Joe’s boss) to approve (fully automated, of course), and all the rest of the SDDC is explicitly out of bounds for Joe. The cool thing here is that Joe Schmuck can continue to be part of the same ‘super-user’ group, and no changes to Active Directory are needed. This is important because AD is a highly sensitive and controlled environment and is truly the nerve center of the entire data center. So, having a way to ‘right-size’ the privileges without touching AD is usually welcome (in the fullness of time Joe Schmuck may be demoted to a ‘group admin’ by adjusting his AD group). But this doesn’t stop with Joe Schmuck. For all 100 administrators, we have the view of privileges used and objects accessed, and these policies can be created and enforced for every admin in the SDDC. That is a truly locked-down yet flexible security framework.
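To make the reactive baseline and the proactive enforcement concrete, here is an added example (not code from the article or from any product it alludes to) that compares an admin’s entitled privileges and scope with the audit trail over a 90-day window, computes the over-privilege percentages, and then evaluates operation requests against allow / needs-approval / deny tiers. The admin names, privilege strings, object ids and audit entries are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article). Entitlements per admin:
# (privileges granted via the group, objects in scope).
ENTITLEMENTS = {
    "joe": ({"vm.create", "vm.delete", "vm.poweron", "vm.poweroff", "vm.snapshot",
             "host.maintenance", "portgroup.create", "portgroup.delete",
             "firewall.rule.edit", "datastore.browse"},            # 10 privileges
            {f"vm-{i}" for i in range(1, 9)} | {"host-1", "host-2"}),  # 10 objects
}
TODAY = date(2024, 3, 31)
# Constructed audit trail of (admin, day, privilege, object).
AUDIT = [
    ("joe", date(2024, 3, 1), "vm.poweron", "vm-1"),
    ("joe", date(2024, 3, 5), "vm.poweroff", "vm-1"),
    ("joe", date(2024, 3, 20), "vm.snapshot", "vm-2"),
    ("joe", date(2023, 11, 1), "vm.delete", "vm-7"),  # older than 90 days, ignored
]

def usage_baseline(entitlements, audit, today, lookback_days=90):
    """Reactive step: what each admin actually used vs. what they are entitled to."""
    cutoff = today - timedelta(days=lookback_days)
    used = defaultdict(lambda: (set(), set()))  # admin -> (privileges, objects)
    for admin, day, priv, obj in audit:
        if day >= cutoff:
            used[admin][0].add(priv)
            used[admin][1].add(obj)
    report = {}
    for admin, (privs, scope) in entitlements.items():
        up, uo = used[admin]
        report[admin] = {
            "privs_used": sorted(up & privs), "objects_used": sorted(uo & scope),
            "priv_overprivileged_pct": round(100 * (1 - len(up & privs) / len(privs))),
            "scope_overprivileged_pct": round(100 * (1 - len(uo & scope) / len(scope))),
            # Activity outside the entitlements is a separate finding to investigate.
            "unexplained": sorted((up - privs) | (uo - scope)),
        }
    return report

def build_policy(report, admin, approval_privs=(), approval_objs=()):
    """Proactive step: allow the baseline, route a secondary set to the boss for
    approval, and implicitly deny everything else. AD group membership is untouched."""
    r = report[admin]
    return {"allow": (set(r["privs_used"]), set(r["objects_used"])),
            "approve": (set(approval_privs), set(approval_objs))}

def decide(policy, priv, obj):
    """Enforcement decision for one requested operation on one object."""
    allow_p, allow_o = policy["allow"]
    appr_p, appr_o = policy["approve"]
    if priv in allow_p and obj in allow_o:
        return "allow"
    if priv in allow_p | appr_p and obj in allow_o | appr_o:
        return "needs-approval"
    return "deny"
```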
And there is a great complementary article in the same vein by IDG contributor and security practitioner Leslie K Lambert, talking about real customers who are confronted with ‘too much access’ and ‘hidden privileged access’.
So, there you have it – the three golden rules:
1) Acknowledge that there MAY be risk in your organization
2) Use tools to ‘expose’ what this may be in your organization
3) Take remedial measures and proactive steps to reduce your risk
Next time we will focus our attention on the second area of exposure, ‘Data’.