Help – I have identified risk, now what do I do

How to control an 'excess privileged' environment reactively and proactively

Continuing on from where we left off last time (read Episode 1 and Episode 2 to refresh your memory), we now focus our attention on ways to ‘mitigate risk’ in your hybrid cloud.

We identified the two areas of risk – over-privileged administrators and data proliferation. The next logical question is: what can we do about it? Let’s tackle each one in sequence in two articles – this time we will focus on administrators.


Administrators: There are two facets to this problem. One is reactive and the other is proactive.

a. Reactive – This is where you – let’s say an outside consultant brought in to assess risk – have discovered, say, 100 administrators, all with super-user privileges. Clearly that may be a rude wake-up call to your client. The knee-jerk reaction may be to curtail the privileges of everyone (except the boss, maybe), but that may backfire. Why? Because some of them may have a legitimate need for those ‘elevated’ privileges – a recent promotion, an expansion of duties, etc. – and you may cause undesired consequences. And in practice you will. Instead of creating an uncomfortable interview with each ‘miscreant’ or their boss, you can take a much less intrusive path by looking at what each admin has actually been doing over the past 30/60/90 days – essentially, take the data that is already available and use it to baseline actual usage against what they are entitled to. In other words, if Joe Schmuck, belonging to the ‘super-admin’ group which is accorded 99 privileges (like VM create, VM delete, create a port group …), has only been using 9 of those privileges over the past 90 days, he is over-privileged by over 92%. Likewise, if Joe S. has oversight of 150 objects (VMs, hosts, port groups, firewall rules …) but has been operating on only 30 of them, he is over-privileged by 80% on his scope. This is actionable data. With it, and the appropriate set of tools, you can now reduce both privileges and scope in one fell swoop, customized to each over-privileged admin based on their individual usage.

b. Proactive – The above gets you to a good place with remedial action, but how do you stay “right-sized”? This requires a sophisticated tool that has complete oversight over your entire SDDC – VMs, orchestration tools, VNFs, etc. – and monitors the entire SDDC to enable proactive policy enforcement, so that Joe Schmuck is only allowed to operate on 30 objects and 9 privileged operations. For more advanced customers, there could be a secondary set of 20 objects and 10 privileged operations that requires Mary Doe (Joe’s boss) to approve (fully automated, of course), and all the rest of the SDDC is explicitly out of bounds for Joe. The cool thing here is that Joe Schmuck can continue to be part of the same ‘super-user’ group, and no changes to Active Directory are needed. This is important because AD is a highly sensitive and controlled environment and is truly the nerve center of the entire data center, so having a way to ‘right-size’ privileges without touching AD is usually welcome (in the fullness of time Joe Schmuck may be demoted to a ‘group admin’ by adjusting his AD group). But this doesn’t stop with Joe Schmuck. For all 100 administrators, we have the view of privileges used and objects accessed, and these policies can be created and enforced for every admin in the SDDC. That is a truly locked-down yet flexible security framework.
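The two steps above (baseline each admin's actual usage against the group entitlement, then enforce a per-admin policy with a primary allowed set, a secondary approval-required set, and deny for everything else) can be expressed in a few dozen lines. The block below is an added example, not code from the article or from any product it alludes to; the privilege names, object names, the one-line audit log format (`date admin privilege object`), the admin and approver names, and the `Policy`/`right_size` helpers are all constructed for illustration.

```python
"""Right-size an admin's privileges from 90 days of audit data, then enforce it.

Added example: entitlement names, log format and admin names are constructed
for illustration, not taken from any real product or from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import NamedTuple

# --- Constructed entitlement for the 'super-admin' group --------------------
GROUP_PRIVILEGES = frozenset([
    "vm.create", "vm.delete", "vm.poweron", "vm.poweroff", "vm.snapshot",
    "vm.migrate", "vm.reconfigure", "host.add", "host.remove", "host.maintenance",
    "portgroup.create", "portgroup.delete", "portgroup.modify",
    "firewall.rule.create", "firewall.rule.delete", "firewall.rule.modify",
    "datastore.create", "datastore.delete", "role.assign", "role.revoke",
])  # 20 privileges
GROUP_SCOPE = frozenset(
    [f"vm-{i:03d}" for i in range(1, 101)] + [f"host-{i:02d}" for i in range(1, 21)]
    + [f"pg-{i:02d}" for i in range(1, 21)] + [f"fw-{i:02d}" for i in range(1, 11)]
)  # 150 objects


class AuditRecord(NamedTuple):
    day: date
    admin: str
    privilege: str
    obj: str


def parse_audit_log(text: str) -> list:
    """Parse constructed lines of the form 'YYYY-MM-DD admin privilege object'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            day, admin, privilege, obj = line.split()
            records.append(AuditRecord(date.fromisoformat(day), admin, privilege, obj))
    return records


def usage_profile(records, admin, today, window_days=90):
    """Privileges and objects `admin` actually used inside the look-back window."""
    since = today - timedelta(days=window_days)
    used_privs, used_objs = set(), set()
    for r in records:
        if r.admin == admin and since <= r.day <= today:
            used_privs.add(r.privilege)
            used_objs.add(r.obj)
    return frozenset(used_privs), frozenset(used_objs)


def over_privilege_pct(entitled, used):
    """Share of the entitlement that went unused in the window, in percent."""
    return round(100.0 * len(entitled - used) / len(entitled), 1)


@dataclass(frozen=True)
class Policy:
    admin: str
    allowed_privs: frozenset
    allowed_objects: frozenset
    approval_privs: frozenset = frozenset()
    approval_objects: frozenset = frozenset()
    approver: str = ""

    def evaluate(self, privilege, obj):
        """ALLOW inside the baseline, REQUIRE_APPROVAL inside the secondary set, else DENY."""
        if privilege in self.allowed_privs and obj in self.allowed_objects:
            return "ALLOW"
        if (privilege in self.allowed_privs | self.approval_privs
                and obj in self.allowed_objects | self.approval_objects):
            return "REQUIRE_APPROVAL"
        return "DENY"


def right_size(records, admin, today, approval_privs=frozenset(),
               approval_objects=frozenset(), approver=""):
    """Build the per-admin policy from usage and report how over-privileged they were."""
    used_privs, used_objs = usage_profile(records, admin, today)
    # Only items that were both used and entitled enter the baseline; usage outside
    # the entitlement is an anomaly to investigate, not something to bless.
    policy = Policy(admin, used_privs & GROUP_PRIVILEGES, used_objs & GROUP_SCOPE,
                    approval_privs, approval_objects, approver)
    report = {
        "privilege_overage_pct": over_privilege_pct(GROUP_PRIVILEGES, used_privs),
        "scope_overage_pct": over_privilege_pct(GROUP_SCOPE, used_objs),
        "unentitled_usage": sorted((used_privs - GROUP_PRIVILEGES) | (used_objs - GROUP_SCOPE)),
    }
    return policy, report


# --- Constructed 90-day audit trail for one admin ---------------------------
TODAY = date(2024, 6, 30)
USED_PRIVS = ["vm.create", "vm.delete", "vm.poweron", "portgroup.create", "host.maintenance"]
USED_OBJS = ([f"vm-{i:03d}" for i in range(1, 21)] + [f"host-{i:02d}" for i in range(1, 6)]
             + [f"pg-{i:02d}" for i in range(1, 4)] + ["fw-01", "fw-02"])  # 30 objects


def sample_log():
    lines = [f"{(TODAY - timedelta(days=i)).isoformat()} joe.schmuck {USED_PRIVS[i % 5]} {obj}"
             for i, obj in enumerate(USED_OBJS)]
    # Stale entry from 120 days ago: outside the window, must not widen the baseline.
    lines.append(f"{(TODAY - timedelta(days=120)).isoformat()} joe.schmuck firewall.rule.delete fw-09")
    return "\n".join(lines)


def demo():
    return right_size(parse_audit_log(sample_log()), "joe.schmuck", TODAY,
                      approval_privs=frozenset({"vm.migrate"}),
                      approval_objects=frozenset(f"vm-{i:03d}" for i in range(21, 41)),
                      approver="mary.doe")


if __name__ == "__main__":
    policy, report = demo()
    print(report)
    for priv, obj in [("vm.create", "vm-003"), ("vm.migrate", "vm-003"),
                      ("vm.create", "vm-030"), ("vm.delete", "host-19")]:
        print(priv, obj, "->", policy.evaluate(priv, obj))
```

Two design points worth noting. The baseline is the intersection of what was used and what the group entitles, so a log entry for a privilege or object outside the entitlement surfaces in `unentitled_usage` rather than being silently written into the new policy. And the look-back window is enforced on the timestamp, so an action from outside the 90 days (the stale `fw-09` line) does not widen the allowed set.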

There is also a great complementary article on this by IDG contributor and security practitioner Leslie K. Lambert, in the same vein, about real customers who are confronted with ‘too much access’ and ‘hidden privileged access’.

So, there you have it – the three golden rules:

1) Acknowledge that there MAY be risk in your organization

2) Use tools to ‘expose’ what this may be in your organization

3) Take remedial measures and proactive steps to reduce your risk

Next time we will focus our attention on the second area of exposure ‘Data’.

Stories by Ashwin Krishnan