23rd Sep '08

Privileged access and information integrity auditing


Two fundamental principles of information security are privileged access and information integrity auditing. In order to protect data, one needs the records of data access, as well as the records of any alterations or destruction of the data. 

Unfortunately, many organizations don’t have anyone assigned to perform privileged access and information integrity auditing, either because its importance and value are misunderstood or because resources are lacking. Although I’m unable to provide the additional resources to help your organization, I hope to at least stress the importance and value of auditing privileged access and information integrity.

One of your organization’s biggest security vulnerabilities is your employees. As a business owner, if you don’t know what sensitive business data your users are accessing, from where the data is being accessed, and why the data is being accessed, you’re at a great disadvantage in controlling how that data is being used.

Privileged Access

More than likely your company has sensitive data stored electronically, whether it be credit card numbers of customers, or other information that your customers trust you to keep private, such as their e-mail addresses or tax ID numbers. You may even have this information locked in a password-protected system. You probably even know who has the password, or at least who is supposed to have the password. In this article, “privileged access” refers to the exercising of a restricted privilege to access data. The password is the access mechanism given only to those who have the privilege to access the data.

The password in the above scenario works much like the key to a lock that protects company property. A video camera that focuses on the entrance to a locked property storage area and records who accesses the area helps protect against theft. If property turned up missing, and through regular inventories you knew roughly when the property disappeared, having a recording of who had entered the storage area around that time would be vital in showing who should be questioned regarding the location of the missing property.

If your company had policies on when the property in the locked storage area could be used, the video camera recordings would be useful in showing whether an employee was using the property during hours that violated policy.

Additionally, attempts to gain access to the locked storage area by unprivileged people would be recorded by the camera, whether the attempts were successful or not.

Finally, if an additional video camera were placed inside the locked storage area, a recording could be used to determine if policies on specific property usage were being adhered to.

This usage of a video camera to record privileged access to an area is often referred to as a “security camera”, and you are likely familiar with this usage. These same principles can and should be applied to the privileged access of electronic data. The privileged access to electronic data should be logged, and the logs should include from where the information was accessed, who accessed the information, what information was accessed, and at what time. Additionally, a more advanced auditing system could identify exceptions to policies and alert the appropriate personnel. In the same way as a security camera, this helps to enforce the proper usage and disposition of any protected property.
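The kind of audit described above, as an added example that is not part of the original post: each log entry records who, from where, what and when, and a small checker flags exceptions to policy. The log format, user names, permitted hours and network prefix are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed policy (assumption): who holds the privilege, when and from where.
PRIVILEGED_USERS = {"alice", "bob"}
ALLOWED_HOURS = (time(8, 0), time(18, 0))
ALLOWED_SOURCES = ("10.0.",)  # internal network prefix

# Constructed sample log: when|who|where|what|outcome
SAMPLE_LOG = """\
2008-09-22T09:14:03|alice|10.0.4.17|customers/1042/card|success
2008-09-22T23:41:55|bob|10.0.4.22|customers/2210/tax_id|success
2008-09-23T10:02:11|mallory|10.0.7.90|customers/1042/card|denied
2008-09-23T11:30:40|alice|203.0.113.8|customers/3301/email|success
"""

def parse_line(line):
    """Split one log line into the four audit questions plus the outcome."""
    ts, who, where, what, outcome = line.strip().split("|")
    return {"when": datetime.fromisoformat(ts), "who": who,
            "where": where, "what": what, "outcome": outcome}

def policy_exceptions(entry):
    """Return the list of policy rules this access violates (empty if none)."""
    reasons = []
    if entry["who"] not in PRIVILEGED_USERS:
        reasons.append("user lacks the privilege")
    if entry["outcome"] != "success":
        reasons.append("failed attempt")
    if not ALLOWED_HOURS[0] <= entry["when"].time() <= ALLOWED_HOURS[1]:
        reasons.append("outside permitted hours")
    if not entry["where"].startswith(ALLOWED_SOURCES):
        reasons.append("unexpected source")
    return reasons

def audit(log_text):
    """Return (who, what, reasons) for every entry that needs a human look."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            entry = parse_line(line)
        except ValueError:
            # A line that cannot be parsed is itself worth an alert.
            alerts.append(("?", line.strip(), ["unparseable log line"]))
            continue
        reasons = policy_exceptions(entry)
        if reasons:
            alerts.append((entry["who"], entry["what"], reasons))
    return alerts

if __name__ == "__main__":
    for who, what, reasons in audit(SAMPLE_LOG):
        print(f"ALERT {who} -> {what}: {', '.join(reasons)}")
```

Failed attempts are flagged as well as successful ones, matching the camera that records unprivileged people trying the door whether or not they get in.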

Information Integrity

When storing records electronically, although the data may be easier to access, it is also easier to modify, and this can be a problem.

In the 1980s, many school records were still being stored on paper. Although the records were more difficult to access, and definitely took up more space to store, a student couldn’t gain remote access to the records and make changes to grades without leaving some physical evidence behind.

Now that many records are only stored in an electronic format, it’s important to keep copies of all data and any changes in a remote and secure location. These backups can protect against disastrous data loss due to error or system failure, but also can protect the integrity of the data.

With a proper backup, one can regularly compare old versions of data with the current data to determine any changes that were made. This is often the way that schools currently find unauthorized changes in a student’s grades. This type of auditing and comparison should always be done on an archival backup before that backup is destroyed and replaced with a more recent version.

Simple logging of data changes to see if they are being made against policy is also important. The modification and destruction of protected data should always be strictly controlled and strictly monitored. It’s not enough to simply protect and log access to one’s data. The integrity of the data must also be preserved to ensure continuity of the data’s usage.

Some of the most important data to be protected against change and destruction is the auditing information itself.
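The backup comparison and the change logging described above can be combined, shown here as an added example that is not part of the original post: diff the archival backup against the current data, then report every difference that the change log does not account for. The grade records, keys and log entries are constructed, and the log is assumed to be held where the people it records cannot edit it.

```python
# Constructed data: grades in the archival backup and in the live system.
BACKUP = {"s1001/math": "B", "s1002/math": "C",
          "s1003/math": "A", "s1004/math": "D"}
CURRENT = {"s1001/math": "B", "s1002/math": "A",
           "s1003/math": "A-", "s1005/math": "B"}

# Constructed change log: changes made through the approved process.
# None means "record did not exist" (old) or "record was deleted" (new).
CHANGE_LOG = [
    {"key": "s1003/math", "old": "A", "new": "A-", "by": "registrar"},
    {"key": "s1005/math", "old": None, "new": "B", "by": "registrar"},
]

def diff_snapshots(old, new):
    """Return {key: (before, after)} for each added, removed or modified record."""
    changes = {}
    for key in old.keys() | new.keys():
        before, after = old.get(key), new.get(key)
        if before != after:
            changes[key] = (before, after)
    return changes

def net_logged_changes(log):
    """Collapse the log to its net effect per record: first 'old', last 'new'."""
    net = {}
    for entry in log:
        key = entry["key"]
        first_old = net[key][0] if key in net else entry["old"]
        net[key] = (first_old, entry["new"])
    return net

def unexplained_changes(old, new, log):
    """Differences between the snapshots that no logged change accounts for."""
    logged = net_logged_changes(log)
    observed = diff_snapshots(old, new)
    return {key: change for key, change in sorted(observed.items())
            if logged.get(key) != change}

if __name__ == "__main__":
    for key, (before, after) in unexplained_changes(BACKUP, CURRENT, CHANGE_LOG).items():
        print(f"UNEXPLAINED {key}: {before!r} -> {after!r}")
```

Run before the old backup is overwritten, this surfaces both the silently altered grade and the silently deleted record.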


One Response to “Privileged access and information integrity auditing”

  1. Christophe says:

    Thanks for evangelising the issue of data integrity. You are absolutely right with your conclusions, audit trails are a prime target for tampering and they must be protected, ideally independently from the privileged users. This is a clear security gap in most organizations. It remains so until pain is being suffered (evidence rejected in a litigation for example). There are specific techniques to protect audit data from tampering. This is our speciality at Kinamik Data Integrity. I am happy to discuss this topic with anyone who has an interest (cprimault(@)kinamik.com). Thanks.
