How to manage the risk of your high-risk users

Every network has high-risk users. Mitigating the risks they pose can be quite a challenge. Most point solutions only address part of the problem, leaving gaps in overall security. The product that Network World security blogger Richard Stiennon deemed "Best in Show" at the recent RSA Conference is an all-in-one solution designed to manage the risks posed by high-risk users. What's more, the hardened appliance form factor makes it easy to implement and use.

Every network has high-risk users. Typically, these users have broad access to the IT infrastructure and a high degree of technical knowledge. They might be internal or outsourced IT personnel, contractors, vendors or remote application developers. They know a lot about the IT systems and how they operate and might even possess "the keys to the kingdom" because they administer servers, networks, applications or databases. In fact, I might have just described … you.

Securing a network from the potential damage that can be done by high-risk users has been problematic. Even if such users have no intention of doing harm, there is still the need to monitor and report what they are doing in order to comply with regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act. There are plenty of point solutions that control what users can do or what applications they can access. While the point solutions are helpful, they have limited visibility into what's happening in real time and tend to leave gaps in coverage.

Some companies address the need by fashioning their own solution. Richard Stiennon, chief research analyst at IT-Harvest, gives the example of a large managed security service provider (MSSP) whose security operations center (SOC) people had access to customer firewalls and routers. Not wanting to expose the login credentials to critical network gear to too many people, the MSSP set up a proxy server. Each SOC engineer would log into the proxy server, which held the device credentials and logged the engineer into the appropriate customer's devices. The proxy server would record all keystrokes to ensure an audit trail of what the engineers were doing. While the audit trail was a nice tool, it was detective rather than preventive: it wasn't sufficient to stop an engineer from taking some action that he shouldn't.

The founders of Xceedium took note of these coverage gaps and designed an all-in-one solution that provides control and audit for high-risk users. The Xceedium GateKeeper is a hardened appliance that allows companies to remotely manage the activities of high-risk users from a central point to anywhere in the heterogeneous IT infrastructure. IT personnel can securely access critical IT resources – from inside or outside the organization – without leaving a footprint. This lets them perform their assigned jobs without having the ability to "stray" and do more than they should. Auditors can monitor all user events and view centralized reports for accountability and testing of controls.

In essence, GateKeeper is an electronic ankle bracelet for administrators. It fits into security best practices by taking care of the last loose end: the uberuser.

Stiennon awarded Xceedium his "RSA Best in Show" award in April, calling GateKeeper a "must-have technology." Stiennon likes the GateKeeper appliance because it productizes all the features and functions needed to monitor and remediate the actions taken by high-risk users. He says enterprises "would deploy Xceedium to quickly get privileged access under control."

To get started, an organization should identify the people who fall into the high-risk category. Once identified, these people are forced to log into the network by going through the Xceedium GateKeeper; in practice that means the target systems must accept administrative connections from the appliance alone, or the control can be bypassed. The appliance then uses company policies to control precisely what each user can do and which resources he can see or access. The policies can be very granular. For example, a database administrator can be restricted to reaching only the Oracle application on a specific blade server during certain hours of the day.

I mentioned that users don't leave a footprint. GateKeeper virtualizes a service and brings it to an integrated applet on the user's desktop. It is this technique that keeps him from accessing other areas of the network to which he has no access privileges. Xceedium calls it "anti-leapfrogging." That is, the user can't leave the special compartment that is created for him to do his work and use the granted host as a stepping stone to others.

GateKeeper tracks and logs everything a high-risk user does; all keystrokes and screens are recorded and reported upon for an easy audit trail. For this reason, organizations that require proof of compliance with PCI or HIPAA can benefit from Xceedium's solution. (Not all high-risk users are IT professionals; they might be doctors, nurses or other healthcare workers who should not have access to certain sensitive medical records, or retail clerks or merchants that are prohibited from handling credit card information.)

The appliance integrates with other devices and services in your security ecosystem. For example, it integrates with a variety of authentication services, including OpenLDAP, RSA SecurID, RADIUS, Active Directory and PKI/CAC. When a user logs into GateKeeper, his credentials are passed to the preferred authentication system(s) to confirm his identity.

GateKeeper can import policies from external sources, and policies can also be entered directly into the appliance. It then acts as the policy decision point to determine what a specific user can and cannot do. GateKeeper is also the policy enforcement point, so if a user tries to do something he doesn't have privileges for, the action can be terminated. It's also logged as a violation, and an alert can be triggered. The activity log can feed into SIEM systems for a more holistic look at security events on the network.
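The MSSP proxy described earlier, the granular policy (user, target, service, hours) and the decision/enforcement/alert flow in this section all fit one model. The following Python sketch is an added illustration of that model, not Xceedium's or the MSSP's code: the gateway brokers device credentials the engineer never sees, applies a default-deny policy with a time window, allow-lists the command verbs permitted inside the session, terminates the session on the first violation, and emits every event as a JSON line a SIEM collector could ingest. The users, hosts, credentials and rules are constructed for the example.

```python
"""Model of a privileged-access gateway: credential brokering, a policy decision
point with time windows, per-command enforcement, and an audit/alert stream.
Added example only; every user, host, credential and rule below is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    """Who may reach which service on which host, during which hours, with which verbs."""
    user: str
    host: str
    service: str               # e.g. "oracle", "firewall-cli"
    start: time                # inclusive start of the allowed window
    end: time                  # exclusive end of the allowed window
    commands: frozenset[str]   # allow-listed command verbs inside the session

    def window_open(self, at: datetime) -> bool:
        return self.start <= at.time() < self.end


# Constructed vault: the gateway holds device credentials; the engineer never handles them.
VAULT = {
    ("db01", "oracle"): ("sys", "constructed-dba-secret"),
    ("fw-cust-42", "firewall-cli"): ("admin", "constructed-fw-secret"),
}

# Constructed policy: a DBA may reach Oracle on db01 only during business hours.
POLICY = [
    Rule("alice", "db01", "oracle", time(8, 0), time(18, 0), frozenset({"SELECT", "ALTER", "SHOW"})),
    Rule("bob", "fw-cust-42", "firewall-cli", time(0, 0), time(23, 59), frozenset({"show", "ping"})),
]


@dataclass
class Gateway:
    policy: list[Rule]
    audit: list[dict] = field(default_factory=list)   # every event, allowed or denied
    alerts: list[dict] = field(default_factory=list)  # violations only, for the SIEM feed

    def _emit(self, **event) -> dict:
        self.audit.append(event)
        if event["outcome"] == "deny":
            self.alerts.append(event)
        return event

    def decide(self, user: str, host: str, service: str, at: datetime) -> Rule | None:
        """Policy decision point: default deny; the first matching rule whose window is open wins."""
        for rule in self.policy:
            if (rule.user, rule.host, rule.service) == (user, host, service) and rule.window_open(at):
                return rule
        return None

    def open_session(self, user: str, host: str, service: str, at: datetime) -> Session | None:
        rule = self.decide(user, host, service, at)
        creds = VAULT.get((host, service))   # brokered on the user's behalf
        ok = rule is not None and creds is not None
        self._emit(ts=at.isoformat(), user=user, host=host, service=service,
                   action="connect", outcome="allow" if ok else "deny")
        return Session(self, rule, creds, at) if ok else None


@dataclass
class Session:
    gw: Gateway
    rule: Rule
    creds: tuple[str, str]
    started: datetime
    active: bool = True

    def run(self, command_line: str, at: datetime | None = None) -> bool:
        """Policy enforcement point: record every command line, allow only listed verbs,
        and terminate the session (not just log) on the first violation."""
        at = at or self.started
        parts = command_line.split(maxsplit=1)
        verb = parts[0] if parts else ""
        allowed = self.active and verb in self.rule.commands and self.rule.window_open(at)
        self.gw._emit(ts=at.isoformat(), user=self.rule.user, host=self.rule.host,
                      service=self.rule.service, action="command", input=command_line,
                      outcome="allow" if allowed else "deny")
        if not allowed:
            self.active = False
        return allowed


def to_siem_line(event: dict) -> str:
    """Render one audit event as a JSON line for a SIEM collector."""
    return json.dumps(event, sort_keys=True)


def demo() -> dict:
    """Walk through the DBA scenario; returns the outcome of each step."""
    gw = Gateway(POLICY)
    noon = datetime(2009, 5, 4, 12, 0)
    late = datetime(2009, 5, 4, 23, 30)
    s = gw.open_session("alice", "db01", "oracle", noon)
    return {
        "in_window": s is not None,
        "select": s.run("SELECT * FROM orders", noon),
        "leapfrog": s.run("ssh 10.0.0.7", noon),       # not allow-listed: denied, session ended
        "after_deny": s.run("SELECT 1", noon),         # session already terminated
        "after_hours": gw.open_session("alice", "db01", "oracle", late) is None,
        "wrong_target": gw.open_session("alice", "fw-cust-42", "firewall-cli", noon) is None,
        "audit_events": len(gw.audit),
        "alerts": len(gw.alerts),
    }
```

The point the MSSP story makes is visible in `Session.run`: the keystroke log alone would have recorded `ssh 10.0.0.7` and let it through, whereas the enforcement point refuses it, closes the session and produces an alert. A real deployment would need the targets to accept connections only from the gateway, and the vault would be an encrypted store rather than a dictionary.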

Xceedium has a number of government and military customers, so the appliance has gone through the process of being certified to meet requirements for FIPS 140-2 Level 2, JITC PKI/CAC, and Common Criteria EAL2 and EAL3 (with EAL4 pending).

Xceedium has created a neat appliance that satisfies a lot of needs. GateKeeper is a purpose-built, automated, intelligent, all-in-one solution to fulfill the need for operational efficiency without compromising compliance and security requirements. It ties up the loose ends of how to corral high-risk users and keep them from abusing their privileges.

Learn more about this topic

RSA 2009 Best of Show

17 high-risk security threats (and how to fix them)

Compliance and regulation
