Why access control is security's most critical battlefield
When my manager summoned me to his cubicle, he looked like a washed-out pug. I had my degree in security and a couple of years of experience by then. I was advising on over 20 projects, firing on all cylinders.
"I need you to look into this ticket. I know how it looks, but we have to do this."
I read the issue, frowning, my head tilted sideways. Silence. He knew what I meant. "What the hell." Then I stormed off. The requester's desk was on my way to the coffee machine anyway. I fixed the problem in 30 seconds... And I got a candy cane for my effort.
It's not that I am a genius. The ticket was from an employee getting an "Access denied" on a document in her own "Documents" folder. Users have full control of that folder, so they can simply fix the permissions themselves.
Why did that escalate to me? The poor woman had been bounced around email threads for days. Security analysts had reacted dismissively. Then it fell into "not in my job description" politics.
So, how can a 30-second problem become a 2-week service ticket that bounces between five people and ends only when a manager takes one for the team?
Because access controls are not sexy, and that woman had the un-sexiest problem of access controls: a stupid one.
Yet access controls are the most important controls you have to protect your data. This week,
- I will convince you of this fact,
- explain why we perceive access issues as menial,
- and how we can defeat this perception (with arguments, not candy canes).
The toilet analogy
My most famous analogy is that access management is like cleaning toilets. Nobody notices your work until you do it wrong.
Access management is a losing game, politically, because most people (96% to be precise) are trustworthy. "Why do you restrict access to my direct report, we've signed a code of ethics, you have to trust your employees!" I hear that every week. We are imposing a major inconvenience which makes people feel like children.
It's a lot of pedagogy. The technical part is already complex enough, but we also have to explain to individuals that these restrictions are not about them: they limit what a threat actor who takes over their identity can reach, so that one compromised account cannot ravage the whole company.
What makes it worse is that organizations breathe and live. As a baseline, my organization processes about as many "staffing events" every year as it has employees! Interns, consultants, transfers, leaves, terminations, hires... Every change requires an access review. I'm not even counting reorgs, which happen all the time on a whim! Trust me, every manager will forget to create the access tickets that keep your systems in step with the reorg.
What does that leave you with?
- Employees feel distrusted;
- Employees must deal with complexity;
- Access changes all the time, and lags the actual change;
- Managers don't follow the procedures that trigger the access tickets.
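The lag between a staffing event and the access that should follow it is something you can measure rather than guess at. The following is an added example, not code from the original post: a minimal joiner/mover/leaver reconciliation that compares an HR roster (the source of truth for who works here and in which department) against the access a system actually grants, and flags the three classic lags, a terminated employee who still holds access, a transferred employee who kept their old department's access, and an identity that holds access but does not exist in HR at all. The roster, the grants, the group-to-department mapping and every field name are constructed sample data and assumptions, not any real HR or IAM schema.

```python
"""Added example (not the original post's code): joiner/mover/leaver reconciliation.

Compares an HR roster against exported access grants and reports access that
lags a staffing event. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Worker:
    user: str
    dept: str
    status: str        # assumed values: "active" or "terminated"
    last_change: date  # date of the most recent staffing event for this person


@dataclass(frozen=True)
class Grant:
    user: str
    group: str
    granted: date      # when the system recorded the grant


# Constructed roster: one untouched employee, one transfer, one termination.
ROSTER = [
    Worker("alice", "finance", "active", date(2023, 1, 10)),
    Worker("bob", "engineering", "active", date(2024, 3, 1)),   # moved from finance
    Worker("carol", "finance", "terminated", date(2024, 2, 15)),
]

# Assumed ownership model: each group belongs to exactly one department.
GROUP_OWNER = {
    "fin-ledger-rw": "finance",
    "fin-ledger-ro": "finance",
    "eng-repo-rw": "engineering",
}

# Constructed grants, as an export from the target system would look.
GRANTS = [
    Grant("alice", "fin-ledger-rw", date(2023, 1, 12)),
    Grant("bob", "fin-ledger-rw", date(2022, 6, 1)),        # survived his transfer
    Grant("bob", "eng-repo-rw", date(2024, 3, 2)),          # legitimately new
    Grant("carol", "fin-ledger-ro", date(2023, 9, 1)),      # survived her termination
    Grant("svc-legacy", "fin-ledger-rw", date(2021, 1, 1)), # nobody in HR owns this
]

# Fixed "today" so the lag figures are reproducible.
TODAY = date(2024, 4, 1)


def reconcile(roster, grants, group_owner, today):
    """Return (user, group, finding, days_lagging) for every grant that should
    have been reviewed after a staffing event. days_lagging is None for orphans,
    since there is no HR event to measure against."""
    by_user = {w.user: w for w in roster}
    findings = []
    for g in grants:
        w = by_user.get(g.user)
        if w is None:
            findings.append((g.user, g.group, "orphan: identity not in HR roster", None))
            continue
        lag = (today - w.last_change).days
        if w.status == "terminated":
            findings.append((g.user, g.group, "leaver: access outlives termination", lag))
            continue
        owner = group_owner.get(g.group)
        # A mover is a grant for another department's group that predates the
        # person's latest staffing event: the reorg happened, the ticket did not.
        if owner is not None and owner != w.dept and g.granted < w.last_change:
            findings.append(
                (g.user, g.group, f"mover: {owner} access kept after transfer to {w.dept}", lag)
            )
    return findings


if __name__ == "__main__":
    for user, group, finding, lag in reconcile(ROSTER, GRANTS, GROUP_OWNER, TODAY):
        print(f"{user:12} {group:15} {finding} (lagging {lag} days)")
```

Run against a real export, the interesting number is the lag column: if leavers routinely sit at 30+ days, the termination process is not wired to access, and if movers pile up after every reorg, nobody is creating the tickets this section complains about.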
I'll let your imagination run wild on how we could expand the toilet analogy to define this minefield.
Compliance loves access controls
What's ironic about the distaste for access management is that reviewing the effectiveness of access controls is one of compliance's main jobs. Compliance is not sexy either (that's another article topic for the future), but it drives engagement from senior management, the board, and regulators. In other words: it's a big deal not to be trifled with.
Think of SOC 2, SOX, and SEC regulations (read these acronyms out loud, fast). At their core, the separation of duties that access control enforces is what prevents fraud and keeps the accounting books honest.
Access management is necessary to run a large business in compliance.
So, why do people still dislike it? Despite automation efforts, organizational changes get so messy that anyone involved in an audit will spend hours stitching together a pile of tickets to make sure they tell an accurate story.
Imagine selling that to a bunch of college students who dream of being pentesters with their Hackerman hoodies.
Unpopular opinion: getting access management right matters more than whatever DOM-based reflected XSS you can string together.
Especially given that...
A new wave of social engineering changes the game
The 2023 MGM and Caesars breaches paralyzed Vegas. The initial point of entry was gained by a group called Scattered Spider. Even the FBI is freaking out about them!
Scattered Spider's edge is not technical sophistication. Their main asset is native English speakers who are convincing on the phone. They don't need to break in: they call the help desk, pose as IT staff or as the employee, and bullshit their way into a password reset or an MFA re-enrollment on a real user account.
And then they cash in, either by working with a ransomware crew or by selling the foothold to criminals who deploy the ransomware themselves.
Conventional detection measures focus on credential attacks (for good reason, they represent over 70% of attacks). But once the help desk has reset a password or MFA for the caller, the attacker holds a legitimate account and logs in normally, so nothing that watches for password spraying or brute force fires. This escalating social-engineering pattern puts the pressure back on access segmentation: what limits the damage is how little that one account can reach, and how hard it is to escalate from it. Scattered Spider seeks higher access and obtains it sooner because they attack human weaknesses, not software ones.
I keep hammering on this: malware research is cool, but it does not stop emerging threats like Scattered Spider (who have a cool name).
How about you, do you have any access management horror story?
If you like my content, subscribe to the newsletter with the form below.
Cheers,
Pierre-Paul