User Rights Management
User rights management is a security feature controlling which resources (e.g., assets, applications, data, devices, files, networks, systems) a user can access and what actions a user can perform on those resources.
User rights management typically entails the following:
- Creating a rights profile granting privileges to access specific resources and perform particular actions.
- Creating groups and/or roles.
- Assigning groups or roles to a particular rights profile, so that they inherit the profile’s rights.
- Assigning individual users to one or more groups and/or roles.
- Adding, updating or deleting profiles, groups, roles, or users.
Too often, that is the full extent of the user rights management process.
Limitations of typical user rights management
The exponential growth of a global information economy means that an ever-increasing amount of personal data is collected, used, exchanged, analyzed, and retained in a global footprint of IT resources (including databases, and cloud, virtualization, and big data sites).
And that creates three critical drivers limiting the effectiveness of typical user rights management:
- Increased assignment of overly-broad user rights to groups, roles, and individuals to ensure they can do their job without triggering security alerts or being blocked from necessary resources.
- Increased use of bring-your-own device in the workplace.
- Increased incidents of data breaches, incorrect or lost data records, and data misuse due to a user’s intentional, accidental, or compromised action. (See Insider Threats and Privileged User Monitoring for more information.)
With each high-profile incident, there is increased public demand for organizations to ensure the privacy, integrity, and security of personal data entrusted to their care. At the same time, SOX, HIPAA, PCI, GDPR, and other compliance regulations demand that organizations provide complete visibility into and an uninterrupted record of what data is accessed or changed, when, and by whom.
Simply assigning groups, roles, and individuals to a rights profile will not meet these public and compliance demands. What’s needed is a more expansive user rights management system.
Expanding user rights management
Robust user management requires a combination of policies, procedures, and technologies. Some options include:
Privilege Management: Ensure appropriate user privileges, according to principle of least privilege, based on functional unit, role, and duties. Revoke excessive user rights and remove dormant users.
Separation of Duties: Ensure privileged users cannot monitor themselves, since they can alter security controls to conceal their irregular activities.
Behavioral Analysis: Create a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; and then spotlight the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.
Authentication: Authenticate both the user and bring-your-own devices attempting to access resources.
Detection, Alerting, and Blocking: Provide real-time monitoring and auditing of data usage, including the “who, what, when, where, and how” of the transaction. Alert and report any deviations from corporate policy or behavioral baseline profile, which may indicate privilege abuse. Block user access when unusual activity is detected and then review user’s privileges.
Privileged User Access: Monitor all privileged user access to files and databases (including local system access). Review new user creation and newly granted privileges. Restrict usage of shared-privileged accounts.
Unauthorized Changes: Verify that changes to data objects and data systems are properly authorized. Unauthorized activities should be thoroughly investigated and controls should be implemented to prevent future incidents.
Honey Pot: Leverage strategically-placed hidden files to detect compromised users and block the infected user or endpoint if there are any write or rename actions on the deceptive files.
Audit reports and analytical tools are needed to support forensic investigations and incident responses. They are also required to demonstrate compliance with regulations set by lawmakers and industry-specific groups.
Audit Details: Capture the raw access query and associated system response to help identify the ‘who, what, when, where, and how’ of data access and changes. That information, in turn, helps data security and forensic personnel determine whether access was authorized or unauthorized, and whether changes were in scope, accidental, or intentionally malicious.
User Accountability: Correlate each data access event to a specific user, which acts as a deterrent against data tampering since the user is easily identified.
Audit Trail Integrity — Ensure that privileged users cannot change the content of the audit trail to conceal irregular activities. This helps organizations comply with requirements for separation of duties.
Use real-time alerts and auditing details to identify trends, patterns, and risks associated with data access. Prioritize open incidents by both severity and specific user, server, or client host. Drill deeper into a specific incident to determine data access and usage, compare with behavioral baseline profile, and then close the incident, whitelist the authorized behavior, or revoke user privileges.
Learn how Imperva solutions can help you enable robust user rights management.