The Four A s of Access A practical guide to auditing an access process.

Transcription

1 The Four A s of Access A practical guide to auditing an access process. Ken Heskett, University of Michigan Objectives Understand access-related terminology and how you can use this information to help with your risk assessment Learn the four A s of Access: Ask,Approve,Act, and Audit Terminology and questions to help with risk assessment, audit planning, and report recommendations 1

2 Introduction Senior IT Auditor for University of Michigan Access and Accounts manager for U-M Academic department IT manager Desktop support manager for U-M central IT unit Technical support manager for Campus Computing Sites Served in USMC Holds a BA in Classical Archaeology and History from U-M and MBA from Walsh College Access in the Age of the Dinosaurs Implementation of Enterprise Resource Planning (ERP) systems starting just after System access thought to be simple and easy to maintain. Roles are used to manage what privileges are granted to the account. As of 2016: 164 Finance-related roles 221Human Resources-related roles 281Student-related roles And this does not include research and donor relations. 2

3 The Dinosaur Access Management System 11 FTEs grant/change/revoke access to ERP systems manually No integration of workflow system to access management, was a direct replacement for a paper-based system Confusing about what to ask for resulted in the retention of Unit Liaisons Training and Access/Compliance form requirements Secondary approvers to represent the data stewards Terminations were last priority Four A s of Access Ask Approve Act Audit I need access. An authority agrees that I need access. The access mangement team grants me that access. Does this guy really need this access any more? 3

4 Terminology Identity Are you in or are you out, with respect to your institution? Can have variations on being in. Authentication Are you who you say you are? Really? What else do you have to prove it? Authorization Are you allowed to see or do something? Who says so? Identity What must be true for somebody to be considered affiliated with the institution? What is the process for creating an identity? Who or what begins that process? How is identity taken away and when? What about visitors with other affiliations? 4

5 Accounts Identity is provided to information systems with an account. Multiple accounts can be associated with a single identity: Desktop Administrator Group Shared System Application Guest Accounts Production vs. non-production accounts Further identification common at colleges: Student Faculty Staff Contractors Alumni Visiting Scholars Retired or emeritus staff and faculty Non-user identities 5

6 Authentication What technology is used to authenticate? Is authentication specific only to the application? Is enterprise authentication (RADIUS, TACACS+, Kerberos) used? What if federated authentication (OpenID, Shibboleth, SAML) is used? Application-based Authentication Does a password complexity policy exist? What are the password requirements (length, complexity, history, expiration, and reuse between systems)? How are the passwords stored (i.e. are they encrypted, hashed, salted)? Who administers the system and are they using privileged credentials or an administrator account? 6

7 Enterprise Authentication What systems use enterprise authentication? Who is are the system administrators and how do they log into the enterprise authentication system itself? What happens should enterprise authentication fail? Be aware that even if enterprise authentication is used, there are probably application-level accounts in use, particularly system accounts. Federated Authentication There is less control within your institution, so what business agreements exist (and is there a right to audit)? How are passwords encrypted in transit outside of enterprise s network? What risks does another institution s authentication requirements present to your institution? What happens if federated authentication fails? 7

8 Multi-Factor Authentication Are multiple MFA allowed for the same identity and under what circumstances? What if somebody forgets their MFA device at home? Do exceptions to using MFA exist? How about people with disabilities? Authorization Is there documentation of that authority s approval? When does authorization expire? Is authorization ever reviewed and what is the reviewer looking for? Is authorization managed by groups (Active Directory or LDAP)? Are there groups nesting within groups with different or conflicting privileges? 8

9 Access Management as an ITIL Process Access Management at an Institution Policy is the foundation of the process and that policy should empower systems or data owners with the authority to grant/deny access to the systems or data that they are responsible for ISO and ISO are industry standards Access management can be a manual or automatic process Access management for operations is usually distinct from that of projects 9

10 Four A s of Access Ask Approve Act Audit Manual: Request Automatic: Entitlement Role Agreement to comply Training Business Need Granting access Modifying access Revoking access Who has access to what Appropriateness of access Terminated identities Ask How does somebody request access to something? Do people even know what they are asking for? Has this already been defined and by who? Manual process Is the process paper based, maybe workflow based (Lotus Notes, Sharepoint, Remedy, etc.), or uses the Hey, Joe? method? Automatic entitlements and role-based access Who decided that a particular role received what access? Was that approved by the data or system owner? Are entitlement ever reviewed and retired? 10

11 Ask How does somebody request access at your institution? Approve What policy drives the sharing or hoarding of information at your institution? How does a data owner decide if an identity has a business need for accessing something? Examples of approval step include: Agreement to comply with policy Training requirements for particular roles Approval from more than data owner, such as the requestor s manager When does approval for an identity s access end? Can an approver actually deny an access request? If they can, will they? 11

12 Approve What approvals are required in your institution? Act Separation of duties between authorizer and actor. Determine the access team s priority toward granting or revoking access and if it is aligned with the business function of the unit. Can access team refuse an inappropriate or abnormal request? May be automated: Who designed the automated process? Who approved the automated process? 12

13 Act How is access actually granted/changed/revoked at your institution? Audit If access is granted to an identity, is there a record of that access being requested and authorized? Is access granted to the access management team appropriate and approved? Is access that is granted appropriate to the type of identity? Is every person with access still affiliated with the institution? Do the customer service metrics agree with the data about the access process? 13

14 Audit How can you find out if someone still needs their access at your institution? Observations about the Four A s These are distinct steps because different people enable proper segregation of duties. Ask step is often simplified to Give me whatever Bob had, because the access request process is often poorly understood and documented for users. Approve step is sometimes over complex and each component should be examined for business value or risk versus cost. Act step balances needs of granting versus revoking access, depending on business requirements. Audit step should be used by people involved in the whole access process, not just auditors. 14

15 The Silent A How does your institution manage the death of an identity? Accounts may grant access to private communications, research data, and other information. Impacts on: A professor s students Fellow researchers Family Potential donors Death takes away the primary detective control the account s user. Other Observations The access process has a dual nature in customer service and information security. Auditors can objectively evaluate existing control points for business value and recommend the addition to controls as well as the removal of controls. Principle of Least Privilege and Segregation of Duties should guide an audit, but should understand the risk appetite for a particular institution. If you cannot determine segregation of duties, who can help you figure that out? 15

16 Trends in Access Automation and increasing role-based provisioning. Access management by sensitivity. Maybe more permissive access for employees, but active detective controls through automated auditing tools. Auditors will need to examine the decision and review process for role-based provisioning. Network access controls (including 802.1x) could provide another method of network authentication, particularly for mobile devices. Do you have any questions or war stories regarding access management audits? 16

17 One Final Thought 17