Mitigating Credential Theft - Using Hospital Protocols as an Approach Part 2

March 9, 2016 by Allen Broken, Principal Security Architect

In my last post (http://bit.ly/1SxQcK4) I talked about the idea of adopting a model of IT systems management that matched how a hospital deals with sick patients. In this post, I’ll be detailing solutions for adopting this model in a corporate network.

First off, we need our administrators to ‘suit up’ before interacting with the general population. Every systems administrator needs a clean-source-built Secure Administrator Workstation (SAW) designed specifically to protect the use of their administrative credentials. Use of the SAW should be paired with limiting the scope of those administrative credentials, so that local administrative privileges on end-user systems are granted on a one-off basis. An administrator working from a protected system with a credential whose password rotates after each use is a lot like a physician in scrubs who throws away gloves and sanitizes hands between patients.

That’s a good solution for individual workstation administration, but what about my SQL DBAs or virtualization admins? They have access to highly sensitive systems and could do serious damage if their credential access is not managed properly. They still need the SAW described above, but do they need permanent admin access active 24x7x365? In most cases they don’t, so instead we can set them up to check out their access for a defined time period and for a defined case, just as a hospital checks out medications for a particular patient at a particular time under particular orders. I see Administration on Demand as a perfect solution for this class of administrator; combined with a purposeful SAW deployment, it will help prevent the loss of their credentials.
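To make the checkout model concrete, here is a small access-broker model written for this post (it is example code, not Ascent's, Microsoft's or any product's implementation): an admin checks out a host's admin password against a case id for a bounded window, the credential stops authenticating once the window closes, and the password is rotated the moment the checkout is closed, which is the rotate-after-use behaviour from the previous paragraph. The host names, case ids, the four-hour ceiling and the audit line format are all assumed.

```python
"""Toy model of 'Administration on Demand': time-boxed, per-case checkout of a
host's admin credential, with automatic expiry and rotation on check-in.
Example code added to this post; not a product implementation."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

MAX_TTL = timedelta(hours=4)   # assumed policy ceiling for one checkout
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Checkout:
    admin: str
    host: str
    case_id: str        # the "order" the access was issued under
    password: str
    expires_at: datetime


class AccessBroker:
    """Hands out per-host admin passwords one checkout at a time."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        # Injectable clock so expiry can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._vault: Dict[str, str] = {}          # host -> current admin password
        self._active: Dict[str, Checkout] = {}    # host -> open checkout
        self.audit: List[str] = []                # what a SIEM would ingest

    def _rotate(self, host: str) -> str:
        """Replace the host's admin password; the old one is never valid again."""
        self._vault[host] = "".join(secrets.choice(ALPHABET) for _ in range(24))
        return self._vault[host]

    def request(self, admin: str, host: str, case_id: str, ttl: timedelta) -> Checkout:
        """Issue a fresh credential for a named case and a bounded window."""
        if not case_id.strip():
            raise PermissionError("checkout must reference a case")
        if not timedelta(0) < ttl <= MAX_TTL:
            raise PermissionError(f"ttl must be between 0 and {MAX_TTL}")
        if host in self._active:
            raise PermissionError("host already checked out; check it in first")
        co = Checkout(admin, host, case_id, self._rotate(host), self._now() + ttl)
        self._active[host] = co
        self.audit.append(f"CHECKOUT admin={admin} host={host} case={case_id} "
                          f"expires={co.expires_at.isoformat()}")
        return co

    def authenticate(self, admin: str, host: str, password: str) -> bool:
        """What the target host asks before honouring an admin logon."""
        co = self._active.get(host)
        if co is None or co.admin != admin or not secrets.compare_digest(co.password, password):
            self.audit.append(f"DENY admin={admin} host={host} reason=no-active-checkout")
            return False
        if self._now() >= co.expires_at:
            self.check_in(host, reason="expired")   # window closed: credential dies
            return False
        return True

    def check_in(self, host: str, reason: str = "returned") -> None:
        """Close the checkout and throw the gloves away: rotate the password."""
        co = self._active.pop(host, None)
        if co is None:
            return
        self._rotate(host)
        self.audit.append(f"CHECKIN admin={co.admin} host={host} case={co.case_id} reason={reason}")

    def current_password(self, host: str) -> Optional[str]:
        return self._vault.get(host)


def demo(clock_start: Optional[datetime] = None) -> Dict[str, object]:
    """Walk one DBA through checkout, a valid logon, expiry and rotation."""
    clock = [clock_start or datetime(2016, 3, 9, tzinfo=timezone.utc)]
    broker = AccessBroker(now=lambda: clock[0])
    co = broker.request("dba1", "sql01", "INC-1234", timedelta(hours=1))   # constructed
    ok_inside = broker.authenticate("dba1", "sql01", co.password)
    clock[0] += timedelta(hours=2)                        # the window has closed
    ok_after = broker.authenticate("dba1", "sql01", co.password)
    rotated = broker.current_password("sql01") != co.password
    try:
        broker.request("dba1", "sql02", "   ", timedelta(minutes=30))   # no case: refused
        denied_without_case = False
    except PermissionError:
        denied_without_case = True
    return {"ok_inside": ok_inside, "ok_after": ok_after, "rotated": rotated,
            "denied_without_case": denied_without_case, "audit": broker.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit lines are the part a defender cares about: every CHECKOUT carries a case id and an expiry, so an admin logon on a host with no matching open checkout, or after its expiry, is a detection in its own right. In a real Active Directory deployment the same shape is delivered by time-bound group membership (Windows Server 2016 Privileged Access Management) for the checkout window and LAPS-style rotation for the throw-away credential.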

So finally, what about the Active Directory Administrators themselves? In the hospital analogy, they represent the Pharmacists and Active Directory is the pharmacy. It allocates access to the powerful controls which must be tightly managed. Coupling the SAW from above with a specific clean source build of Active Directory is the final step to adopt a similar model to healthcare. Fundamentally, this model removes the accounts used for Active Directory administration from the general population and ensures they only interact with Active Directory in the most secure manner possible.

None of this is a single product or control; it is a fundamentally different operating model. With this model, I.T. assumes breach in EVERY interaction and takes appropriate precautions to ensure that a breach does not spread. More importantly, the accounts and activities with the greatest potential for harm are the most tightly controlled. From a risk management perspective, it puts the most investment in the most sensitive areas while largely leaving the end user population to function as normal.

I believe this model is THE answer to the current credential theft problem. I see great value in Microsoft’s Securing Privileged Access strategy (https://technet.microsoft.com/en-us/library/mt631194.aspx). Microsoft’s strategy provides the framework that we at Ascent Solutions use to implement this model for our customers, but the Microsoft model can only go so far. They do provide hardware like the Surface Book or Surface Pro, which are fine end user devices. However, there isn’t a Microsoft-provided hardware option for ensuring Active Directory itself has a clean-source, highly secure physical platform to run from. That’s why I’m so very excited about Ascent’s partnership with SkyPort Systems. With the Skyport SkySecure Appliances we can deliver this model end-to-end as a turn-key solution for hardening a customer’s Active Directory environment in the fastest manner possible. I’ll write more about this in a later blog entry, but in the meantime, check out their website to learn more about this incredibly powerful solution (www.skyportsystems.com).