The Magic of Tidying Up Your Directories
Author: Patrick Parker
We’ve all, at some point, ignored the clutter in our home until it built up and became a nuisance. The difference between clutter in your home and clutter in your corporate directories and applications is that excess privileges and orphaned identities act as a backdoor for attackers into your systems. Privileged identities give attackers a way around your network security; they are the oily rags stacked next to your most valuable stored items, ready to catch fire. With this image in mind, it is easy to see that privilege clutter must be addressed quickly and effectively.
Given the risk and importance of this task, maybe we need a fresh approach, one not constrained by popular IT practices that may have outlived their usefulness. For a source of innovative ideas, we need look no further than a recent trend for decluttering our own homes and lives. Marie Kondo rose to fame for her revolutionary approach to home organization and decluttering. Known as the KonMari Method™, it departs from the traditional method of tidying up room by room. The shortcoming of the room-by-room approach is familiar to us all: by the time you finish, you are back where you started, forever picking away at piles of clutter.
KonMari encourages tidying by category, not by location, and keeping only those things that speak to the heart, discarding items that no longer “spark joy.” The items are thanked for their service and then let go. Let’s explore whether we can apply the six rules of KonMari to create a new way to assess the mess and decommission dangerous standing privileged access that no longer brings joy to your security team and auditors.
RULE 1: Commit Yourself to Tidying Up
The first rule of KonMari is much simpler to follow at home than in a corporate IT setting. At home there are fewer people to convince; it comes down to you deciding to put in the effort and sticking with it. Organizations tend to be large and complex, and IT manages privileged identities in applications and systems scattered across many departments. Tidying up privileged identities will inevitably require new processes, which may be perceived as barriers slowing down developers and system admins accustomed to standing privileged access. Getting all the necessary stakeholders on board across these departments requires a sponsor with enough “Executive Juice” to win the cooperation needed to decommission access and to ensure adoption of the new processes for privileged access. And just as decluttering your home is not a one-and-done project, decluttering privileged access must become a new hygiene habit, a “program” that continues after the initial cleaning.
RULE 2: Imagine Your Ideal Lifestyle
The goal of decluttering is not to clean up privileged access just in time to pass the annual audit. Decluttering is meant to be a lifestyle change which, in IT terms, means a new way of working: a set of processes and procedures to reach and maintain an idealized goal. That goal will differ for each organization based on its industry regulations, national laws, and tolerance for risk. One helpful way to map out your idealized end state is to classify the different types of privileged access and the risk each type represents to the business. This leads to productive discussions about what counts as a tolerable, “managed” risk and what should be prevented entirely. A good starting point is to have at least two broad categories of privileged access. The first, “Privilege Clutter,” is well-managed standing privileged access controlled by a PAM system. How much clutter each person finds acceptable varies widely, and the same can be said for different organizations’ comfort with the risk represented by shared privileged access.
On the other hand, privileged access represented by dormant, orphaned, and unmanaged identities could be considered “Privilege Garbage.” Most people will agree that it isn’t acceptable to have garbage lying around, and the same goes for an organization’s riskiest entry point for attackers: unmanaged and uncontrolled privileged identities.
RULE 3: Finish Discarding First
Discarding is an essential aspect of the KonMari method not just because it is the act of eliminating clutter, but more importantly, it allows you to focus more of your energy on the things you decide to keep. It also changes how you acquire new objects and the consideration they are given.
This rule applies directly to security, where a well-known mantra is that less is more. It is much easier to manage and monitor a small number of privileged identities than many. Detecting abnormal behavior or an account takeover becomes as unlikely as finding the proverbial needle in a haystack when an organization is cluttered with too many privileged admin identities.
The second part of the rule, about the consideration given when acquiring new objects, is also good advice: organizations should visualize and streamline the process by which privileged access is requested and revoked. Admins and developers should not feel overly burdened when requesting privileged access. Still, a request mechanism, preferably a shopping-cart style system, should be in place so that new access is given proper consideration and can be reviewed, renewed, expired, or revoked in a timely manner.
RULE 4: Tidy by Category, Not by Location
This rule contradicts the common practice of focusing cleanup efforts system by system. Instead, KonMari would organize the cleanup by the type of privileged access or identity. The justification is that people store the same kind of item in many different rooms, so the room-by-room approach repeats the same type of work in many locations, which is less efficient than completing one type of work before moving on to the next.
A risk-based interpretation of category would audit and eliminate unneeded directory-wide or system-wide superuser access first and then proceed down the risk ladder to the lower tiers: sensitive database and file servers, then application servers, and finally user desktop PCs. Another category-based approach would tackle personally owned privileged identities first, then shared privileged identities, followed by service and application identities, and finally the hard-coded privileged usernames and passwords embedded in DevOps automation and applications. Whichever category-based approach you choose, the benefit is reducing risk quickly across the enterprise’s entire on-premises and cloud landscape instead of the slower system-by-system approach.
RULE 5: Follow the Right Order
Following the proper order means starting with the easier categories and working your way up to the more difficult ones. Avoiding what is known as the “Phase 1 High Bar” is a well-known strategy and a must for successful identity-related projects. This approach gives the team time to mature its skills as a unit on less complex “quick wins.” With a few successes under its belt, the team will have the experience and management’s confidence to proceed into riskier and more complex areas.
For your privileged access decluttering program, your system-wide superusers will likely be the simplest to clean up and bring under proper controls. At the far end of the difficulty spectrum is identifying and cleaning up the embedded privileged usernames and passwords used by DevOps and automation. Rule five should be strongly heeded: ignoring it is second only to ignoring rule one (a lack of executive juice) as the most likely cause of project failure.
RULE 6: Ask Yourself if It Sparks Joy
The last rule is undoubtedly the one that has garnered the KonMari approach the most fame and attention from the press. In rule six, we are instructed to ask ourselves if the item in question “sparks joy” within us. Marie Kondo says that joy is personal, and everyone will experience it differently. This may sound silly since we’re discussing privileged access and not family heirlooms, but each organization must own the definition of success for its decluttering program. For privileged access, it is useful to classify types of access as either “joyful” or “joy killers.”
Joy killers are the “Privilege Garbage” we discussed before. These dormant, orphaned, and unmanaged privileged identities serve no productive purpose. They accumulate over time, remain undetected, and expose your organization to the risk of an attacker using them for malicious purposes. They should be discarded early in your program to quickly bring joy to your audit department.
Joyful access is the access that keeps the organization’s applications and IT staff running smoothly and enables daily progress. This is likely to be the well-managed privileged identities controlled by your PAM system, such as rotated service identities and recorded, monitored break-glass administrative accounts.
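To make the “Privilege Garbage” versus “Privilege Clutter” split from Rule 2 concrete, and to show how Rule 4’s category ordering turns into a worklist, here is a small Python classifier added for this post (it is not the author’s tooling or any PAM product’s code). It runs over a constructed directory export; the field names, the 90-day dormancy threshold and the scope-to-tier mapping are assumptions you would replace with your own AD/IdP/PAM exports and policy values.

```python
"""Sort privileged identities into "Privilege Garbage" and "Privilege
Clutter" and build a category-ordered cleanup worklist.

Added example for this post, not the author's own tooling. The export
fields, the 90-day dormancy threshold and the scope-to-tier mapping are
assumptions; substitute your own AD/IdP/PAM exports and policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Rule 4 risk ladder: lower tier number = higher risk = cleaned up first.
# (scope labels are assumed for this example)
TIER_OF_SCOPE = {
    "domain": 0,      # directory- or system-wide superuser
    "database": 1,    # sensitive database servers
    "fileserver": 1,  # sensitive file servers
    "appserver": 2,   # application servers
    "desktop": 3,     # user desktop PCs
}

# Second Rule 4 ordering: personal -> shared -> service -> embedded creds.
KIND_ORDER = {"personal": 0, "shared": 1, "service": 2, "embedded": 3}

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # key of KIND_ORDER
    scope: str                      # key of TIER_OF_SCOPE
    last_logon: Optional[datetime]  # None = no evidence of use at all
    owner: Optional[str]            # accountable person; None = nobody recorded
    vaulted: bool                   # True if the PAM system controls it


def classify(ident: Identity, active_people: set, now: datetime):
    """Return (bucket, reason); bucket is "garbage" or "clutter".

    Checks run in order: usage, then ownership, then PAM enrolment.
    The first failing check wins, so a dormant orphan reports "dormant".
    """
    if ident.last_logon is None or now - ident.last_logon > DORMANT_AFTER:
        return "garbage", "dormant"      # standing privilege nobody uses
    if ident.owner is None or ident.owner not in active_people:
        return "garbage", "orphan"       # owner left or was never recorded
    if not ident.vaulted:
        return "garbage", "unmanaged"    # used and owned, but outside PAM control
    return "clutter", "managed"          # standing access, but under PAM control


def build_worklist(identities, active_people, now):
    """Garbage before clutter; within each, Rule 4 tier, then identity kind."""
    rows = [(ident, *classify(ident, active_people, now)) for ident in identities]
    rows.sort(key=lambda r: (r[1] != "garbage",
                             TIER_OF_SCOPE[r[0].scope],
                             KIND_ORDER[r[0].kind],
                             r[0].name))
    return rows


def summarize(rows):
    """Count identities per reason, e.g. {"dormant": 1, "managed": 2}."""
    counts = {}
    for _, _, reason in rows:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample export (not real data). Only alice and bob are still
# employed; carol has left, but her admin account was never removed.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACTIVE_PEOPLE = {"alice", "bob"}
SAMPLE_EXPORT = [
    Identity("alice-admin", "personal", "domain", NOW - timedelta(days=2), "alice", True),
    Identity("carol-admin", "personal", "domain", NOW - timedelta(days=400), "carol", True),
    Identity("dba-shared", "shared", "database", NOW - timedelta(days=1), "bob", False),
    Identity("svc-backup", "service", "fileserver", NOW - timedelta(days=5), None, True),
    Identity("deploy-token", "embedded", "appserver", NOW - timedelta(days=3), "alice", False),
    Identity("helpdesk-local", "shared", "desktop", NOW - timedelta(days=10), "bob", True),
]

if __name__ == "__main__":
    worklist = build_worklist(SAMPLE_EXPORT, ACTIVE_PEOPLE, NOW)
    for ident, bucket, reason in worklist:
        print(f"{bucket:8} {reason:10} tier={TIER_OF_SCOPE[ident.scope]} "
              f"{ident.kind:9} {ident.name}")
    print(summarize(worklist))
```

On the sample export the worklist puts the departed admin’s domain account first, then the unvaulted shared database account, the ownerless backup service account and the hard-coded deployment credential, and only then the two PAM-controlled accounts that are merely clutter. Because the checks short-circuit, an identity that is both dormant and orphaned surfaces once, as dormant; either way it is discarded rather than reviewed, which is the point of Rule 3.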
Whatever your definition of joy, following these six simple rules will deliver a well-organized, more secure, and tidy privileged access environment to your IT executives and stakeholders.