When it comes to handling insider security threats, gaming industry IT professionals face challenges that set them apart from peers in other markets, writes Philip Lieberman.
-High volumes of sensitive payment and player data make your network an irresistible target for hackers and thieves.
-In an effort to administer large numbers of servers and applications with limited staff, IT groups in many large casinos choose easily-remembered, shared, never-changing passwords that leave a gaping security hole: if you know one password you might know them all.
-Casinos experience high staff turnover in prime destinations such as London, where large pools of employees handle similar tasks in businesses that are adjacent to one another. As a result some organisations lose and gain as many as hundreds of employees each week. IT professionals in these organisations also change jobs on a regular basis, giving them the opportunity to take sensitive insider knowledge out the door.
Unfortunately access standards can be nearly impossible to uphold because conventional identity and access management (IAM) systems don’t manage or control the privileged identities present on your network. Privileged identities are the so-called “super user” accounts that grant IT staff full-time, anonymous access to data and configuration settings virtually everywhere on your network:
-Privileged logins used by IT managers, helpdesk personnel, network engineers, database administrators, application developers, vendors and contractors grant unmonitored access to computer hardware, line-of-business applications, databases, directory services, and nearly every other IT asset.
-“Super-user” credentials that are often hard-wired into custom and packaged software applications grant access to databases, middleware and other application tiers. These credentials are seldom if ever changed, and can be misappropriated by developers, contractors and administrators to gain anonymous access to player and financial transaction records.
-Software service accounts can also require privileged logins to run, and unless frequently changed can provide unmonitored access to those who know the credentials.
Witrhout automation, it’s simply not practical to detect the presence of all the privileged accounts on your network – or to control and audit their use. Imagine, for example, when a senior IT staffer resigns his job and moves to a competing casino. While you can monitor his conventional user activity through your existing identity access management systems, you probably lack the tools to know precisely what super-user access the staffer requested to view and copy transaction data or change configuration settings in the days and months before his or her departure.
Taking Control
Fortunately privileged identity management software can automate the discovery, hardening, control and monitoring of all types of privileged accounts. These solutions can be deployed quickly even on the largest corporate networks, continuously securing privileged identities through a four-step process (abbreviated as I.D.E.A.):
-IDENTIFY and document all critical IT assets, their privileged accounts and interdependencies.
-DELEGATE access to credentials so that only authorised personnel, using least privilege required, with documented purpose, can login to IT assets in a timely manner at designated times.
-ENFORCE rules for password complexity, diversity and change frequency, synchronizing changes across all dependencies to prevent service disruptions.
-AUDIT and alert so that the requester, purpose, and duration of each privileged access request is documented and management is made aware of unusual events and requests.
Privileged identity management software can automatically track privileged identities that appear on new and changed hardware and applications as they’re deployed on your network; secure all privileged passwords according to your policies; enable rapid password recovery so that IT staff can perform routine services and emergency repairs whenever necessary; and change each privileged password immediately after use to prevent unaudited access.
Choosing the Right Solution
Your choice of a privileged identity management solution should start with an honest discussion among all process stakeholders including the CSO, CIO, IT administrators, and anyone else involved in the management of sensitive accounts. The key stakeholders should be those that will suffer the most damage should the solution take too long to implement, unnecessarily add to staff workloads, or provide insufficient coverage. Define your project goals and then determine who on the team is best suited to determine whether each vendor’s proposed solution is really a fit.
You’d never choose a doctor based solely on cost, nor would you trust a physician who writes a prescription before taking the time to diagnose your condition, check your medical history, and perhaps run some tests. The same holds true for choosing a privileged identity management vendor. Expect your software vendor to provide:
-A detailed, written analysis of your organisation’s security and business goals;
-Explicit documentation of your needs with respect to systems, applications, and management lines of control;
-A trial evaluation of the proposed solution in a test environment with a realistic mix of your target systems and applications;
-A clear statement of work that details the time and cost required to bring unsecured privileged accounts present in your target systems and applications under control.
News stories of insider data theft offer plenty of motivation to secure the privileged identities on your network. Fortunately with the choice of the right solution you can close this insider security threat quickly and at a reasonable cost.
A senior IT executive at a large casino told us that automating the process through a single, centralised console was like “a whole new world,” eliminating what were once time-consuming, error-prone steps that teams of IT staffers took in an attempt to document and manually change the privileged accounts present on the organisation’s network.
