The Threat: Privileged User Abuse

Privileged user access is a necessity for managing almost any IT application. Someone or a group must have the ability to maintain the application as needed to support the organization's business processes when issues arise. This blog explores how to prevent Privileged User Access Risks in Oracle E-Business Suite with SafePaaS Privileged Access Management solution.

Numerous situations occur where an organization needs to grant “superuser” access to employees under unusual circumstances. These are instances of “exceptional access” that fall outside the user’s typical job role or responsibilities and will typically create access policy violations that need to be highly supervised. Despite the need, access privileges that create risks, such as segregation of duties conflicts, need to be mitigated and require the maintenance of an audit log of all superuser access activities in order to satisfy regulatory compliance requirements. But this level of Privileged Access comes with risks, these are several examples of risks where actual malfeasance has been determined.

Chief Information Officers are keenly aware of the threat not only to their intellectual property but ultimately to their bottom line.

• According to the Association of Certified Fraud Examiners fraud survey,  $348billion a year in corporate losses can be tied directly to privileged user fraud.

• In a recent survey conducted of IT practitioners Ponemon Institute showed 45% of respondents believe the threat will continue to grow and another 43% believe it will remain the same over the next 12-24 months.

• An employee with privileged user access, at a U.S.-based global energy company, was enticed by a foreign company, to steal source code and other intellectual property from his employer. As a result of his theft, the energy company lost three-quarters of its revenue, half its workforce, and more than $1 billion in market value.

The challenge is while Privileged Access is necessary, it needs to be determined to what degree and how organizations manage this need and minimize risk. Too much access has been the typical response which obviously increases Privileged Access risk.

As an organization, SafePaaS has developed controls monitoring user access that can be extended to Privileged Users and SafePaaS’ FirefighterID™ capabilities are able to prevent and monitor this level of access in a more effective manner.

Who are Privileged Users?

Damage caused by privileged users is the most extensive, the hardest to mitigate and the hardest to detect as it is done by authorized users doing things they are authorized to do. 

They are often very technically savvy and have elevated access to systems, making it easy for them to cover their tracks.

So, who are they?

• Database Administrator

• System Administrator

• Network Engineer

• IT Security Practitioner

• IT Audit Practioner

• Data Center Operations

• Application Developer

• Cloud Custodian

The challenge is how to provide the level of access needed for these users to effectively manage the applications to address issues as they arise, while not impacting organizational operations, and also minimize risk with Privileged Access users.

Standard ERP Access Controls

Below is the Oracle E-Business Suite user provisioning screen showing the steps to provide a user with Privileged Access capabilities, (the concept is the same regardless of application).

As you step through the setup, there are key areas of risk. In this example; no resetting of passwords, indefinite access and what access are they assigned through responsibilities.

Most organizations set up these users without any restrictions or monitoring which causes Privileged Access risks. Organizations today are looking to do a better job of controlling and limiting this level of access.

ERP User Provisioning Process does not mitigate super user risk.

• Not revoking privileged access status after the employee’s role changed, and providing everyone at a certain level in the organization with such access.

• IT operations are primarily responsible for assigning, managing and controlling privileged user access rights. However, business units and IT security are the functions most often responsible for conducting privileged user role certification.

• Privileged access rights that go beyond the individual’s role or responsibilities are often assigned.

• There is an inability to create a unified view of privileged user access across the enterprise.

Privileged Access cannot be managed effectively through the standard provisioning process. Typically, once Privileged Access is given to a user, it is not revoked; creating a high level of risk. De-provisioning occurs either manually or automatically when someone leaves the organization; Privileged Access users aren’t affected by that process.

IT is the part of the organization that manages Privileged Access, but IT is typically monitoring this level of access; so they are monitoring themselves.

Privileged Access typically goes beyond the assigned individuals needed access to address the issue. It is difficult to determine what level of access a Privileged Access user needs to address a pressing issue. In most cases, Privileged Access users are given more access than they really need.

Every organization is different, making it difficult to create a single unified view of Privileged User Access, and how to manage this level of access. Organizations typically have many business processes with each process having unique functionality requiring a detailed understanding of each application. Because of the complexity, Privileged Access is typically assigned to more than one person, so establishing a single PA is unattainable.

The Business Case for Improving Privileged User Access controls

Identity governance is the policy-based centralized orchestration of user identity management and access control.

 

• Cyber security risk is increasing with the adoption of Social, Cloud and Mobile which is uncharted, unregulated and faces few restrictions.

• Organizations must improve Identity Governance to safeguard against data breaches, theft, fraud, sabotage, and other security risks.  

• The User access request process in many ERP Applications is inefficient and inconsistent where users are granted access without necessary policy checks and approvals.

• The User provisioning process can be improved by consistently enforcing access policy, such as segregation of duty (SoD) rules, before violations get introduced into the ERP environment, controlling sensitive business information to potential threats and vulnerabilities.

There is a clear business case for improving Privileged User Access controls;

-Changing technology where Identity Management is becoming more of risk concern. Many organizations are deploying multiple applications such as cloud, on-premise, custom applications...Privileged Access needs to be managed for each mission-critical application where fraud may have a significant impact on the organization.

-Most organizations' provisioning process is very unstructured with emails, phone calls, ticketing systems that don’t provide an auditable consistent process. This is compounded with Privileged Users due to the level of access and related risks. There is a need to enforce policy management within the provisioning process; the more you can automate the more predictable and effective it will be to manage.

-With automation and focus on access management, you can improve the provisioning process with policy evaluation and workflow approvals to prevent introducing risk to the organization. SafePaaS FirefighterID™ capabilities help improve the management and monitoring of this level of access.

The below infographic represents the provisioning process using SafePaaS iAccess™ which is slightly different for Privileged User Management.

-The first swim lane identifies the access policies and sources for users to be provisioned, they come from your other onboarding processes such as Active Directory, HR, IDM...

-The second swim lane provides for the following; only registered users are allowed access, manager or through self-service users request to access ERP. Once the request is initiated,  the process for policy violations (step 1) is started. Upon completion, the approval workflow is initiated to ensure all approvals are provided for the request.

-The third swim lane shows how the user is updated based on workflow approvals (if desirable) for roles requested in the ERP.

-To close the loop for Privileged Access,  certification is initiated with MonitorPaaS™. MonitorPaaS™ provides a report of the FireFighter Access as to which applications were accessed by the user and what functions they may have executed; establishing a monitoring control over this level of access.

 

This second infographic represents how to control superuser access.

 

If you wish for a deeper discussion around our Privileged Access Management capabilities, we are here to help. 

The Three Pillars of Modern Transaction Monitoring

 Transaction monitoring  – the cornerstone of the audit process

It has been a way to infer to some level of probability that a control is effective. The control of greatest significance for the longest time were the accounts with their own magical double-entry controls. Confirming the validity of balances, allowed an auditor to express whether they represent a true and fair view of the financial affairs of the company. This in turn allows an investor to judge the amounts, timing, and certainty of future cash flows. It coincidentally has some capability to find fraud. Now we all realize that by the time an issue is reflected in the books of account, any issue is by definition historical with little chance to correct. We have controls in place within processes that are far upstream from the accounts. We also all realize that we have obligations to constituencies beyond investors: employees, customers, vendors, and that controls must be in place to protect their interests. Of course, we now have legislation that enforces these obligations, not least of which is GDPR. We also realize that damage can be done to a company’s reputation even if the internal controls over financial reporting are effective. For all these reasons transactions need to be CCM continuous controls monitoring to confirm that internal controls, financial, information security and reputation are well designed and remain effective. 

Sampling

Within the Auditors toolkit has always been sampling, as a way to predict with a known level of probability whether the hypothesis that a control is effective can be asserted. Verifying every transaction by human power is an expense rarely justifiable to shareholders. Even sampling has had some improvements with the ability to coordinate sample sizing with control frequency and coordinate samples with audit procedures, records request and engagement letters. In this way, samples can support the evaluation of many controls in the overall audit plan. With the early focus on the accounts as being the touchstone of internal controls, the hypothesis being tested was that every balance could be supported by underlying transactions and that all transactions get processed. As the audit universe has expanded, hypotheses being tested have expanded: all authorizations have been approved, all expense claims are legitimate, all employees have passed background checks, all activity on the network is legitimate.

Continuous Controls Monitoring

With the need to increase the reliability of controls, coupled with the need to make the control verification methodologies much more efficient, transaction monitoring moved into the realm of rules being applied and every transaction being evaluated. If we take the example of all expense reports being legitimate, we may have rules that report numerous transactions just under authorization limit or multiple employees with expenses to the same vendor on the same day. Being able to report these allows us to move from a sample-based approach to a substantive approach and therefore have a much higher degree of confidence in the assertion. This increase has only been viable because of the ability to deploy specialist tools for continuous controls monitoring, but they can only be as good as the rules that they evaluate.

Where is Transaction Monitoring going?

Audit as a Service and mining for audit rules

Anomalous transactions are by definition rare. The rate of learning is very dependant on having training data. SaaS companies have access to the precious commodity of fraudulent transactions across their tenants. This means members of the service share the spoils of the service in terms of the refinement of the rules. It also means that the service provider has to be able to guarantee privacy in the use of the learning data. Extraction and Anonymization capabilities must be transparent so that all parties can understand this risk.

 

Audit Optimisation

Given that manual audit will continue to be necessary we need to develop a risk management audit tool program that will focus scarce audit resources on where they can provide the most value to the organization. Objective Function to minimize residual risk, maximize reliability, maximize confidence in the assertion and minimize cost, subject to the constraints of limited people and budgets. Audit Procedures confirm a set of controls that if they prove to be effective, reduce the residual risk in a number of risks identified in the risk assessment phase of an audit program. We also know the time and costs associated with their execution. This allows us to ranks them according to their “risk removed”. We can also modify the time and cost for sample size in the control and increase or decrease the confidence in the result. In this way we can optimize for both “Risk removed” and “Confidence Gained” subject to cost and resource constraints.

Conclusion

A transaction monitoring solution is vital to protect the validity of financial reporting, assets of the enterprise, Information security, and reputation of any organization. Transaction monitoring is necessary to confirm internal controls are designed well and working effectively. Having adequate internal controls is mandated under many regulations that now include GDPR. A transaction monitoring solution should include manual audit, continuous transaction monitoring machine learning and audit optimization. Specialist providers in the cloud have an advantage in speed of learning through getting training data from many tenants.