The recent US National Guard leak has once again focused attention on the risk that overprivileged access poses. A massive intelligence breach occurred when Massachusetts US National Guardsman Jack Teixeira, an IT specialist with a top secret security clearance, accessed and printed classified files and posted them to a civilian Discord chat room. He did this after having been previously reprimanded for his mishandling of classified information. This isn’t the first time the US military has faced this challenge. The Snowden and Manning leaks famously stemmed from the same issue – overprivileged IT access. So, what can Defense and enterprises do to mitigate this type of breach?
Why is Privileged Access Management So Hard to Solve?
Overprivileged access occurs when a user or users have more permissions than they need to access systems, applications or data. Privilege abuse occurs when a user with elevated access rights, such as an admin, uses them for malicious purposes. The National Guard leak is a prime example of this.
This isn’t a new problem. Organizations have been struggling with how to implement appropriate controls to limit privileged accounts for years.
A few years ago, the question “How do I prevent an administrator from seeing my organization’s sensitive files?” was posted on Microsoft’s community forum. The responses basically drew the conclusion that if an admin was determined enough, then there wasn’t a lot that could be done. Also, if you found yourself in that situation, you should instead be looking at your employee hiring process rather than looking for a technical solution. This response has been the standard for many years when it comes to overprivileged admins.
However, curbing admin accounts is not just about protecting your sensitive data from privilege abuse. It’s also about protecting another valuable asset – your people. Not allowing admins to see sensitive data is not just about keeping things secret, it also reduces the exposure risk for the admins themselves. Overprivileged accounts are prime targets for hackers, who use these compromised accounts for land and expand exploitation of critical networks and data. The more information your admin has access to, the more data a hacker can steal.
Real-world Overprivileged Admin Examples in Microsoft 365 and SharePoint
It’s not just Defense agencies who are at risk. Here are a few real-world examples of privileged access management challenges in an enterprise setting.
A company’s SharePoint admin had been asked to check the permissions on a file that contained details of an impending round of layoffs from the company. The admin accidentally saw part of the file during this process. Luckily for them, their own name was not on the list, but what caught their eye was that their friend’s name was. While HR and Managers are paid to carry the burden of information like this, IT administrators are not. As a result, the company needed to ensure their admin could not see HR and other company-sensitive information moving forward.
Another customer wanted to ensure that only certain people could access their Board of Directors documents. They were not satisfied with the usual practice of relying on permissions in M365, separation of duties for administrators and auditing to monitor for anyone attempting to grant themselves access to the files. Due to the nature of the files and the increasing responsibilities for data privacy that exist today, they felt the “standard” approach to overprivileged admins was not good enough in Microsoft 365.
With the advances in access management, what can be done today to prevent leaks and overexposure of sensitive data from privileged accounts?
Controlling Privileged Access Management in Microsoft 365 and SharePoint
Technology exists to effectively eliminate this problem and protect both the sensitive data and your people. The stakes in the current climate are just too high to accept a strategy that is full of holes and caveats. While trusting your employees is a noble idea, it is naïve. Unfortunately, abuses of trust and credential theft occur all too often and can be extremely damaging to your business or in the case of the recent National Guard leak – national security.
In the three military leaks, collaboration platforms provided the access point for the exposed sensitive data. While platforms like Microsoft 365 have some privileged access management capabilities, they can be expensive, complicated to configure and don’t provide the level of granular controls that third party solutions can offer.
NC Protect is a complementary add-on product that enhances the built-in security capabilities in Microsoft applications. It dynamically adjusts access and protection in Microsoft 365, SharePoint on-premises and Windows file shares – based on a real-time comparison of file content and user context – to prevent unauthorized users, including admins, from seeing information that’s not meant for them.
Dynamic attribute-based access control (ABAC) policies can be set so that an admin can see that a file exists but cannot open it to view the contents. Different users can have different access and editing rights to the same content. It allows admins to perform their job without compromising the security of sensitive files.
Don’t Stop at Access, Limit What Users Can Do with Sensitive Data
What if a user needs to access sensitive data to do their job? Of course, Admins and other users do need to access sensitive data for day-to-day tasks, but security should not just stop at determining access. NC Protect provides additional real-time controls to prevent sensitive data abuse once access has been granted to authorized users.
- For example, disable options to print, download and/or copy sensitive documents in Office applications (Word, Excel, PowerPoint).
- Or force users to view sensitive files in a Secure Reader that disables print, save, and download capabilities – enforcing secure read-only access.
- Automatically add a secure watermark that can’t be removed to identify the user handling the file including name, date, time, location, IP address, etc. This ensures that if someone snaps a photo of the file to circumvent controls (as the National Guardsman did), the leaker can be easily identified.
- Redact sensitive content (words and phrases) from documents in Office or the Secure Reader.
- Apply required visual markings for Controlled Unclassified Information (headers, footer, CUI Designation Indicator labels)
- Change usage/viewing rights based on the user’s location or device (e.g., home or WiFi).
NC Protect’s ABAC-enabled approach can more tightly restrict access to an individual file using its sensitivity and other user attributes (e.g., classification, role, security clearance, network, time of access, geographic location, etc.), not just role, thus limiting admins from accessing information they are not authorized to. It applies the policy each time any user attempts to access a file, regardless of whether they are authenticated into the system and/or the application. This level of fine-grain, real-time access control supports a data-centric zero trust architecture, as well as enables multi-level security by allowing documents of different classifications to be stored in a single repository.
Learn more about the advantages of NC Protect’s ABAC approach to control overprivileged access in Microsoft 365 and SharePoint.
