Trust No One: The Threat of Rogue Admins

“Trust no one” – a phrase reminiscent of The X-Files – is now a familiar concept in the realm of cybersecurity.

As pressure to protect enterprise systems and data grows and attacks become more sophisticated, today’s IT and security teams just can’t afford to automatically trust any thing (or anyone) inside or outside of their network. Not even system administrators.

Back when I was a young webmistress (yes, that was a title), things were quite different…

I was just learning the ins and outs of keeping our newly-built website up and running when someone mentioned adding an ecommerce functionality. Suddenly, information security became something I had to think about.

Of course, we didn’t have policies in place for security at the time, so I simply went to a website, bought an SSL certificate, and installed it on the web server. If I had the time, I’d email the certificate and password to my manager as a backup, just in case we needed it.

As time wore on, I learned how to request internally-trusted certificates for random uses like securing file transfers (FTP) and internal communications (S/MIME). I’d just log into Active Directory Certificate Services (ADCS) and request a certificate with whatever data seemed appropriate.

Again, no policies were in place.

Times have certainly changed. Most organizations today enforce standard IT security policies and practices across every function in every line of business. But the ability of an administrator to independently request a certificate directly from an internal or external certificate authority (CA) hasn’t changed.

IT and system admins have privileged access and wield immense power over data, devices, and applications. You can’t survive without them, yet few incidents can cripple an organization like an admin gone rogue.

But let’s not equate rogue admins with villains. In many cases, rogue agents have honest intentions (think James Bond), but they prefer to work outside organizational policies and practices that they view as too restrictive or time-consuming for their day-to-day work.

By definition, rogue means, “behaving in ways that are not expected or not normal, often in a way that causes damage.” That’s the real problem.

In reality, the vast majority of admins want to follow best policies and practices, but traditionally slow and manual steps to create a certificate signing request (CSR) lead them to opt for faster, non-compliant alternatives. And for those that do follow policies and procedures, people make mistakes. Human error will always find its way into manual IT processes.

With each mistake, the number of non-compliant certificates eventually extends beyond the capacity of your public key infrastructure (PKI) team to keep up. Then, it happens. An auditor finds multiple non-compliant certificates and demands immediate remediation. PKI teams are left scrambling to reach out to admins to find, renew, and replace all out-of-policy certificates.

Was it expected? Probably not. But should it really come as a surprise? Not at all.

More importantly, the damage caused by these incidents is critical. In a recent blog post, my colleague and Chief Security Officer at Keyfactor, Chris Hickman, discussed the Keyfactor-Ponemon report on “The Impact of Unsecured Digital Identities”. Chris points out that organizations experienced an average of five failed audits in the past 24 months, at an average economic loss of more than $14 million.

In his words, “when there are no controls over how administrators request, renew, and install certificates, they are far more likely to violate IT policies, and it quickly becomes impossible to know where every certificate is located, how they are used, or who owns them.”

The goal of IT admins is to make sure the systems and applications they manage meet defined service levels. In that context, it only makes sense for them to manage the keys and certificates as well.

At the same time, the PKI team should ultimately have control over every key and certificate in the enterprise, and how they’re obtained. But without guardrails in place, there is no way to enforce policies that prevent expensive (and frankly embarrassing) scenarios like those outlined in the report.

It’s a matter of striking a balance between the PKI team’s need for control and the admins’ need for speed. Providing a structure around your certificate issuance and lifecycle is the easiest way to ensure that your PKI team has the visibility and control necessary to remain complaint. Plus, automation allows IT and system admins to avoid outages without taking up valuable time.

Implementing the right solution and processes to secure and automate digital identities will help your organization build a culture of trust and avoid the risk of rogue, or just time-constrained, administrators.

For more information, download the full Keyfactor-Ponemon Report: