The Lesser of Two Evils: A Data Breach or a Failed Audit?

The lesser of two evils principle, as defined by one of my favorite resources, Wikipedia, is the principle that when given two bad choices, the one which is not as bad as the other should be chosen over the one that is the greater threat. But that might be difficult to determine when choosing between data breaches and failed audits. For example, you can fail an audit for several reasons, with consequences ranging from small penalties and minor remediation efforts to huge penalties, prison sentences and massive infrastructure upheaval. You can also endure all types of data breaches with differing levels of severity, scope and financial outcomes. So choosing one over the other isn’t as simple as deciding between a candy bar and ice cream (I would choose ice cream, for those of you keeping score at home).

The key is to come up with a set of security controls that will help you mitigate the chance of a data breach while at the same time helping you pass your audit. The SANS Institute, along with a consortium of U.S. and international agencies and experts from private industry, came up with twenty critical security controls to help organizations do just that. Specifically, I wanted to highlight number 12, Controlled Use of Administrative Privileges.

I picked this one because auditors have been writing reports about improper control and management of privileged accounts for years. In addition, because of the powerful nature of these accounts, they are a primary target for hackers. Historically, organizations have put rather cumbersome manual processes in place to protect these valuable credentials from both hackers and nefarious employees. The challenge with those processes is that they do not lend themselves well to being audited automatically. Stated another way, these processes forced organizations to sacrifice auditing for security (i.e., fewer data breaches). But it doesn’t have to be that way.

There are solutions that can help you control and manage these accounts while offering automated auditing. These privileged management solutions inventory all systems, accounts, users and passwords and track where and how they are used. This provides an automated yet secure workflow that you can use to grant access to privileged accounts while enabling you to easily provide reports to the auditors, mitigating the chance of a security breach and enabling you to pass an audit. If you would like to find out more about solutions for privileged account management, read this e-book: Strategies to ensure success for your Privileged Management Project.

 

 

Anonymous