Last month, we addressed the importance of discovery and introduced the concept of Intelligent Discovery. This month, we will focus on the one element of Intelligent Discovery that stands out as the most crucial: ownership.
Ownership serves as the cornerstone of any cybersecurity program.
It involves actively finding owners, keeping that ownership current as people and roles change, and ensuring those owners accept responsibility for the operational risk that security changes introduce. This active approach is what makes risk reduction real: a change that nobody owns is a change that nobody can validate.
To illustrate this point, let’s revisit last month’s example about a messy room that needs cleaning. Imagine the room is filled with boxes, some of which belong to you and others that do not. Among these boxes, there is one containing sentimental toys from your spouse’s childhood. If you were to take the initiative and dispose of everything in that box without consulting your spouse, it would likely lead to conflict. Instead, it is important to actively communicate with your spouse and obtain their agreement before deciding whether to discard or keep the box.
The same principle applies to any asset within an organization, such as a service account, server, application, share, or database. Making permission changes, retiring assets, rotating passwords, or onboarding them into a vault platform should never be done without first obtaining the owner's permission. Failing to do so creates operational risk, and the responsibility for any resulting outage will fall on the infrastructure or security professional who made the change without ownership confirmation.
But how do we determine ownership?
Relying solely on books of record for ownership is not reliable: they quickly become outdated, and manual updates are prone to inaccuracies. Determining the owner of a random asset, such as a vaguely named service account, is therefore a challenging task. It requires actively analyzing the available data (for example, who has access to the asset and where those people sit in the org chart), applying machine learning and AI, and crowd-sourcing the answer. These methods must work together to pinpoint the individual who will accept ownership responsibilities.
At SPHERE, we have achieved success with ownership by actively applying multiple methods in a specific order: we start with the most reliable method, fall through to progressively weaker ones, and resort to a default owner only if every other method fails.
One effective method for our customers is the Majority Manager method. Among the people who have access to an asset, it identifies the manager with the most direct reports in that group and proposes that manager as the owner.
Regardless of the methods chosen, it is important to consider that not everyone qualifies for ownership. Some individuals may be too junior, consultants, or too senior to take on ownership responsibilities. These individuals should be excluded from the ownership determination process, and a candidate returned by any method should be checked against these exclusions before being proposed, so that the process moves on to the next method rather than proposing an ineligible owner.
Even with a comprehensive list of effective ownership methods in place, true ownership is only established when the proposed owner accepts ownership. Only then do you have a confirmed owner. A mechanism should be in place to allow the proposed owner to agree to ownership, ensuring they take responsibility for any potential operational risks.
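The ordered cascade, the Majority Manager method, the eligibility exclusions, and the acceptance step described above, combined into one runnable example. This is an added illustration written for this page, not SPHERE's code or product logic. Everything in it is an assumption made for the demonstration: the HR directory, ACLs and book of record are constructed data; the method order (book of record first, then Majority Manager) is one reasonable ordering; the level band used for "too junior" and "too senior" is invented; and a tie between top managers is treated as inconclusive so the cascade falls through.

```python
"""Ownership cascade: ordered methods (book of record, then Majority Manager),
an eligibility filter, a default-owner fallback, and explicit acceptance.
All directory, ACL and book-of-record data below is constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Person:
    uid: str
    manager: Optional[str]   # uid of direct manager; None at the top of the org
    level: int               # assumed pay band: 1 = most junior
    employment: str          # "employee" or "consultant"


# Constructed HR directory (assumption: this is what an HR feed would provide).
DIRECTORY = {p.uid: p for p in [
    Person("alice", "bob", 2, "employee"),
    Person("bob", "carol", 4, "employee"),
    Person("carol", "dana", 5, "employee"),
    Person("dana", None, 7, "employee"),
    Person("eve", "bob", 3, "employee"),
    Person("frank", "bob", 3, "consultant"),
    Person("gina", "carol", 4, "employee"),
    Person("hank", "gina", 3, "employee"),
    Person("it_ops_lead", "dana", 5, "employee"),
]}

# Constructed ACLs: asset -> uids holding access (what discovery would collect).
ACCESS = {
    "svc_app01": {"alice", "eve", "frank", "hank"},
    "share_finance": {"carol", "gina"},
    "share_eng": {"alice", "hank"},
    "db_legacy": set(),
}

# Constructed book of record; "zed" has left the company and is not in DIRECTORY.
BOOK_OF_RECORD = {"db_legacy": "zed", "share_finance": "carol"}

DEFAULT_OWNER = "it_ops_lead"
MIN_LEVEL, MAX_LEVEL = 3, 6   # assumed band: below is "too junior", above "too senior"


def eligible(uid: Optional[str]) -> bool:
    """Exclude unknown/departed people, consultants, and anyone outside the band."""
    p = DIRECTORY.get(uid) if uid else None
    return p is not None and p.employment == "employee" and MIN_LEVEL <= p.level <= MAX_LEVEL


def book_of_record(asset: str) -> Optional[str]:
    """Recorded owner, if any; the cascade still checks eligibility (stale entries fail)."""
    return BOOK_OF_RECORD.get(asset)


def majority_manager(asset: str) -> Optional[str]:
    """Eligible manager who directly manages the most people holding access.
    A tie between the two top candidates is treated as inconclusive (assumption)."""
    counts = Counter()
    for uid in ACCESS.get(asset, set()):
        p = DIRECTORY.get(uid)
        if p and eligible(p.manager):
            counts[p.manager] += 1
    ranked = counts.most_common()
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


# Assumed order: most reliable first; default owner only when everything fails.
METHODS: list[tuple[str, Callable[[str], Optional[str]]]] = [
    ("book_of_record", book_of_record),
    ("majority_manager", majority_manager),
]


@dataclass
class Ownership:
    asset: str
    method: str
    proposed: str
    confirmed: bool = False   # only True after the proposed owner accepts


def propose_owner(asset: str) -> Ownership:
    for name, method in METHODS:
        candidate = method(asset)
        if eligible(candidate):
            return Ownership(asset, name, candidate)
    return Ownership(asset, "default", DEFAULT_OWNER)


def record_response(o: Ownership, accepted: bool) -> Ownership:
    """Acceptance turns a proposal into a confirmed owner; a decline sends the asset
    back to the default owner, still unconfirmed, so the gap stays visible."""
    if accepted:
        return Ownership(o.asset, o.method, o.proposed, confirmed=True)
    return Ownership(o.asset, "default", DEFAULT_OWNER, confirmed=False)


if __name__ == "__main__":
    for asset in ACCESS:
        o = propose_owner(asset)
        print(f"{asset:14} -> {o.proposed:12} via {o.method} (confirmed={o.confirmed})")
```

Running it proposes bob for svc_app01 (three of the four access holders report to him; frank's consultant status does not matter because it is the manager who is evaluated), carol for share_finance straight from the book of record, and the default owner for share_eng (a one-to-one tie) and db_legacy (stale record, nobody with access). Note that `confirmed` stays False until `record_response` is called with the owner's acceptance; a proposal is not an owner.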
Lack of ownership is a common reason for delays in security programs. The more successful you are with identifying the correct owners, the faster you can proceed with remediation, and ultimately reduce risk.