It all began at the home office…

Jerry works for the development department of a medium-sized company. He has to work from home for a few weeks due to personal reasons, which is something the company does not usually allow. However, since Jerry has been a reliable member of the team for a long time, the company decides to make an exception. The IT department sets up a VPN connection for Jerry on his private PC at home so he can continue working on projects.

After three weeks, Jerry returns to the office. However, his supervisor forgets to inform the IT department about Jerry’s return because he is busy bringing Jerry up to speed on the team’s current project. Nobody disables Jerry’s VPN connection and it is soon forgotten.
After several disputes with his supervisor, Jerry accepts a job offer from another company in the region. He begins to concoct the nefarious plan of stealing work data from his current job to bring it into his new job. He carefully considers all his options and concludes that transferring the data to a USB stick would not work due to the built-in device control; e-mailing seems risky as well. But, unlike the company’s IT department, Jerry has not forgotten about his VPN connection.

As later investigations of the log files showed, Jerry spent several weeks copying confidential data to his PC using the VPN connection. The stolen data included CAD drawings and calculations for his former employer’s unpublished products. Had Jerry not blown his own cover by mentioning his sly scheme to a colleague, he would have caused his former employer damages in the millions of euros.

While you’re here – why don’t you sign up for our webinar?

“Top 5 Risks in Access Management” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up for free

How can I protect my company?
The IT department of Jerry’s company should have activated a suitable policy or DLP function in the VPN software to close this particular security hole. However, there are many more gateways for unauthorized access besides VPN connections. Some of these are:

  • Continued use of applications or privileges that should have been removed long ago, but still exist as remnants of previous activities in former departments
  • Continued use of user accounts belonging to colleagues who have already left the company
  • Continued use of project-related rights or other temporary rights that are still active, even though they should have been long removed

The only reliable protection against such scenarios can be provided by following the principle of least privilege, which states that: “A user account (or process) should only receive those privileges which are essential to perform its intended function.” Had Jerry’s VPN connection been disabled once he returned to his workplace, he could not have used this gateway to steal the data.

How can I achieve the principle of least privilege?
There are several ways of achieving POLP. With tenfold, you can implement all necessary procedures:

  1. Standardize and automate privileges
    With tenfold’s profile assistant, you can find out which privileges are part of the standard set for your departments. Make sure that users receive the relevant privileges upon joining a department (so they can commence work immediately) and that these privileges are withdrawn again once they leave the department (to guarantee data security).
  2. Work with temporary privileges
    If you assign additional privileges outside the standard set for a department, always set an expiration date for them. If you handle this manually, you have to create a reminder in your Exchange calendar so that you terminate the privileges on the set date. With tenfold, you can automate this workflow, and it even provides a reminder through which the duration of the privilege activation can be extended automatically.
  3. Establish a recertification process
    Data controllers should be required to review, on a regular basis, whether the current access rights still correspond to actual business operations and demands. If everyone adheres to these processes correctly, it is fairly easy to detect unauthorized access quickly.
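As an added illustration of steps 2 and 3 (this is example code written for this article, not tenfold’s software or any API it exposes), the script below runs a stale-access review over a constructed list of privilege grants: it flags temporary grants that were never given an expiry, expired grants that are still active, and grants whose recertification is overdue. The 90-day review interval, the grant records and the review date are all constructed assumptions.

```python
# Example stale-access review (not tenfold's code). All data below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

RECERT_INTERVAL = timedelta(days=90)   # assumed recertification cadence
REVIEW_DATE = date(2023, 4, 15)        # assumed "today" for the sample review


@dataclass
class Grant:
    user: str
    privilege: str
    granted: date
    expires: Optional[date]            # None = no expiration date was set
    temporary: bool                    # True = outside the department's standard set
    last_recertified: Optional[date]   # None = never reviewed since it was granted


def review(grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, privilege, reason) findings a data controller should act on."""
    findings = []
    for g in grants:
        # Step 2: temporary privileges must carry an expiry, and expired ones must be gone.
        if g.temporary and g.expires is None:
            findings.append((g.user, g.privilege, "temporary grant without expiry"))
        elif g.expires is not None and g.expires < today:
            findings.append((g.user, g.privilege, "expired grant still active"))
        # Step 3: every grant must be recertified within the review interval.
        last_review = g.last_recertified or g.granted
        if today - last_review > RECERT_INTERVAL:
            findings.append((g.user, g.privilege, "recertification overdue"))
    return findings


# Constructed sample mirroring the story: the home-office VPN access was set up as a
# temporary exception, never given an expiry and never reviewed after the return.
SAMPLE_GRANTS = [
    Grant("jerry", "vpn-remote-access", date(2023, 1, 9), None, True, None),
    Grant("jerry", "cad-share-read", date(2021, 3, 1), None, False, date(2023, 3, 1)),
    Grant("anna", "project-x-share", date(2023, 2, 1), date(2023, 3, 31), True, None),
]


def sample_review() -> List[Tuple[str, str, str]]:
    return review(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, privilege, reason in sample_review():
        print(f"{user:8} {privilege:20} {reason}")
```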

Jerry could not have stolen data from the company had there been a solid recertification process in place. However, if the process is not system-based, it takes IT departments a long time to collect all of the necessary data to implement a recertification process and it is a tedious process for data controllers as well, as they have to enter the data manually. tenfold provides integrated support for recertification, while adhering to all necessary best practices.

Conclusion
Unauthorized access is a major problem. Theft of intellectual property and unauthorized access to personal information can have serious financial consequences and severely damage your company’s reputation.
It is therefore vital to make sure that all employees have correctly set access rights that are within the limits of their job requirements.
There are numerous approaches to achieving a high level of data security. However, the manual effort and operational discipline required to implement such methods are discouraging to many companies or lead to inadequate results. If you opt to use the appropriate IT tools – such as tenfold – you will soon see and feel an increase in success and IT security.