Exactly what does it mean to monitor user activity?
Monitoring user activity can include everything from video cameras used for physical security to active monitoring of how staff utilize social media on their computers. The scope of activity monitoring depends on the objectives of the monitoring effort and the charter defined by the organization.
User activity monitoring within enterprise IT can include this full range of what could be described as surveillance but more often includes the active review of administrator and end user activity with the specific goal of identifying misuse of privileges through ignorance, mistake or malicious intent. The driving objectives are typically information protection, compliance and ensuring availability.
Methods of user activity monitoring are as varied as the technologies used by administrators and end users. These include network packet inspection, analysis of key logging, indexed video recordings of sessions, kernel monitoring and log collection and analysis. Regardless of the monitoring technology, the information must be reviewed in context with policy and the user role to identify inappropriate activity. Such activity would include:
- Email administrators reading email between the board and executive team
- Healthcare workers accessing patient records for a celebrity not in their care
- Sales representatives downloading full client lists and sales pipelines
- Administrators taking shortcuts around the change control process so they can leave early before a long weekend.
It is the nature of monitoring efforts that a great deal of data is collected and analyzed to find the nugget of actionable information. Worldwide shipping containers are inspected to search for criminal environmental, smuggling or terrorist activity. The vast majority of the containers inspected pass without incident. As such, there is constant pressure to speed the process and more quickly identify the ones with illicit content. The same is true for any enterprise IT user activity monitoring solution.
Modern user activity monitoring solutions must allow organizations to quickly identify actionable information from vast amounts of collected data based on associated risk, identity context, time of day and defined policies. These solutions should be able to provide near real-time identification of these nuggets of information while also supporting detailed analysis of historical activity. In both cases, real-time and historical, the solution must answer: Who did What, When and Where?
In the age of privacy nightmares, many employees are wondering why their organizations needs user activity monitoring in the first place.
Many organizations wonder why you need to monitor users when you have controlled what they have access to do. The answer is that privileges always allow room for abuse and very few systems provide granular enough control to come close to solving this issue.
User activity monitoring can address the abuse of privileged access. Any monitoring initiative must start with clear objectives and a charter that has been approved by executive management with the approval of the legal team. The charter must be specific and take into account the governing law in every related jurisdiction. The initiative must also include supervision of the team that will perform the monitoring. Without this level of governance, it is far too easy for even well intentioned programs to violate legal and ethical standards.