Commentary - Today’s fast-paced business environment requires that employees have access to information where and when they need it. Organizations, however, struggle to ensure that employees have just enough access – not too much, not too little.
Inappropriate access is extremely common and it can lead to detrimental business risk. Such events range from relatively minor policy and compliance violations to disastrous business losses.
All it takes is one person with the wrong set of access controls to wreak havoc. From lost revenue and increased expenses and fines to damaged customer relationships and corporate brand reputation, the costs are far reaching.
Walking a fine line: When access risks become a threat to the business
The foundation of any access risk management initiative should be adherence to the principle of least privileged access, which ensures that legitimate users have only the minimum amount of access necessary to do their job.
Access-related risks become unacceptable when the principle of least privileged access is violated. It’s critical that organizations avoid violations to minimize risks.
Perhaps more importantly, organizations should understand how violations happen in order to avoid them. Typically, violations are a result of one of five access governance challenges:
1. Entitlement inertia
Entitlement inertia is the failure to remove previously issued access entitlements once they are no longer necessary or appropriate. It’s not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted, transferred or temporarily assigned to another department within the organization.
Users who carry excess entitlements into their new role may create toxic combinations of access that often result in segregation-of-duties violations or create other business risks. If an organization’s termination procedures are lax, former employees may even retain some or all of their access entitlements after their employment has ended.
2. Orphaned accounts
Orphaned accounts are another access governance challenge that can lead to serious financial and regulatory consequences. In a typical large enterprise, user access data is not only contained within centralized directories where it can be monitored, it’s also scattered throughout the organization’s information resources. The data in these user repositories may go unmonitored, greatly increasing the possibility that “orphaned” accounts could remain after the off-boarding process that takes place when an employee leaves an organization.
3. Compliance myopia
Compliance myopia results from the mistaken assumption that compliance with access-related regulatory guidelines ensures adequate access risk management. SOX and other regulatory mandates were never intended to be comprehensive risk management methodologies. Just because access rights meet regulatory guidelines does not mean that they are consistent with the rule of least privileged access and other access governance best practices.
4. Rubber-stamping
Rubber-stamping happens when business managers are asked to review and approve access entitlements that are presented to them in a security syntax they cannot understand.
Asking business unit managers to certify employee access using a RACF mainframe security administrator’s report is a typical scenario for which external auditors fail organizations. The business unit manager does not have the context to understand the user entitlements on a mainframe application unless the entitlements are presented in business-friendly terms that relate to a user’s job responsibilities.
5. Accountability loopholes
Accountability loopholes remain open as long as full responsibility for access governance is limited to IT. IT security teams operationalize access at the request of the business, but they do not have the business context to understand what level of access is needed for a particular job function or business responsibility.
Business units and IT teams are certainly not experts in compliance regulations; audit and compliance departments, however, are. It is essential, therefore, that audit, risk and compliance teams collaborate on managing access policies, and that accountability for compliance with regulations and policy be extended to the appropriate business managers.
Monitoring, managing and mitigating access risks
These are all surprisingly common problems in large organizations, and they are natural consequences of the usual pressure on IT departments to provide access quickly when employees are transferred or promoted into positions that require new sets of entitlements. To overcome these challenges, it is essential to monitor, manage, and mitigate access-related risk throughout the enterprise. Automation is the key: it ensures that policies, such as compliance regulations and industry mandates, drive the right access decisions, and it makes the access review and certification process repeatable so that access rights issues are remediated in a timely fashion.
Monitoring risk requires an automated process for periodically reviewing user access. It should also enable dynamic monitoring of particularly sensitive entitlements, give business managers a full view of access entitlements in an easily understood format, and provide a simple, automated way for those managers to certify or decertify existing roles and their corresponding entitlements, or to authorize new ones. Ideally, access policies should be applied at the point where access is requested; this provides a preventive control that complements the detective control provided by periodic access review.
Managing risk requires more than the traditional IT-centric view of entitlements. Accountability for linking entitlements to business roles and business roles to people must be shared by business managers if unnecessary risks are to be avoided. But business managers must be able to understand what the entitlement is, whether it is appropriate for a user’s role in the organization and who has it or will have it as a result of the certification. In addition, the manager must know or otherwise be guided by the relevant regulatory requirements and internal policies that need to be enforced in order to ensure good access governance.
Mitigating risk requires a dynamic process for detecting access that is in policy violation. It must automatically kick off an access rights remediation workflow to address these issues without having to wait for a periodic access review.
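The checks described in this article (entitlement inertia and toxic combinations in challenge 1, orphaned accounts in challenge 2, policy evaluated at request time, and dynamic detection that feeds a remediation workflow) can be reduced to a small policy engine over HR identities and application accounts. The following is an added illustration, not code from the article or from Aveksa; the role-to-entitlement mapping, the segregation-of-duties rules, and all identity and account data are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy (not from the article): which entitlements each
# business role legitimately needs, and which pairs are toxic combinations.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "enter_invoice"},
    "gl_accountant": {"post_journal"},
}
SOD_RULES = [("create_vendor", "approve_payment"), ("post_journal", "approve_journal")]

@dataclass
class Identity:
    user: str
    role: str          # current business role as recorded by HR
    active: bool       # False once the employee has been off-boarded
    entitlements: set  # what the user actually holds in the application

def find_violations(identities, app_accounts):
    """Detective control: return (user, issue, detail) findings for the remediation workflow."""
    findings = []
    known = {i.user for i in identities}
    # Challenge 2: accounts in the application repository with no HR identity behind them.
    for acct in app_accounts:
        if acct not in known:
            findings.append((acct, "orphaned_account", "no matching HR identity"))
    for i in identities:
        # Lax termination: a former employee still holds entitlements.
        if not i.active:
            if i.entitlements:
                findings.append((i.user, "terminated_with_access", sorted(i.entitlements)))
            continue
        # Challenge 1: entitlements carried over from a previous role.
        excess = i.entitlements - ROLE_ENTITLEMENTS.get(i.role, set())
        if excess:
            findings.append((i.user, "entitlement_inertia", sorted(excess)))
        # Toxic combinations that violate segregation of duties.
        for a, b in SOD_RULES:
            if {a, b} <= i.entitlements:
                findings.append((i.user, "sod_violation", f"{a}+{b}"))
    return findings

def request_allowed(identity, new_entitlement):
    """Preventive control: evaluate the SoD policy at request time, before access is granted."""
    proposed = identity.entitlements | {new_entitlement}
    return not any({a, b} <= proposed for a, b in SOD_RULES)

# Constructed sample data: alice was promoted from ap_clerk and kept create_vendor,
# carol has left the company, and svc_legacy exists only in the application.
IDENTITIES = [
    Identity("alice", "ap_manager", True, {"create_vendor", "enter_invoice", "approve_payment"}),
    Identity("bob", "gl_accountant", True, {"post_journal"}),
    Identity("carol", "ap_clerk", False, {"enter_invoice"}),
]
APP_ACCOUNTS = ["alice", "bob", "carol", "svc_legacy"]
```

Running `find_violations(IDENTITIES, APP_ACCOUNTS)` flags alice for both inertia and an SoD violation, carol as terminated with access, and svc_legacy as orphaned, while `request_allowed` blocks bob from being granted approve_journal on top of post_journal.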
Automation is the only way to ensure that the right people are quickly informed of policy violations. It is also the only way to ensure that these violations are quickly dealt with and that the change request for the entitlement has been validated. By validating change requests, corporate IT and security managers will be able to more effectively balance the demands of regulatory compliance and management of access-related risk, while enabling a speedy process for access delivery.
Deepak Taneja is the founder, president and CTO of Aveksa, a provider of enterprise access governance solutions.