Find White Papers

Managing Risk for Effective Access Governance

By: Aveksa
Published: Feb 01, 2008
Length: 12
Type: White Paper
Overview:

User access-related business risk comprises a broad array of potentially damaging events that are caused, or made possible, by inadequate governance of access to an enterprise's information assets. Such events range from relatively minor policy and compliance violations to disastrous business losses. The stakes involved in access-related risk have risen dramatically in recent years as organizations have come to run nearly every operation on technology.

With nearly every facet of large enterprises’ operations now dependent on or supported by automated systems, risks related to unauthorized or inappropriate access can appear anywhere within an organization at any time and spread rapidly through the business. The potential cost to the business in terms of lost revenue and increased expense or in damage to customer relationships as well as the loss of corporate brand and reputation is virtually unlimited.

This paper discusses the consequences of unacceptable levels of risk and presents a model for managing access-related risk.

Browse Related Categories: Access Control, Compliance, Corporate Governance, Governance, Risk Management

Access Control Information:
The business risks associated with granting users access to information resources include a broad array of potentially damaging events that are caused, or made possible, by inadequate governance. Such events range from relatively minor policy and compliance violations to disastrous business losses. The demands of regulatory compliance are among the factors driving corporate IT and security managers to improve their access governance processes, but the issues are broader and deeper than the scope of any single regulation.

The stakes involved in access-related risk have risen dramatically in recent years as organizations have come to run nearly every operation on technology. With nearly every facet of large enterprises' operations now dependent on or supported by automated systems, risks related to unauthorized or inappropriate access can appear anywhere within an organization at any time and spread rapidly through the business. All it takes is a single person with the wrong access. The potential cost to the business, whether in lost revenue and increased expense, in damaged customer relationships, or in loss of corporate brand and reputation, is virtually unlimited.

However, the same trends that have extended technology to every corner of the enterprise have also dictated that legitimate users, whether employees, contractors, or partners, be granted access quickly whenever they need it. An organization's IT infrastructure today must be responsive to user demands and somewhat porous in order for business to be transacted. Enforcing security cannot come at the expense of the business being able to move forward and take advantage of marketplace opportunity. While access-related risk cannot be entirely eliminated, it must be monitored, managed, and mitigated through a sound approach to governance.

Corporate boards of directors and senior management teams are focusing on access-related risk as never before, but primary responsibility for managing it usually still resides with the IT security organization. As a result, many IT security managers are caught between competing pressures: to provide ready access to legitimate users while not allowing access-related vulnerabilities to turn into operating performance problems, information theft, compliance violations, or shareholder valuation concerns. In fact, the 2007 Deloitte Global Security Survey of financial services executives revealed what Deloitte termed the "Security Paradox": business executives are becoming more aware of IT security issues, yet ownership of the solution still lies with the IT department. This is highlighted by the fact that only 10% of survey respondents had information security led by a business line leader.

Other findings of the 2007 survey include:

- 91 percent of participants are concerned about employee security weaknesses.

- 79 percent of participants cite the human factor as the root cause of information security failures.

When does access-related risk become unacceptable?

The foundation of any access risk management initiative should be adherence to the principle of least privilege: legitimate users should have no more access than the minimum required to do their jobs. Least privilege goes beyond identity and entitlement management as usually practiced. It encompasses variables such as a user's business role and the level of entitlement held within each particular IT resource. Only by understanding this full context can a user be matched with entitlements in such a way that access is limited to the minimum required to execute the job function and that all non-compliant access is eliminated.

Unacceptable access risks begin to appear when this principle is violated, and they often result from one of four causes.

Entitlement inertia is the failure to remove previously issued entitlements once they are no longer necessary or appropriate. It is not unusual, for example, for employees to accumulate unnecessary access privileges as they are promoted or transferred within an organization. A Human Resources administrator with access to confidential employee records who is transferred to Accounting should not retain access to HR systems. An IT manager who moves from a system administrator role to a development role should no longer have access to the production systems he was administering. Over time, some of these leftover entitlements become segregation-of-duties violations or other security risks. If an organization's termination procedures are lax, former employees may even retain some or all of their access entitlements after their employment has ended.
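The cases above (access left over from a previous role, access retained after termination, and the segregation-of-duties conflicts that inertia produces) are exactly what a periodic access review is meant to surface. The following is an added example, not code from the paper or from Aveksa: it reconciles a constructed HR roster against a constructed entitlement export using an assumed per-department least-privilege baseline and an assumed list of toxic entitlement pairs, and it also flags accounts that have no owner in HR at all, which is the same failure mode seen from the other side. All names, systems and entitlement strings are invented for illustration.

```python
"""Added example: a minimal access-review check for entitlement inertia.

Reconciles an HR roster against an entitlement export and reports every grant
that violates least privilege. The roster, export, role baseline and SoD rules
below are all constructed for this example and are not taken from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed HR roster: user -> (current department, employment status).
HR_ROSTER = {
    "alice": ("Accounting", "active"),     # transferred here from HR
    "bob":   ("Development", "active"),    # used to be a production sysadmin
    "carol": ("Accounting", "terminated"),
    "dave":  ("Accounting", "active"),
}

# Constructed entitlement export: (user, entitlement) rows as a provisioning
# system or connector would emit them.
ENTITLEMENT_EXPORT = [
    ("alice", "gl_post"),
    ("alice", "hr_records_read"),    # left over from the HR role
    ("bob",   "dev_repo_write"),
    ("bob",   "prod_root"),          # left over from the sysadmin role
    ("carol", "gl_post"),            # terminated user still provisioned
    ("dave",  "gl_post"),
    ("dave",  "ap_create_vendor"),
    ("dave",  "ap_approve"),         # toxic combination with ap_create_vendor
    ("eve",   "gl_post"),            # no HR record at all (orphan account)
]

# Assumed least-privilege baseline: the entitlements each department needs.
ROLE_BASELINE = {
    "HR":          {"hr_records_read", "hr_records_write"},
    "Accounting":  {"gl_post", "ap_create_vendor", "ap_approve"},
    "Development": {"dev_repo_write"},
    "SysAdmin":    {"prod_root"},
}

# Assumed segregation-of-duties rules: no single user may hold both.
SOD_CONFLICTS = [("ap_create_vendor", "ap_approve")]


@dataclass(frozen=True, order=True)
class Finding:
    user: str
    kind: str    # excess_entitlement | terminated_with_access | no_hr_record | sod_conflict
    detail: str


def review_access(roster, export, baseline, sod_rules):
    """Return a sorted list of Findings, one per offending grant or SoD pair."""
    held = defaultdict(set)
    for user, entitlement in export:
        held[user].add(entitlement)

    findings = []
    for user, entitlements in held.items():
        if user not in roster:
            # Nobody in HR owns this account, so it cannot be reviewed: flag every grant.
            findings.extend(Finding(user, "no_hr_record", e) for e in sorted(entitlements))
            continue
        department, status = roster[user]
        if status != "active":
            # Termination procedures should already have removed all of these.
            findings.extend(Finding(user, "terminated_with_access", e) for e in sorted(entitlements))
            continue
        allowed = baseline.get(department, set())
        # Anything outside the current role's baseline is inertia from an earlier role.
        findings.extend(Finding(user, "excess_entitlement", e) for e in sorted(entitlements - allowed))
        # Toxic combinations are flagged even when each grant is individually in baseline.
        for first, second in sod_rules:
            if first in entitlements and second in entitlements:
                findings.append(Finding(user, "sod_conflict", f"{first}+{second}"))
    return sorted(findings)


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENT_EXPORT, ROLE_BASELINE, SOD_CONFLICTS):
        print(f"{f.user:6} {f.kind:24} {f.detail}")
```

Run as-is it reports five findings: alice's leftover HR read access, bob's leftover production root, carol's post-termination grant, dave's create-vendor/approve conflict, and eve's orphan account. Note that dave's two grants are each within the Accounting baseline, which is why the SoD check has to run separately from the baseline comparison; a baseline that permits a toxic pair is itself a role-design defect the review should drive back to the role owners.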
