
The business risks associated with providing users with
access to information resources can include lost revenue, increased
expense, and damage to customer relationships and the corporate brand.
With nearly every facet of a large enterprise's operations now
dependent on or supported by automated systems, risks related to
unauthorised or inappropriate access can appear anywhere within an
organisation at any time and spread rapidly through the
business, writes Brian Cleary, vice-president of products
and marketing at Aveksa.
To protect the enterprise, IT and security managers must
recognise these issues and address them with an access risk
management initiative that adheres to the principle of
least-privileged access: legitimate users should have no more
access than the minimum required to do their job. Unacceptable
access risks begin to appear when this principle is violated, and
they often result from one of four causes:
- Entitlement inertia: the failure to remove previously
issued access entitlements once they are no longer necessary or
appropriate for a particular job role.
- Compliance myopia: the mistaken assumption that compliance
with access-related regulatory guidelines ensures adequate access
risk management. Achieving compliance with one mandate does not
automatically provide controls coverage for all regulatory
requirements, nor the assurance of full access risk management.
- Rubber-stamping: occurs when business managers are asked to
review and approve access entitlements that are communicated to them
in a security syntax they cannot understand.
- Accountability loopholes: remain open as long as full
responsibility for access governance is limited to IT teams that
lack the business context to understand what level of access a
particular job function requires.
What to do about access-related risk
Avoiding the business and compliance risks associated with
providing access requires effective business policy and process
management. It is essential to monitor, manage and mitigate
access-related risk throughout the enterprise. Automation is the
key: it ensures that policies, such as compliance regulations and
industry mandates, drive the right access decisions, and it makes
the access review and certification process repeatable so that
access rights violations are remedied in a timely fashion.
Monitoring access risk requires that business managers conduct
periodic reviews of each user's specific access entitlements and
privileges, presented in an easily understood format. Ideally,
access policies should also be applied at the time access is
requested, establishing a preventative control point that
complements the periodic access review.
Managing access risk is a responsibility that must be shared by
business managers, who both understand each entitlement and whether
it is appropriate, and are guided by the relevant regulatory
requirements and internal policies that must be enforced to ensure
good access governance.
Mitigating access risk necessitates a dynamic process that
detects access violations and automatically kicks off an access
rights remediation workflow to address these issues.
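As an added illustration (not from the article and not Aveksa's product code), the following Python sketches the monitor, manage and mitigate cycle described above: a periodic certification that reports each least-privilege violation in plain language to the accountable business manager, and a request-time check that applies the role baseline before access is granted. The entitlement identifiers, roles, users and the segregation-of-duties policy are all constructed for the example.

```python
from collections import namedtuple
# Constructed catalogue (hypothetical identifiers). Plain-language descriptions let a
# business manager judge an entitlement without decoding security syntax.
CATALOGUE = {
    "AD:GRP-FIN-AP-READ": "View accounts-payable records",
    "AD:GRP-FIN-AP-WRITE": "Create and approve accounts-payable payments",
    "SAP:ROLE-GL-POST": "Post journal entries to the general ledger",
}
# Least-privilege baseline: the minimum each job role needs, nothing more.
ROLE_BASELINE = {
    "ap-clerk": {"AD:GRP-FIN-AP-READ"},
    "ap-manager": {"AD:GRP-FIN-AP-READ", "AD:GRP-FIN-AP-WRITE"},
    "gl-accountant": {"SAP:ROLE-GL-POST"},
}
# Segregation-of-duties policy: entitlement pairs one person must never hold together.
TOXIC_PAIRS = [({"AD:GRP-FIN-AP-WRITE", "SAP:ROLE-GL-POST"}, "create payments and post them")]
# grants: entitlement -> role held when it was granted; manager: accountable business owner.
User = namedtuple("User", "name role manager grants")
Finding = namedtuple("Finding", "user manager entitlement cause action")

def review(users):
    """Periodic certification: one finding per least-privilege or SoD violation."""
    findings = []
    for u in users:
        for ent, granted_in in u.grants.items():
            if ent in ROLE_BASELINE[u.role]:
                continue
            # Kept from an earlier role = entitlement inertia; else over-provisioned.
            cause = "entitlement inertia" if granted_in != u.role else "over-provisioned"
            findings.append(Finding(u.name, u.manager, ent, cause,
                f"Revoke '{CATALOGUE[ent]}' ({ent}); not needed for role {u.role}"))
        for pair, effect in TOXIC_PAIRS:
            if pair <= set(u.grants):
                findings.append(Finding(u.name, u.manager, "+".join(sorted(pair)),
                    "segregation of duties", f"Remove one of the pair; user can {effect}"))
    return findings

def check_request(user, ent):
    """Preventative control applied at request time, before anything is granted."""
    if ent not in ROLE_BASELINE[user.role]:
        return False, f"'{CATALOGUE.get(ent, ent)}' is outside the {user.role} baseline"
    if any(pair <= set(user.grants) | {ent} for pair, _ in TOXIC_PAIRS):
        return False, "request would create a segregation-of-duties conflict"
    return True, "approved"
# Constructed sample: alice changed role but kept an old entitlement (a toxic pair).
SAMPLE_USERS = [
    User("alice", "gl-accountant", "bob", {"SAP:ROLE-GL-POST": "gl-accountant",
                                           "AD:GRP-FIN-AP-WRITE": "ap-manager"}),
    User("carol", "ap-clerk", "dave", {"AD:GRP-FIN-AP-READ": "ap-clerk"}),
]
```

Each `Finding` carries the manager's name so the remediation workflow is routed to someone with the business context to decide, rather than left with IT alone.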
Automation is the only way to ensure that the right people are
quickly informed of policy violations, that the violations are dealt
with quickly, and that the resulting entitlement change request has
been validated. This enables corporate IT and security managers to
balance effectively the demands of regulatory compliance and the
management of access-related risk, while keeping the process for
access delivery fast.