The business risks associated with giving users access to information resources include lost revenue, increased expense, and damage to customer relationships and to the corporate brand. With nearly every facet of a large enterprise's operations now dependent on or supported by automated systems, risks related to unauthorised or inappropriate access can appear anywhere within an organisation at any time and spread rapidly through the business, writes Brian Cleary, vice-president of products and marketing at Aveksa.
To protect the enterprise, IT and security managers must recognise these issues and address them with an access risk management initiative that adheres to the principle of least privilege: legitimate users should have no more access than the minimum required to do their job. Unacceptable access risks appear when this principle is violated, and the violations usually trace back to one of four causes:
- Entitlement inertia - the failure to remove previously issued access entitlements once they are no longer necessary or appropriate for a person's job role; the typical case is a user who changes role and keeps everything the old role needed on top of what the new one requires.
- Compliance myopia - the mistaken assumption that compliance with access-related regulatory guidelines by itself ensures adequate access risk management. Achieving compliance with one mandate neither provides the controls coverage required by every other regulatory requirement nor gives assurance that access risk is fully managed.
- Rubber-stamping - occurs when business managers are asked to review and approve access entitlements that are presented to them as raw technical identifiers (group names, role codes, permission flags) they cannot interpret, so they approve whatever is put in front of them.
- Accountability loopholes - remain open as long as full responsibility for access governance is left with IT teams that lack the business context to judge what level of access a particular job function actually needs.
What to do about access-related risk
Avoiding the business and compliance risks associated with providing access requires effective business policy and process management: access-related risk must be monitored, managed and mitigated throughout the enterprise. Automation is the key on two fronts. First, it ensures that policies, whether derived from compliance regulations, industry mandates or internal rules, are actually applied when access decisions are made. Second, it makes the access review and certification process repeatable, so that access rights violations are detected and remedied in a timely fashion rather than left until the next manual audit.
Monitoring access risk requires that business managers periodically review each user's specific access entitlements and privileges, presented in a format they can understand. Ideally, access policies should also be evaluated at the time access is requested, establishing a preventive control point that complements the periodic (detective) access review.
Managing access risk is a responsibility shared between IT and the business. Business managers understand what an entitlement grants and whether it is appropriate for the job; they must be guided by the relevant regulatory requirements and internal policies that have to be enforced to ensure good access governance.
Mitigating access risk requires a dynamic process that detects access violations and automatically triggers an access rights remediation workflow to address them.
Automation is the only practical way to ensure that the right people are informed of policy violations promptly, that the violations are dealt with quickly, and that the resulting change request for the entitlements has been validated. This lets corporate IT and security managers balance the demands of regulatory compliance and access-related risk management while still delivering access quickly.
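The monitor / manage / mitigate loop above, as an added worked example that is not part of the original article and not Aveksa's product code. It models a periodic access review against a per-role entitlement baseline (catching entitlement inertia and anything beyond least privilege), a separation-of-duties check, plain-language descriptions for the business reviewer, and a preventive policy check at request time. All roles, entitlement names, separation-of-duties rules, users and dates are constructed sample data.

```python
"""Access review and request-time policy check for least-privilege access."""
from dataclasses import dataclass
from datetime import date

# Hypothetical role baselines: the minimum entitlements each job needs.
ROLE_BASELINE = {
    "ap_clerk": {"erp:vendor.read", "erp:invoice.create"},
    "ap_supervisor": {"erp:vendor.read", "erp:invoice.approve"},
    "dba": {"db:prod.admin"},
}

# Hypothetical separation-of-duties rules: one user may not hold both.
SOD_RULES = [
    (frozenset({"erp:invoice.create", "erp:invoice.approve"}),
     "enter and approve the same supplier invoice"),
    (frozenset({"erp:vendor.create", "erp:payment.release"}),
     "create a vendor and release payment to it"),
]

# Plain-language descriptions so reviewers are not handed raw technical names.
DESCRIPTIONS = {
    "erp:vendor.read": "view vendor master records",
    "erp:vendor.create": "create new vendors",
    "erp:invoice.create": "enter supplier invoices",
    "erp:invoice.approve": "approve supplier invoices for payment",
    "erp:payment.release": "release outgoing payments",
    "db:prod.admin": "administer the production database",
}


@dataclass
class User:
    uid: str
    role: str
    role_since: date
    granted: dict[str, date]  # entitlement -> date it was granted

    @property
    def entitlements(self) -> frozenset[str]:
        return frozenset(self.granted)


@dataclass
class Finding:
    uid: str
    entitlement: str
    reason: str
    action: str  # "revoke" (auto-remediate) or "review" (manager decides)


def describe(entitlement: str) -> str:
    return DESCRIPTIONS.get(entitlement, entitlement)


def sod_conflicts(entitlements: frozenset[str]):
    """Yield (pair, label) for every SoD rule fully contained in the set."""
    for pair, label in SOD_RULES:
        if pair <= entitlements:
            yield pair, label


def review_user(user: User) -> list[Finding]:
    """Periodic certification: flag what exceeds the role baseline or SoD."""
    baseline = ROLE_BASELINE.get(user.role, frozenset())
    findings = []
    for ent in sorted(user.entitlements):
        if ent in baseline:
            continue
        granted = user.granted[ent]
        if granted < user.role_since:  # entitlement inertia: older than the role
            reason = (f"carried over from a previous role (granted {granted}, "
                      f"current role since {user.role_since})")
        else:
            reason = f"not part of the {user.role} baseline"
        findings.append(Finding(user.uid, ent, f"{describe(ent)}: {reason}", "revoke"))
    for pair, label in sod_conflicts(user.entitlements):
        findings.append(Finding(user.uid, " + ".join(sorted(pair)),
                                f"separation of duties: could {label}", "review"))
    return findings


def evaluate_request(user: User, entitlement: str) -> str:
    """Preventive control at request time, before anything is provisioned."""
    if any(sod_conflicts(user.entitlements | {entitlement})):
        return "deny"
    if entitlement in ROLE_BASELINE.get(user.role, frozenset()):
        return "approve"
    return "escalate"  # outside the baseline: a business manager must decide


def certification_report(users: list[User]) -> dict[str, list[str]]:
    """Reviewer-facing lines per user; an empty list means nothing to certify."""
    return {u.uid: [f"[{f.action}] {f.reason}" for f in review_user(u)] for u in users}


# Constructed sample population.
USERS = [
    User("alice", "ap_supervisor", date(2009, 1, 15), {
        "erp:vendor.read": date(2007, 3, 1),
        "erp:invoice.create": date(2007, 3, 1),  # kept from her clerk days
        "erp:invoice.approve": date(2009, 1, 15),
    }),
    User("bob", "ap_clerk", date(2008, 6, 1), {
        "erp:vendor.read": date(2008, 6, 1),
        "erp:invoice.create": date(2008, 6, 1),
        "db:prod.admin": date(2008, 9, 10),  # granted for a one-off task
    }),
    User("carol", "dba", date(2006, 2, 1), {"db:prod.admin": date(2006, 2, 1)}),
]

if __name__ == "__main__":
    for uid, lines in certification_report(USERS).items():
        print(uid, lines or ["nothing to certify"])
    print("bob requests erp:invoice.approve:", evaluate_request(USERS[1], "erp:invoice.approve"))
```

Two design points matter here. The baseline check and the SoD check produce different actions: an entitlement outside the role baseline can be revoked by workflow without further discussion, whereas an SoD conflict is routed to the business manager, who is the only one who knows which of the two duties the person should keep. And the request-time check runs the same SoD rules against the user's existing entitlements plus the requested one, so a conflict is denied before provisioning instead of being discovered at the next review.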
This was first published in July 2009