A survey by the Ponemon Institute found that more than half of respondents felt they had access to confidential information not necessary to perform their jobs. Are there best practices available for user privilege oversight to reduce insider threats to enterprises?
Answered by Randall Gamby, SearchSecurity.com's resident expert on identity management and access control.
This question comes up a lot and is a reflection of how provisioning and attestation services are still not fulfilling the capabilities promised by many vendors.
User account provisioning is still the No. 1 struggle in most organizations' IT departments, from both a management and a security standpoint. But the problem isn't in the technologies that many companies have put in place; it's in the processes that revolve around privileged access management. While most organizations put vast resources into process and technology development for enabling their workers to get to the information they need to conduct day-to-day business, the rest of the account lifecycle – periodic review, modifying accounts and eventual removal/deletion – invariably gets put on the back burner.
At the macro level, organizations continuously advance, demote and off-board workers. While companies try to ensure their employees have the access they need, the fast pace of business means many are sloppy about "cleaning up" when their workers no longer need access to the information they once had. Per your question, this often results in people retaining "access to confidential information not necessary to perform their jobs." The good news is that this can generally be solved by taking the following steps:
- Create a lifecycle management process - Ensure the business problem of information access is looked at and addressed from a holistic view – not only provisioning users for the information they need, but also handling changes and access removal.
- Include check points - Require periodic attestation from workers' managers that asks, "Are the worker's current accesses correct?" and adjust accordingly.
- Create reports - Capture the transactions created by the company's provisioning services and create executive-level reports on access. If the reports show that the majority of the transactions being executed are "adds," workers are most likely continuing to be granted access to information they no longer need, with little being taken away.
- Provide self-service provisioning changes - Changes and deletions often go unreported because the process is too cumbersome. By incorporating self-service capabilities into your provisioning services – along with some training – the process becomes more user-friendly and encourages management to use the tools provided.
- Audit your accesses - Every organization should take the time to do a yearly audit of user access. This doesn't mean you need to do a six-month study. The organizations that are most successful at privileged access audits create a rotating schedule of yearly reviews on logically segmented components of their organizations.
With a bit of discipline, time and effort, unnecessary access can be greatly reduced, if not totally brought to an end, by following these steps.
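The "check points", "create reports" and "audit" steps above can be turned into a small, repeatable report over a provisioning service's transaction export. The script below is an added example, not part of the original column or any vendor's product: it reconstructs each user's current entitlements from a constructed add/modify/remove log, measures whether "adds" dominate the transaction mix, flags off-boarded users who still hold access, and lists users whose access has not been attested by a manager within a review window. The log format, field names, the 180-day attestation window and the sample HR and attestation data are all assumptions.

```python
"""Access-lifecycle report over a provisioning transaction log (added example).

Everything here is constructed for illustration: the CSV export format, the
HR off-boarding feed, the attestation records and the review window are all
assumptions, not the format of any particular provisioning product.
"""
from collections import Counter
from datetime import date, timedelta
import csv
import io

# Constructed export from a hypothetical provisioning service:
# date, action (add|modify|remove), user, entitlement
PROVISIONING_LOG = """\
2012-01-05,add,alice,finance-reports
2012-01-05,add,alice,crm-readonly
2012-02-11,add,carol,finance-reports
2012-03-02,add,dave,hr-payroll
2012-03-20,modify,alice,crm-readonly
2012-04-14,add,carol,hr-payroll
2012-05-01,remove,dave,hr-payroll
2012-05-09,add,dave,crm-readonly
"""

# Constructed HR off-boarding feed: user -> termination date.
OFFBOARDED = {"carol": date(2012, 5, 15)}

# Constructed attestation records: user -> last date a manager confirmed
# that the user's access was correct (the "check point" step).
LAST_ATTESTED = {"alice": date(2011, 9, 30), "dave": date(2012, 5, 9)}

# Date the report is run and the assumed maximum age of a valid attestation.
AS_OF = date(2012, 6, 1)
ATTESTATION_WINDOW_DAYS = 180


def parse_log(text):
    """Parse the constructed CSV export into a list of transaction dicts."""
    rows = []
    for ts, action, user, entitlement in csv.reader(io.StringIO(text)):
        rows.append({"date": date.fromisoformat(ts), "action": action,
                     "user": user, "entitlement": entitlement})
    return rows


def action_mix(rows):
    """Share of each action type across all transactions."""
    counts = Counter(r["action"] for r in rows)
    total = sum(counts.values())
    return {action: n / total for action, n in counts.items()}


def adds_dominate(rows):
    """The warning sign from the column: a majority of transactions are adds."""
    return action_mix(rows).get("add", 0.0) > 0.5


def current_entitlements(rows):
    """Replay the log in date order to get each user's current holdings."""
    holdings = {}
    for r in sorted(rows, key=lambda r: r["date"]):
        held = holdings.setdefault(r["user"], set())
        if r["action"] == "add":
            held.add(r["entitlement"])
        elif r["action"] == "remove":
            held.discard(r["entitlement"])
        # 'modify' leaves the entitlement in place; it still counts in the mix.
    return {user: held for user, held in holdings.items() if held}


def orphaned_access(holdings, offboarded, as_of):
    """Users already off-boarded by HR who still hold entitlements."""
    return {user: sorted(held) for user, held in holdings.items()
            if user in offboarded and offboarded[user] <= as_of}


def overdue_attestations(holdings, last_attested, as_of,
                         max_age_days=ATTESTATION_WINDOW_DAYS):
    """Users holding access whose manager attestation is missing or too old."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(user for user in holdings
                  if last_attested.get(user, date.min) < cutoff)


def build_report(log_text=PROVISIONING_LOG, as_of=AS_OF):
    """Assemble the executive-level summary as a plain dict."""
    rows = parse_log(log_text)
    holdings = current_entitlements(rows)
    return {
        "action_mix": action_mix(rows),
        "adds_dominate": adds_dominate(rows),
        "orphaned_access": orphaned_access(holdings, OFFBOARDED, as_of),
        "overdue_attestations": overdue_attestations(holdings, LAST_ATTESTED, as_of),
    }


if __name__ == "__main__":
    for section, value in build_report().items():
        print(f"{section}: {value}")
```

Run against the constructed data, the report shows adds making up 75% of transactions, carol still holding two entitlements after her off-boarding date, and alice and carol past the attestation window (carol has never been attested at all). In practice the three inputs would come from the provisioning service's transaction export, the HR system and the attestation workflow, and the off-boarded and overdue lists would feed the rotating yearly review rather than a one-off study.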
This was first published in June 2012