As enterprises turn to Web-based applications for various uses -- from payroll, expense reporting and other employee services -- many are finding it more difficult to control access governance, according to a new survey conducted by the Ponemon Institute LLC. Outsourcing services and relying on contractors to do work is also making access a difficult problem to solve.
The survey of 728 IT professionals found many enterprises are having trouble keeping pace with access changes resulting in many employees having more access to systems than necessary. Eighty-seven percent of those surveyed said individuals had too much access to resources that are not pertinent to their job description. The figure has risen 9% from the 2008 access governance survey.
"We're finding more organizations really relying on the integrity of the end user," said Larry Ponemon, chairman and founder of the Ponemon Institute. "But access governance has become more critical as it's become more difficult to deal with the human factor."
The report, "2010 Access Governance Trends Survey," was commissioned by Waltham, Mass.-based enterprise access governance vendor Aveksa Inc.
High-profile data breaches have highlighted cases in which employees have made silly mistakes often resulting in hundreds of thousands of dollars in data breach related costs. Maintaining strong access governance to systems containing critical data could help mitigate the risk of data leakage, Ponemon said. In addition to lost and stolen laptops and portable media devices containing sensitive data, companies are at risk of external attackers constantly trying to steal passwords, and rogue employees, though less common, can cause even more costly damage.
View the 2008 survey:
Survey discovers access control problems at many firms: Despite growing data breach dangers as a result of trusted insiders, many firms are failing to implement a strong access governance program, according to a 2008 survey.
Should employees have local admin rights? While it may save you time, granting users local administrator rights also puts your organization at risk.
Adoption of cloud-based services, whether it be in the form of employee expense reporting applications, Web-based customer relationship management (CRM) suites or other Web-based collaboration platforms make access governance an even murkier issue. More than 70% of respondents say that adoption of cloud-based applications may play or already have a significant impact on business and end-users ability to circumvent existing access policies.
Attackers are looking to seize on "more complicated and sloppy infrastructure," Ponemon said. "They can gain access to a treasure trove of information from intellectual property to insider secrets and so on."
The survey data suggests the problem may be more of a "people" issue rather than a technology issue. Business managers are typically assigned to change access governance of individual employees, leaving much of the work out of the hands of IT security professionals. About 85% of respondents say accountability for governing user access owned by the business is a critical success factor for implementing access governance across the enterprise.
The issue also goes deeper than controlling access for individual employees. As more companies rely on business partners and outside contractors, access governance can become a complex problem to solve, Ponemon said. Many firms also lack access governance policies; nearly 60% of those surveyed said they lack policies or enforcement mechanisms. But having strong policies in place doesn't necessarily solve the problem, he said.
"Policy alone basically doesn't get the job done," he said."We find that people writing policies are too far away from the requirements of the job to create policies that are useful."
Often companies determine there's access governance issues when it's too late -- after the network has been penetrated or data has been breached, said Deepak Taneja, president and chief technology officer of Aveksa. Enterprises can begin by determining which applications are most sensitive and who has access to those applications, he said.
"Once you start cleaning up who has access to what, then you can put in business controls to make sure you don't fall into this pit of having employees with the ability to gain inappropriate access on a continuous basis," Taneja said.
According to the Burton Group, Aveksa and SailPoint Technologies Inc. are emerging with competing access governance technologies. UpperVision Inc. also offers identity and access governance capabilities with a strong focus on compliance. Other vendors include CA Inc., Courion Corp., IBM, Novell Inc. and Sun Microsystems Inc.(now part of Oracle Corp.), that also offer identity management suites with access governance capabilities.
Organizations paying the most attention to access governance issues typically have the strictest regulatory oversight, Ponemon said. The issue has been critical to enterprises in the financial services and health care industries, he said.
"Unfortunately it usually takes some kind of an attack or data breach that motivates C-level executives into saying they need to tackle the problem," Ponemon said. "The starting point is knowing the threat landscape and understanding which applications are business critical."