The access review process needs a defined workflow: a baseline of access policies must be reviewed and approved by application owners, and every subsequent change to access rights should be reviewed and approved in the same way. Access certification tools, including those embedded in identity management provisioning systems from various vendors, can assist with the review process.
In some cases, a third-party security tool like CA Inc.'s Access Control or Symark International Inc.'s PowerBroker is required to limit privileged user access. For example, rather than giving the UNIX database administrator access to the root account just so the database server can be restarted, the security tool can delegate only the restart command to the administrator's own named account, leaving the rest of root's privileges out of reach and tying each privileged action to a real user in the audit trail. The delegated command has to be chosen with care: anything that can spawn a shell or open an editor hands back full root interactively.
Some organizations use two separate accounts per administrator to address excessive user privilege. The first is the "everyday" account for routine activities such as logging onto Windows workstations and checking email. The second is used only for administrative tasks that require high privilege, including work on high-risk production systems. Because the high-privilege account is never used for everyday tasks, its exposure to malware is limited. However, splitting accounts controls when high privilege is exercised, not how much is granted: if the administrative account itself holds more rights than its tasks need, the two-account approach does nothing about that excess.
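The delegation described two paragraphs above, expressed with the open-source sudo rather than either commercial product the article names, as an added illustration that is not part of the original article. The account name dba_adm (the DBA's dedicated administrative account, separate from the everyday one as in the paragraph above), the PostgreSQL service name and the command paths are assumptions.

```sudoers
# Overly broad (the "before"): the DBA's account can run anything as root.
# dba_adm   ALL=(ALL) ALL

# Delegated (the "after"): only these exact commands, run as root,
# from the DBA's administrative account. Full paths, no wildcards,
# and no command that can drop to a shell or an editor.
# Service name and paths are assumed for the example.
Cmnd_Alias DB_RESTART = /usr/bin/systemctl restart postgresql.service, \
                        /usr/bin/systemctl status postgresql.service

dba_adm   ALL=(root) DB_RESTART
```

Install the fragment with visudo, which refuses to save a file with a syntax error, and confirm the result with `sudo -l -U dba_adm`, which lists exactly the commands that account may run. The root password is never shared; the DBA authenticates as dba_adm, and every invocation is logged under that name.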
Balancing user access between the too lenient and the overly strict can be a challenge, but with these best practices, it can be a bit less daunting.
About the author:
Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 18 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM for CA Inc., as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
This was first published in June 2009