A survey by the Ponemon Institute found that more than half of respondents felt they had access to confidential information not necessary to perform their jobs. Are there best practices available for user privilege oversight to reduce insider threats to enterprises?
Answered by Randall Gamby, SearchSecurity.com's resident expert on identity management and access control.
This question comes up a lot, and it reflects how provisioning and attestation services are still not delivering the capabilities promised by many vendors.
User account provisioning is still the No. 1 struggle in most organizations' IT departments, from both a management and a security standpoint. But the problem isn't in the technologies that many companies have put in place; it's in the processes that revolve around privileged access management. While most organizations put vast resources into process and technology development for enabling their workers to get to the information they need to conduct day-to-day business, the rest of the account lifecycle process – periodic review, modifying accounts and eventual removal/deletion – invariably gets put on the back burner.
At the macro level, organizations continuously advance, demote and off-board workers. While companies try to ensure their employees have the access they need, due to the fast pace of business, many are sloppy about “cleaning up” when their workers no longer need access to the information they once had. Per your question, this often results in people retaining “…access to confidential information not necessary to performing their jobs.” However, the good news is, this can generally be solved by taking the following steps:
- Create a lifecycle management process: Ensure the business problem of information access is looked at and addressed from a holistic view – not only provisioning users for the information they need, but also handling changes and access removal.
- Include checkpoints: Require periodic attestation from workers' managers that asks, "Is the worker's current access correct?" and adjust accordingly.
- Create reports: Capture the transactions created by the company's provisioning services and create executive-level reports on access. Upon review, if the reports identify that the majority of the transactions being executed are "adds," most likely workers are continuing to be granted access to information they no longer need.
- Provide self-service provisioning changes: Changes and deletions often go unreported because the process is too cumbersome. By incorporating self-service capabilities into your provisioning services – along with some training – the process becomes more user-friendly and encourages management to use the tools provided.
- Audit your accesses: Every organization should take the time to do a yearly audit of user access. This doesn't mean you need to do a six-month study. The organizations that are most successful at privileged access audits create a rotating schedule of yearly reviews on logically segmented components of their organizations.
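As an added illustration of the "create reports" and "include checkpoints" steps above (example code written for this page, not part of the original answer or any product): a small Python script that replays a constructed provisioning log, applies the "mostly adds" heuristic, and builds the list of access a manager should re-attest after a role change or revoke after off-boarding. The log format, field names and action vocabulary are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log (not real data): date,user,action,target,manager; action is add|remove|role_change|offboard
SAMPLE_LOG = """\
2024-01-05,alice,add,finance-reports,bob
2024-01-05,alice,add,hr-portal,bob
2024-02-10,alice,role_change,marketing-analyst,carol
2024-02-11,alice,add,campaign-data,carol
2024-01-20,dave,add,finance-reports,bob
2024-03-01,dave,offboard,-,bob
2024-03-02,erin,add,hr-portal,bob
2024-03-15,erin,remove,hr-portal,bob
"""

def parse(text):
    txns = []
    for line in text.strip().splitlines():
        d, user, action, target, manager = line.split(",")
        txns.append({"date": date.fromisoformat(d), "user": user,
                     "action": action, "target": target, "manager": manager})
    return sorted(txns, key=lambda t: t["date"])  # stable sort keeps log order within a day

def adds_dominate(txns):
    # The answer's report heuristic: if most transactions are adds, clean-up is not happening.
    return Counter(t["action"] for t in txns)["add"] > len(txns) / 2

def review_findings(txns):
    """Replay the log and list access a manager should re-attest or revoke."""
    access = defaultdict(dict)  # user -> {entitlement: date granted}
    role_changed = {}           # user -> date of most recent advance/demote
    offboarded = set()
    for t in txns:
        u, a = t["user"], t["action"]
        if a == "add":
            access[u][t["target"]] = t["date"]
        elif a == "remove":
            access[u].pop(t["target"], None)
        elif a == "role_change":
            role_changed[u] = t["date"]
        elif a == "offboard":
            offboarded.add(u)
    findings = []
    for u, ents in access.items():
        for ent, granted in sorted(ents.items()):
            if u in offboarded:
                findings.append((u, ent, "still provisioned after offboarding"))
            elif u in role_changed and granted < role_changed[u]:
                findings.append((u, ent, "granted before role change; re-attest"))
    return findings
```

Run on the sample, `adds_dominate` is true (five of eight transactions are adds), and the findings flag Alice's two pre-role-change entitlements for attestation and Dave's leftover access after off-boarding for removal.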
With a bit of discipline, time and effort, unnecessary access can be greatly reduced, if not totally brought to an end, by following these steps.