Can Access Governance Reduce Insider Threat Risks?
Access governance is currently one of the hottest topics when it comes to organizations securing their networks and data. Data breaches from outside hackers has always been big news – consider the coverage of the Target and Sony hacks, just to name a few of recent years. These external breaches gather a lot of attention because they affect the personal data of millions of people. Insider hacks, or data breaches by employees and contractors, also happen with alarming regularity but tend to be less newsworthy as companies are quite often happy to keep it as quiet as possible.
This insider threat is what had led to access governance being so topical. Undoubtedly, employees, consultants and contractors need access to applications and data to perform their jobs and complete projects. The key to access governance is ensuring that users have the correct access to applications and data from the approved devices that are used at the right times. To ensure that employee access rights are correct, and stay that way, it is important to have the right modeling in place. The model should be as simplistic and feasible yet thorough enough to minimize disruption to the employee and the IT staff.
So what would an access governance model look like? Consider your organization’s departmental hierarchy. Is there a way to link the resources and/or access one requires to location, department and title or job role? Chances are your HR system contains all the relevant data needed to begin the process of mapping resources against these attributes.
After collecting the requisite data, the next step is to evaluate the current rights of the users to the ideal data model. By performing this comparison, you will most likely realize that there are certain applications that everyone in the organization has access to. These become the base – rights to email, MS Office, etc. should be granted to every employee. As you continue the analysis, the access required by department, location and role will become apparent as well. Consultants need access to a time reporting system; finance requires access to AP or AR, or both in some roles. What will also become apparent are the discrepancies. A sales person may need access to project management for their territory data but should not have access to accounts belonging to another district while sales management needs access to areas. Conversely, project managers need access to data about pending installs but should not be able to access pipeline reports.
Once all of the discrepancies have been identified, the process of correcting access rights can begin. The easiest method to perform this is to shut off rights that are outside the norm. Inevitably, this will result in complaints from users and managers all while overloading the Help Desk with resetting permissions needed. A better methodology is having the managers of users whose rights vary from the model attest to the discrepancy – providing an explanation of why the variance exists and whether it should be temporary or permanent.
So once the process is completed, everyone can take a breath and rest assured that insider access it completely accurate and in line – confident that the next IT audit will be passed with flying colors? Wishful thinking… Every day, changes occur – new applications come into use while old ones are decommissioned; employees switch roles or departments; one employee fills in for another one leave, consultants need special access for a short term project; and the list goes on ad infinitum.
Obviously, a medium-size company would require a staff of two or more IT personnel just to keep up with the changes to the access rights structure on a consistent basis and even then, errors could potentially occur. Fortunately, automated access governance applications, once relegated only to the largest organizations because of cost and complexity, have become more mainstream as affordability and ease of implementation have become the new reality. The latest generation AG systems can be phased in over time to minimize disruption and provide maximum return on investment at each stage of the process.
Most companies start out with the basic step of automating the process of user account creation and deletion. This allows new employees to be created without manual intervention with a base set of access rights relevant to their position. If additional resources are required, the employee simply goes to a web portal and makes the request. Once a manager approves the addition, the AG system processes the change to the network automatically. If the change involves a system that is not connected to the AG engine, a ticket is generated to the helpdesk for completion. The other side of this automated process is the deletion of an employee immediately upon their separation from the company. This ensures that access to everything for the former employee is disabled without delay and reduces risk of data exposure.
The next step is putting processes in place for continuous auditing. Any changes to the norm for a specific role should be noted and approved by the person’s manager. This ensures that any “back door” changes do not go unnoticed and are corrected, or justified, in the shortest timeframe possible. More advanced AG application allow for modeling of “what if” scenarios as well. By using the modeling, IT and management can easily determine the effect of a change to the AG model prior to implementation. For example, if we add a new cloud application to a certain role, how many people will actually get access and how much will that cost the organization. Conversely, if we shut down an application, how many people will be impacted and require a replacement? The result of the modeling is better intelligence before a final decision is executed.
Another day, another data breach – it doesn’t have to be! While outside hackers will, unfortunately, continue to make the headlines, the implementing of proper controls on internal users via an access governance system, limits the opportunity of inside threats.