Monday, April 5, 2010

Excessive Access Rights


Deloitte, in The 6th Annual Global Security Survey, reports that excessive access rights was the top "internal/external audit finding over the past 12 months" -- for the second year in a row.

What is meant by "excessive access rights", why is it important, and why did it remain the top audit finding in 2008 after all the attention it drew by being the top audit finding in 2007? In other words, why is this a hard problem to solve?

A cornerstone of security best practices -- and therefore of compliance requirements -- is to limit access to critical resources to only those employees and users who have a legitimate business need to access those resources. As a result, most companies adopt a policy of "least privilege" which is intended to restrict users to access only those applications that are required to do their job. See the table below for the relevant least privilege text in each of the major regulatory frameworks:
[Table not reproduced in this copy: "Least Privilege text" by regulatory framework]
Whereas least privilege is the best practice, excessive access rights result from failing to achieve an idealized implementation of least privilege. And in the real world, completely eliminating excessive access rights is practically impossible.

The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights at or below the target. And the tradeoff in establishing a "reasonable" target is -- you guessed it -- cost. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measurable process that demonstrates visibility (can the company detect when it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).

Why is this so hard?

In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometimes undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.
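The metric described above (excessive rights as a percentage of rights granted, checked against a target) and the churn just listed (terminations, expired contractors, transfer overlap) can be made concrete with a small reconciliation of an HR roster against an application entitlement export. This is an added example, not code from the original post or from any product; the roster, role baseline, entitlements and the 30-day transfer grace period are constructed assumptions.

```python
from datetime import date, timedelta
# Constructed sample data (not from the post): the HR roster and the application
# entitlement export that a pre-audit review reconciles by hand.
ROLE_RIGHTS = {  # rights each role legitimately needs (the least-privilege baseline)
    "accounts_payable": {"erp:ap_invoice", "erp:vendor_master"},
    "sales":            {"crm:read", "crm:write"},
    "engineering":      {"scm:commit", "ci:deploy"},
}
HR = {  # status, current role, optional previous role/transfer date, contract end
    "alice": {"status": "active",     "role": "accounts_payable"},
    "bob":   {"status": "terminated", "role": "sales"},
    "carol": {"status": "active",     "role": "engineering",
              "prev_role": "accounts_payable", "transfer_date": "2010-01-15"},
    "dave":  {"status": "contractor", "role": "sales", "end_date": "2010-03-01"},
}
ENTITLEMENTS = [  # (user, right) pairs as exported from the applications
    ("alice", "erp:ap_invoice"), ("alice", "erp:vendor_master"), ("alice", "scm:commit"),
    ("bob", "crm:read"), ("bob", "crm:write"),
    ("carol", "scm:commit"), ("carol", "ci:deploy"), ("carol", "erp:ap_invoice"),
    ("dave", "crm:read"),
]

def find_excessive(entitlements, hr, role_rights, as_of, transfer_grace_days=30):
    """Return (user, right, reason) for each granted right with no business need."""
    today, findings = date.fromisoformat(as_of), []
    for user, right in entitlements:
        rec = hr.get(user)
        if rec is None:
            findings.append((user, right, "no HR record"))
        elif rec["status"] == "terminated":
            findings.append((user, right, "terminated"))
        elif "end_date" in rec and today > date.fromisoformat(rec["end_date"]):
            findings.append((user, right, "contract ended"))
        elif right in role_rights[rec["role"]] or (
                "prev_role" in rec and right in role_rights[rec["prev_role"]]
                and today <= date.fromisoformat(rec["transfer_date"])
                             + timedelta(days=transfer_grace_days)):
            pass  # needed by the current role, or an old-role right still in its grace period
        else:
            findings.append((user, right, "not required by role " + rec["role"]))
    return findings
def excess_rate(entitlements, findings):
    # excessive rights as a percentage of all rights granted (the management metric)
    return 100.0 * len(findings) / len(entitlements)

def meets_target(rate, target_pct):
    return rate <= target_pct  # the compliance check against the agreed target

found = find_excessive(ENTITLEMENTS, HR, ROLE_RIGHTS, as_of="2010-04-05")
print(found, "excess rate: %.1f%%" % excess_rate(ENTITLEMENTS, found))
```

Re-running the same reconciliation on each export and recording when each finding disappears gives the two numbers auditors ask for: the current excess rate and the time from detection to remediation.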

Companies large and small that we have talked to employ different approaches to this issue, with equal lack of success. Mostly, they do manual reviews prior to audits, going through HR records, reviewing application logs, and interviewing LOB managers -- a process consistently referred to as a fire drill. Other approaches include development of custom reports for SEIM and log management systems, and network-based user activity monitoring.

As the Deloitte survey reports -- and customers confirm -- current approaches have failed to achieve the desired and necessary level of compliance. My prior company, Cloud Compliance, was founded to address this specific problem. Unfortunately, we were unable to raise venture funding. And so, as far as I know, there are no available solutions to comprehensively address this issue.
