Excessive access rights. Note that despite the improvement from 2007, excessive access rights remained the top audit finding in 2008 as reported in an earlier post. Part of the reason that excessive access rights has been the top finding for the past two years is that auditors have raised the standard, from evidence of the existence of a process to evidence that the process is effective. Due to the urgency of this issue, and the lack of effective solutions available, this was an initial focus of Cloud Compliance.
Segregation of duties. Segregation of duties, also referred to as separation of duties and abbreviated SoD, is one of the most fundamental concepts of security and control, and also one of the most difficult to achieve. Cloud Compliance's innovative 3-layer rights model enabled definition of benchmark rights, where SoD concepts are embodied. Our analytics can report on inconsistencies between benchmark rights, provisioned rights and actual rights as detected by access activity in order to assure continued compliance with key segregation of duty principles.
Access control compliance with procedures. This audit issue is closely related to excessive access rights; access control is required to prevent users without appropriate rights from accessing audited resources. Cloud Compliance's Identity and Access Assessment (IdAA) solution was able to determine if access controls were effective.
Lack of audit trails/logging, lack of documentation of controls, and lack of review of audit trails. I'm grouping these three top findings together because they represent the facet of access audit where technology and process come together. Application logs, which represent the most effective way to determine user access activity, are an essential tool for ensuring that access controls are compliant. And reports that list who has access to what, along with who should have access to what, become critical components of how access controls are documented.
Excessive developers' access to production systems and data. This audit finding is challenging to address, because it's unrealistic in most operating environments to completely block developers from accessing production systems for troubleshooting and critical maintenance operations. The objective, then, is not to prevent such access but to note when it's risen to an "excessive" level. Cloud Compliance addressed this by allowing a policy to be defined where a reasonable max level of developer access to production systems could be specified, along with a lower threshold for an early warning system. Access levels could then be compared to historical equivalents for trend analysis as well.
Lack of clean-up of access rules following a transfer or termination. There's a clever vendor that claims to "take the SH out of IT". One of the reasons that there's an SH in IT in the first place is the typical IT department's need to manage rights and access rules in a real-world environment with re-org, restructurings, layoffs, role re-definitions and transfers. Especially transfers. Because transfers are not a discrete event so much as a process where an employee has overlapping responsibilities between new job and old job-and therefore must maintain access rights for both jobs. And the duration of the overlap can't be determined in advance. Cloud Compliance's advanced analytics examined user activity to determine when a user's rights to resources required for a previous role could be de-provisioned -- which ideally would be before an auditor happened to discover excessive access rights.
My prior company, Cloud Compliance, developed an Identity and Access Assessment (IdAA) solution to address the top IT audit findings as reported by Deloitte. As noted above, our initial solution helped organizations eliminate excess entitlements (also called dormant accounts, or zombie accounts). We identified users with excess entitlements, and provided tools for isolating high levels of over-entitlement by group, business unit or by application. Unfortunately, although we validated customer demand and the lack of competing solutions, we were unable to raise venture capital to scale the company.
No comments:
Post a Comment