Ronald Reagan famously said "Trust, but verify". He could very well have been talking about entitlement management systems, which manage authorization to critical applications and other IT resources. Such systems are trusted to maintain control over entitlements (also called privileges or access rights). However, the systems themselves rarely have verification or assessment capabilities. This may be adequate for smaller organizations or enterprises where roles change infrequently. But the dynamic nature of most enterprises -- with layoffs, restructurings, aggressive use of contractors and other service providers -- makes assessment not only prudent, but necessary to ensure effective access controls and audit compliance.
Entitlements
Deloitte, in The 6th Annual Global Security Survey, reports that excessive entitlements, also known as excessive access rights, was the top audit finding over the past year -- for the second year in a row! In other words, a fundamental access control that represents a compliance exposure and security vulnerability was the top audit finding in 2007 and, despite all the attention that garnered, was also the top audit finding in 2008 (the latest year for which survey data exist).
Since all major regulatory frameworks, including SOX, PCI DSS, GLBA, NERC and HIPAA, require access controls, many thousands of companies are obligated to prevent excessive access rights and yet, according to the Deloitte survey, have failed to effectively do so.
Not only is excessive access rights the top audit finding, but IDC states that such vulnerabilities result in major financial exposure -- and that up to 60% of rights on most systems are expired and therefore dormant. The problem is that IT and security staff at most companies don't know that dormant accounts exist -- or more precisely, they suspect they exist but don't know how to find or remediate them.
Why is this a hard problem to solve?
Access Controls in the Real World
A paper written by a team at Dartmouth describes observations from field study research of both retail and investment banks. The study was more in-depth than most surveys we hear about; for example, the study team was embedded for three weeks in the security group of an investment bank. The report focuses primarily on internal access controls and the risks of over-entitlement, and they directly address the challenge of effectively managing access controls.
What they found was that the frequent shifting of staff may from one department or role to another often results in users accumulating entitlements over time. Part of the problem is this: Entitlement management systems assume that an employee's direct supervisor can make informed decisions about what entitlements are required to do their job. But as the Dartmouth team points out:
"As more organizations take on a matrix structure, it becomes less evident who reports to whom and who is responsible for permitting and terminating data access."
This leads to ambiguous and unwieldy structures for assigning entitlements, or privileges, as shown in Figure 1:
Figure 1: Privileging in traditional hierarchical corporate structures (left) vs. in dynamically, "matrixed" organizations (right). An arrow represents a supervising relationship (directed graph). Note that on the left, each person has exactly one direct supervisor, whereas on the right, each may have two or more.
And even if the corporate structure and reporting relationship is clear in all cases, the degree of scale and complexity makes entitlement management a big problem as shown in Figure 2:
Figure 2: Complexity and dynamicism in entitlement systems. The number of applications, entitlements and users make it a large-scale problem, and the number of daily modifications makes it a fast-moving target.
The biggest challenge isn't the massive number of entitlements and users, however, but the highly dynamic nature of employees and organizational structure within the firm.
Conventional wisdom holds that role-based access control (RBAC) systems are the answer. By allowing organizations to segregate the massive numbers of employees and entitlements into work groups, RBAC systems make the entitlement management process more effective. But the size, complexity and dynamic nature of many large enterprises make role-based access control challenging, to say the least. Quoting from the Dartmouth study:
"At one very large retail bank that we interviewed, the CISO had recently completed an RBAC project creating 11,000 roles across the firm to control access to nearly 22,000 applications. Developing the roles took a team two years and the ongoing review process was expected to be significant."
In the real world, access rights are constantly changing, for legitimate reasons: employees are hired and terminated; contractors come and go; service providers and outsource firms require access on a project basis with often unclear timelines; federated identity management systems expand the concept of trusted user beyond the enterprise boundary; departments and whole companies undergo reorganizations; mergers and acquisitions result in major restructurings; layoffs lead to rapid and sometime undocumented role changes; and employees transferring within a company inevitably have to overlap responsibilities (and access) between their old and new jobs. Unclear and imperfect communications between HR, line-of-business (LOB) staff, and IT exacerbate the problem.
Managing Entitlements
"Today's information security battleground is all about entitlements-who's got them, whether they were granted properly, and how to enforce them."
Companies large and small employ different approaches to entitlement management, with equal lack of success. Mostly, they do manual reviews of entitlements prior to audits by going through HR records, reviewing application logs, and interviewing LOB managers-a process inevitably referred to as a fire drill. Other approaches to entitlement management include development of custom reports for SEIM and log management systems, network-based user activity monitoring, and RBAC systems.
The management challenge is to determine what's a reasonable target level of excessive access rights in terms of percentage of overall rights granted, and then ensure that solutions are in place to consistently keep actual excessive access rights on or below the target. It's more expensive to establish an excessive access rights target of 2% than of 4%, for example. Therefore, management must determine what level constitutes "enough" security, doesn't break the budget or put an undue burden on IT or line-of-business staff, and yet meets the compliance requirements as measured by auditors. What auditors are looking for is a sustainable, measureable process that demonstrates visibility (can the company detect when and where it has excessive access rights?) and the ability to remediate problems when they occur (can the company eliminate excessive access rights within a reasonable amount of time from their detection?).