Thursday, January 27, 2011

Access Controls, Then and Now


For the past two years I've been telling anyone who will listen that ineffective IT access controls represent an ongoing security vulnerability as well as a compliance liability for many regulated firms. The Ponemon Institute has published a survey that not only confirms what I've been saying, but shows that it's getting worse. What a surprise.

Here's how Ponemon summarizes the problem:

When employees, temporary employees, contractors and partners have inappropriate access to information resources -- that is, access that violates security policies and regulations or that is inappropriate for their current jobs -- companies are subject to serious compliance and business risks.


Fair enough. But many enterprises and security-conscious organizations have a "least privilege" policy to ensure that, as regulations and best practices require, users are provided access to ONLY those resources for which they have a legitimate business need. Doesn't that prevent the inappropriate access referred to above?

Not really. Although least privilege sounds simple enough, in practice it has proven extraordinarily difficult to achieve. This is especially true in dynamic enterprise environments, where onboarding, offboarding, outsourcing, partnering, and the use of contractors threaten to overwhelm whatever business processes exist. These challenges are exacerbated by the coordination required between line-of-business managers, IT staff, HR, security, and compliance staff to manage access controls. In fact, Bruce Schneier, a prominent security guru, states unequivocally that perfect access control just isn't possible.

Schneier must be on to something. The Ponemon survey, sponsored by Aveksa, found that most relevant metrics for access management are trending down. Here are the top two findings:
  • User access rights continue to be poorly managed. Eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description - up nine percent from the 2008 study.
  • Organizations are not able to keep pace with changes to users' job responsibilities, and they face serious noncompliance and business risk as a result. Nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements, and more than half (52 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
What's at risk when access controls are ineffective? Survey respondents' concern was highest for company applications, intellectual property and general business information. Not to mention audit findings.

So what's the primary cause of poor performance in IT access management? A plurality of respondents say "We cannot keep up with our organization's information resources." This is consistent with Schneier's observation that organizations are simply too chaotic to make it work. So what should be done?

According to the IAM experts, this is where access certification comes in. Here's what Aveksa has to say about access certification:

Good access governance requires the regular review and certification of user entitlements and roles to ensure that access rights to enterprise information assets are appropriate and meet regulatory mandates and guidelines for Sarbanes-Oxley, PCI, GLBA, MAR, FERC/NERC, Basel II and HIPAA compliance.


Many IAM solution providers have integrated modules to help you with your access certification. The problem is, this level of certification -- while important -- involves a review of the rather complicated matrix of staff and roles/entitlement assignments that have overwhelmed organizations in the first place. 

It's not as if organizations don't know they have probable vulnerabilities: the vast majority say it's "likely" that users are over-entitled.

Here's what we can conclude: Organizations suspect that their users have more access than is required, a clear violation of compliance regulations as well as a security risk. And auditors have confirmed their worst fears, as excessive access rights have remained the top audit finding for years. So we know that organizations are motivated to solve this problem. But despite the availability of comprehensive role-based access control IAM systems, regulated enterprises apparently still do not have the right tools to manage access controls. What they are missing is feedback that quantifies the effectiveness of their access controls.
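To make "feedback that quantifies" concrete, here is an added illustration (not code from the original post or from any vendor named here) of the kind of check an access-certification review performs: each user's provisioned entitlements are compared against a least-privilege baseline for their current role, and, going one step beyond the post, a separation-of-duties conflict is flagged. All roles, users and entitlements are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from any real organisation): role -> the
# entitlements a person in that role legitimately needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"erp:invoice_read", "erp:invoice_create"},
    "ap_manager": {"erp:invoice_read", "erp:invoice_approve", "erp:vendor_edit"},
    "hr_analyst": {"hris:employee_read"},
}

# Entitlement combinations no single person should hold (constructed
# separation-of-duties rule of the kind SOX reviews look for).
SOD_CONFLICTS = [
    (frozenset({"erp:invoice_create", "erp:invoice_approve"}), "create and approve invoices"),
]

@dataclass
class User:
    name: str
    role: str
    entitlements: set  # what is actually provisioned in the target systems

def excess_entitlements(user):
    """Entitlements provisioned beyond what the user's *current* role needs."""
    return user.entitlements - ROLE_ENTITLEMENTS.get(user.role, set())

def sod_violations(user):
    """Separation-of-duties rules that the user's combined access breaks."""
    return [desc for pair, desc in SOD_CONFLICTS if pair <= user.entitlements]

def certify(users):
    """Per-user findings plus the share of users holding any excess access."""
    findings = {u.name: {"excess": sorted(excess_entitlements(u)),
                         "sod": sod_violations(u)} for u in users}
    over_entitled = sum(1 for f in findings.values() if f["excess"])
    return findings, (over_entitled / len(users) if users else 0.0)

# Constructed review population: Bob moved from AP to HR but kept his ERP
# access; Carol's manager entitlements were stacked on top of her old clerk role.
SAMPLE_USERS = [
    User("alice", "ap_clerk", {"erp:invoice_read", "erp:invoice_create"}),
    User("bob", "hr_analyst", {"hris:employee_read", "erp:invoice_read", "erp:invoice_create"}),
    User("carol", "ap_manager", {"erp:invoice_read", "erp:invoice_approve",
                                 "erp:vendor_edit", "erp:invoice_create"}),
]

if __name__ == "__main__":
    report, rate = certify(SAMPLE_USERS)
    print(report, f"\nusers with excess access: {rate:.0%}")
```

The aggregate rate is the kind of trend metric the survey reports by questionnaire; computed from live entitlement data it becomes a measurement rather than an opinion.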

Current approaches have obviously failed to achieve the desired and necessary level of security and compliance. That's why Cloud Compliance, my prior company, was formed -- to address this and related access audit issues through an innovative SaaS-based capability called Identity and Access Assessment (IdAA). Cloud Compliance provided visibility into not just who is accessing what, but who should access what. And when excessive access rights inevitably occur, Cloud Compliance analytics would help determine the root cause and effective remediation strategies. 
