Every day we see reports in the media of yet another data breach, and more often than not these seem to be taking place internally. We still need to be aware and proactively manage the ‘outsider’ threat, however, by addressing a few access management myths we can contain and control the ‘insider’ threat.
Based on anecdotal evidence from working with numerous large organizations over the last few years, I’ve found that labor-intensive internal access controls are often overlooked and/or not kept up to date, which can provide the opportunist with access to sensitive data. So, this is not just a way to stop determined internal ‘hackers’, but also to protect employees who may come across data unintentionally. It’s all about trust: ensuring you can trust your data and employees, and also that your employees can trust the organization to protect them.
I’d like to ‘expose’ five access rights management myths that I believe are stopping organizations from securely and cost-effectively managing access rights and thereby undermining not only the trust in their data, but also their ability to meet compliance requirements.
The first of these myths is that: ‘I know where my data is and who can access it’. Yet, without being able to actually see and report on who can access what data, how can you be sure? You will no doubt have processes in place to enable user provisioning and de-provisioning, although these are often complex, error-prone, manual processes that may not be the highest priority for the IT department. When a new employee joins the organization they may need Active Directory (AD) and SharePoint accounts plus access to specific physical and virtual file servers. Conversely, when the employee leaves the organization or moves to another department, these access rights should be updated.
The challenge is how to keep a track of all these changes and know that the right people have the right access. One way is delegating the granting of access rights to the actual data owners or stewards; however, this can only be achieved if the complexity and time required to implement the changes can be reduced.
This brings me to the second myth: ‘Streamlining the process is good, but it’s far too complicated and not worth the effort’. Taking on a project to streamline a series of manual processes can be complicated and perceived as taking a disproportionate amount of time. How often in business do we hear the limiting, short-term comment: ‘it’s quicker if I just do it myself’. But with any recurring process, it is prudent to assess, streamline and implement a more efficient and sustainable procedure.
This may or may not involve software tools and applications, but does involve training and documentation. Job ownership can often be a barrier, but by reducing the amount of manual effort required to managing access rights, the IT department can focus on more interesting activities. My experience shows that by streamlining and automating this process, organizations can save time, costs and frustration – among their IT department, the data owners/stewards and the actual data users. Streamlining also helps organizations become more agile and more quickly set up specific project teams, for example.
Another response I often hear from organizations is that their employees are sufficiently sensitized to what they should or should not do with company data. This is an interesting one. Of course, we all expect our employees to be guardians of our data: they all attended an induction briefing and signed the appropriate policy when they joined, didn’t they? Most will take on this responsibility, but what happens when they realize that their short stint in HR as a graduate recruit still enables them to check everyone’s pay levels? We can all be tempted.
This relates to my aforementioned point about trust. Organizations have a duty to protect not only their sensitive data, but also their employees. Let’s keep temptation out of reach, so the insider threat – whether planned or opportunistic – can be controlled.
Finally, I’m frequently told: ‘With shrinking budgets, access rights management is definitely not a priority’. To this I always respond that with shrinking budgets, organizations that look closely at their access rights management processes will see that this is a great place to start stripping out costs (and saving time).
Automating the provisioning and de-provisioning of access rights, running reports and generating alerts if unauthorized access is attempted all save time and effort, while enhancing security. If the process can be simplified or automated to such an extent that non-technical data owners/stewards can manage their own access rights, then this not only frees up expensive IT resources but puts control into the hands of those nearest to the data.
Organizations that have implemented automation software for access rights management have seen significant return on investment through cost savings and increasing their responsiveness. Essentially, these solutions ensure access on a strictly need-to-know basis, cutting the amount of manual input required to manage access rights and thereby reducing costs.
Needless to say, a data breach can be very costly in terms of fines and reputational damage. There are other advantages that cannot be easily measured, such as potential increases in profitability when organizations are able to quickly set up new project groups, move employees to new teams or departments (or even companies in the same group), and in doing so respond to changing market needs. Sounds like great ROI to me.
I’d like to leave you with one last myth, which is that managing access rights is not a business-critical activity. But I think you’d agree that with the ever-growing strategic importance and reliance on data, best practice stewardship is essential. We’re living in an age of Big Data, so let’s make sure that our sensitive data and employees are protected.
Christian Zander is the CTO and co-founder of protected-networks. He closely leads the solutions team through all the developmental stages of the company’s primary solution, 8MAN.