Because most organizations are subject to industry-specific audit requirements, they must confirm that the right people have suitable access to the organization’s sensitive data.
However, data breaches are increasingly affecting organizations which should have high-quality safeguards in place, raising questions as to whether existing access certification processes are still able to do their job effectively.
The function of access certification is entirely sensible. As organizations become ever more subject to regulations regarding how they protect information, a formal checking process for access provisioning and privileges to data accessed is essential. The established approach is that access certification audits occur every six months or annually. Managers and other authorized personnel are required to conduct a meticulous review of users’ access and indicate whether access rights are correct.
Waves of security breaches have affected organizations of all sizes; the forecast for 2015 is more of the same. A common characteristic of several incidents is that the breached organizations were oblivious that an incident had occurred.
But why are organizations finding themselves ever more vulnerable to breaches, even after undertaking periodic certification reviews and successfully passing audits?
The explanation lies in the digital transformation organizations of all shapes and sizes are undertaking. Changes in how they operate, trade and interact with customers, prospects and partners are generating a massive surge in the volume, variety and velocity of information that organizations need their staff to access.
Organizations are finding it exceptionally difficult to put into effect high security standards while maintaining the higher levels of productivity expected from digitized enterprises.
A related issue is how workforces are becoming more flexible with user roles and responsibilities. This reflects how organizations have changed how they adjust to keep up with fast moving business needs, be these internal moves, new hires or employees leaving.
As a result, access rights and the resources they are allowed to use aren’t fixed and can change between these periodic access reviews, creating vulnerabilities that expose organisations to charges of regulatory non-compliance. Worse still, vulnerabilities could be taken advantage of by e-criminals or insider hackers.
To give an indication of the scale of the hidden challenge, my company worked with one multi-national enterprise last year. Using our technology, they were able to identify 1000+ abandoned contractor accounts, 130 terminated employee accounts that needed to be de-provisioned, 14,000 inactive user groups and 25+ users with access in excess of their role. And this was an organization that had an extremely strong information security team.
"Organizations are finding it exceptionally difficult to put into effect high security standards while maintaining... higher levels of productivity"
Consequently, although users’ access information is accessible to reviewers, this information often lacks context. Auditors do not know exactly how, why or when users acquired the access. In fact, a recent survey conducted by Courion revealed that 43 percent of IT security executives agreed that their organizations were unaware of when access privileges are augmented or when inappropriate or unusual access occurs. In addition, the volume of data that is presented is substantial, if not overwhelming. These reasons regularly compel reviewers to simply rubber stamp, which is clearly an ineffective tactic when trying to assess and mitigate access risk within an organization.
What organizations need is a continuous and comprehensive approach to identifying access risks, whilst also employing preventative controls to moderate these risks: for example, a solution that provides organizations with the ability to automatically withdraw inappropriate access, plus perform risk-based certifications reviews when a policy infringement occurs or a threat is detected.
Identity and access management solutions that include built-in identity analytics and intelligence capabilities can save a great deal of time and effort during management reviews and audits, by providing reports with filtering and drill-down capabilities, trend information, and data visualisation tools.
These not only give managers and the IT department a high-level view of progress toward business goals, such as eliminating orphaned accounts and policy violations, but they can also show auditors that efforts have been made to address high-risk issues.
Risk-based certification reviews provide complete context around the information being examined, thus allowing managers to make educated and informed decisions on whether a user’s access is suitable or not. By performing these narrowly focused, risk-based certification reviews on a continuous basis, organizations can both satisfy audit requirements, whilst also diminishing potential risks in a more intelligent and efficient manner.
About the Author
Chris Sullivan is VP of Advanced Solutions at Courion, and is responsible for developing and bringing new products and solutions to market. Before joining Courion, Chris was president and co-founder of ISOLX, Inc, a systems integration services provider. Earlier in his career, Chris held management roles in R&D, engineering and product management at Samsung, Schlumberger, IBM and Digital Equipment Corporation. He is a frequent speaker at industry events including the European Identity Conference.