Until now, access risk was viewed as an intrinsic risk that organizations could do little to prevent, but my recent findings made me realize that there is more to it than meets the eye. Access risk is defined as "risks related to unauthorized or inappropriate access". The Verizon Business 2010 research report highlights the importance of curbing insider access risk: 48% of breaches involved insiders, an increase of 26% over the previous year.
While access risk continues to be a challenge, organizations can curb it by taking a few preventive measures, as recommended by many industry experts.
- Policy Enforcement: Can a person deliberately perform a harmful act if he or she has just the right access? Excerpts from Wikipedia: "With the concept of Segregation of Duties, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function". This gives me confidence that the chances of a single person being a threat go down drastically if the access policy is defined and enforced properly.
- Certification: Let us assume that, at one point in time, every person in the organization has just the right access to the resources needed to perform their work. Can this state be maintained in the current business scenario, where delegation of tasks is a day-to-day phenomenon? Probably not, because managing changes in user access across the organization (granting entitlements, revoking access, setting permissions for a new role) is complicated for many organizations. Periodic review of entitlements not only provides insight into who has what access, but also helps fine-tune the access policy, so that fewer exceptions occur in the system in future.
- Role Lifecycle Management: In large organizations entitlements can run into the tens of thousands, and quarterly or biannual certification of individual entitlements could give managers nightmares. The number of roles in an organization is much smaller than the number of entitlements, so defining roles and grouping entitlements into business roles makes more sense. Certifying roles rather than entitlements is less time consuming.
- Violation Report: A dashboard with application-specific reports, such as orphan accounts in a system (accounts with no matching active owner in the identity store) and roles violating segregation of duties, will empower application owners to view and remediate policy violations.
To counter access risk, organizations need to reassess their processes for assigning system resources and privileges to users, and adopt a complementary solution that addresses the end-to-end access certification process across the organization.
An Access Governance Platform has emerged as a solution that covers the preventive measures mentioned above. With an Access Governance Platform, organizations can tackle access risk more efficiently through a process that automates manual tasks and enforces accountability. The platform provides auditable evidence of compliance and creates an effective process for access delivery across the organization.
An access governance platform collects data from various sources such as a central directory server, identity and access management systems, applications, files and folders, etc. The collected raw data is transformed through aggregation (bringing each user's entitlements across all systems into one view) and correlation (matching application accounts to the identities that own them) to make it concise.
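To make the correlation step and the violation report concrete, here is an added Python example (written for this post, not code from any access governance product). It assumes a constructed HR feed, account exports from two hypothetical applications ("erp" and "bank"), and a policy table that maps each entitlement to one of the four segregation of duties function types. Accounts are correlated to HR identities; accounts with no active owner are reported as orphans, and an identity whose aggregated entitlements span more than one function type is reported as an SoD violation, even when the conflicting entitlements live in different applications.

```python
from collections import defaultdict

# Constructed sample data (not from any real system).
HR_IDENTITIES = {
    "E1001": {"name": "Asha", "status": "active"},
    "E1002": {"name": "Ben", "status": "active"},
    "E1003": {"name": "Chen", "status": "terminated"},
}

ACCOUNTS = [
    {"app": "erp", "login": "asha", "owner": "E1001", "entitlements": ["PO_APPROVE", "PO_CREATE"]},
    {"app": "erp", "login": "ben", "owner": "E1002", "entitlements": ["PO_CREATE", "REPORT_VIEW"]},
    {"app": "bank", "login": "ben.b", "owner": "E1002", "entitlements": ["PAYMENT_RELEASE"]},
    {"app": "bank", "login": "chen", "owner": "E1003", "entitlements": ["PAYMENT_RELEASE"]},
    {"app": "erp", "login": "svc_batch", "owner": None, "entitlements": ["GL_POST"]},
]

# Policy: which SoD function type each entitlement belongs to (hypothetical names).
FUNCTION_OF = {
    "PO_CREATE": "record_keeping",
    "PO_APPROVE": "authorization",
    "PAYMENT_RELEASE": "custody",
    "GL_POST": "record_keeping",
    "GL_RECONCILE": "reconciliation",
}


def correlate(accounts, identities):
    """Map each account to an HR identity and aggregate entitlements per identity.
    Accounts with no identity, or whose owner is not active, are orphans."""
    by_identity = defaultdict(lambda: defaultdict(set))  # identity -> entitlement -> {(app, login)}
    orphans = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in identities:
            orphans.append({"app": acct["app"], "login": acct["login"], "reason": "no matching identity"})
            continue
        if identities[owner]["status"] != "active":
            orphans.append({"app": acct["app"], "login": acct["login"], "reason": "owner terminated"})
            continue
        for ent in acct["entitlements"]:
            by_identity[owner][ent].add((acct["app"], acct["login"]))
    return by_identity, orphans


def sod_violations(by_identity, function_of):
    """An identity holding entitlements in more than one function type is a violation."""
    violations = []
    for identity, ents in sorted(by_identity.items()):
        functions = defaultdict(set)
        for ent in ents:
            func = function_of.get(ent)
            if func is None:
                continue  # not classified by policy; reported separately, never silently trusted
            functions[func].add(ent)
        if len(functions) > 1:
            violations.append({
                "identity": identity,
                "functions": sorted(functions),
                "entitlements": sorted(e for s in functions.values() for e in s),
                "apps": sorted({app for ent in ents for app, _ in ents[ent]}),
            })
    return violations


def build_report(accounts=ACCOUNTS, identities=HR_IDENTITIES, function_of=FUNCTION_OF):
    """Application-owner view: orphans per application, SoD violations, and
    entitlements the policy does not yet classify (a policy-tuning backlog)."""
    by_identity, orphans = correlate(accounts, identities)
    orphans_by_app = defaultdict(list)
    for o in orphans:
        orphans_by_app[o["app"]].append(o)
    unclassified = sorted({e for ents in by_identity.values() for e in ents if e not in function_of})
    return {
        "orphans_by_app": dict(orphans_by_app),
        "sod_violations": sod_violations(by_identity, function_of),
        "unclassified_entitlements": unclassified,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

Ben's violation only appears because the two accounts were first correlated to one identity; an application-by-application review would have found nothing wrong with either account on its own. The unclassified list is the feedback loop into policy: every entitlement the policy does not map is one the SoD check cannot evaluate.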
The diagram below shows data and processes in an access governance platform.
An access governance platform provides dashboards for various categories of users (user, supervisor, admin, auditor, etc.) and an interface to perform certification, send reminders, change the certification plan, define policy, raise requests for access or resources, and take action on policy violations. In a nutshell, an access governance platform:
- Automates the validation of user entitlements and roles, certification, monitoring, reporting and remediation
- Gives enterprise-wide insight into user access and determines if the access is appropriate and compliant with policies
- Facilitates complete lifecycle management for roles: creation (using bottom-up role mining), validation and enhancement
- Allows automation of managing access requests and changes
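The "bottom-up role mining" named above, and the earlier point that certifying roles is cheaper than certifying tens of thousands of entitlements, can be shown with a small added Python example (written for this post, not any product's algorithm). It assumes a constructed set of identities with an HR attribute and their already-aggregated entitlements, mines one candidate role per department from the entitlements most of its members share, assigns those roles back to users, and reports what is left over as exceptions, which is exactly the residue a certification campaign would then review. Thresholds and attribute names are illustrative choices.

```python
from collections import defaultdict

# Constructed sample: each identity's HR department and aggregated entitlements
# ("application:entitlement"). Not data from any real system.
USERS = {
    "E1001": {"dept": "finance", "ents": {"erp:PO_CREATE", "erp:GL_VIEW", "bank:STMT_VIEW"}},
    "E1002": {"dept": "finance", "ents": {"erp:PO_CREATE", "erp:GL_VIEW", "bank:STMT_VIEW"}},
    "E1003": {"dept": "finance", "ents": {"erp:PO_CREATE", "erp:GL_VIEW", "bank:STMT_VIEW", "bank:PAYMENT_RELEASE"}},
    "E1004": {"dept": "finance", "ents": {"erp:GL_VIEW", "bank:STMT_VIEW"}},
    "E2001": {"dept": "sales", "ents": {"crm:LEAD_EDIT", "crm:QUOTE_CREATE"}},
    "E2002": {"dept": "sales", "ents": {"crm:LEAD_EDIT", "crm:QUOTE_CREATE", "erp:GL_VIEW"}},
    "E2003": {"dept": "sales", "ents": {"crm:LEAD_EDIT"}},
}


def mine_attribute_roles(users, attribute="dept", min_share_percent=75):
    """Bottom-up mining: for each value of an HR attribute, the entitlements held
    by at least min_share_percent of its members form one candidate role."""
    members = defaultdict(list)
    for uid, u in users.items():
        members[u[attribute]].append(uid)
    roles = {}
    for value, uids in members.items():
        counts = defaultdict(int)
        for uid in uids:
            for ent in users[uid]["ents"]:
                counts[ent] += 1
        # integer comparison avoids floating-point edge cases at the threshold
        core = {ent for ent, c in counts.items() if c * 100 >= min_share_percent * len(uids)}
        if core:
            roles[f"{attribute}:{value}"] = core
    return roles


def assign_roles(users, roles):
    """A user gets every role whose entitlements they fully hold; entitlements
    not explained by any assigned role are exceptions for certification."""
    assignment = {}
    for uid, u in users.items():
        held = [name for name, ents in roles.items() if ents <= u["ents"]]
        covered = set().union(*(roles[name] for name in held)) if held else set()
        assignment[uid] = {"roles": sorted(held), "exceptions": sorted(u["ents"] - covered)}
    return assignment


def coverage(users, assignment):
    """Share of all entitlement grants explained by roles (1.0 means no exceptions)."""
    total = sum(len(u["ents"]) for u in users.values())
    uncovered = sum(len(a["exceptions"]) for a in assignment.values())
    return (total - uncovered) / total if total else 1.0


if __name__ == "__main__":
    mined = mine_attribute_roles(USERS)
    result = assign_roles(USERS, mined)
    for name, ents in sorted(mined.items()):
        print(name, sorted(ents))
    for uid, a in sorted(result.items()):
        print(uid, a)
    print("coverage:", round(coverage(USERS, result), 3))
```

With the sample data, seven users and eighteen entitlement grants collapse into two roles and six exception grants, so a reviewer certifies two roles plus the exceptions instead of eighteen individual grants. E1004 gets no role at all because the finance role requires an entitlement that user lacks; that is the signal to tune the mining (lower the threshold, or mine on a second attribute such as job title) so that fewer exceptions occur in the next cycle.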
However, with a large volume of access change requests every day, can an access governance platform keep pace with the needs of the business and of compliance? Current products in the market provide the flexibility to adopt a centralized yet local deployment architecture. An organization may not be mature enough to leverage the entire functionality in one go. For example, to start with, an organization may choose to deploy only the compliance part for a few applications; later the deployment can be extended to cover other applications and role management. The deployment approach and the participation of users determine the success of an access governance deployment.
I would like to hear your thoughts!